Skip to content

Commit ae89d2e

Browse files
committed
security: pin base images to python:3.12.13, remove apt/apk upgrade
Per Docker best practices, security patching should come from rebuilding with updated base image tags, not from apt-get upgrade inside the Dockerfile. Pinning to a specific patch version ensures reproducible builds. Bump the version and rebuild to pick up new patches.
1 parent 9941db7 commit ae89d2e

4 files changed

Lines changed: 8 additions & 10 deletions

File tree

Dockerfile

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,6 @@
1-
FROM python:3.12
1+
# Pin to a specific patch version for reproducible builds.
2+
# To pick up security patches, bump this version and rebuild.
3+
FROM python:3.12.13
24

35
RUN apt-get update && apt-get install -y --no-install-recommends \
46
# Core utilities
@@ -37,8 +39,6 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
3739
# Docker CLI + Compose + Buildx (mount socket at runtime for access)
3840
RUN curl -fsSL https://get.docker.com | sh
3941

40-
# Pull in all available security patches for installed packages.
41-
RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
4242

4343
WORKDIR /app
4444

Dockerfile.alpine

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@
2929
# Compiles Python dependencies in an isolated prefix. Alpine needs
3030
# musl-dev and gcc for most C extensions.
3131
# --------------------------------------------------------------------------
32-
FROM python:3.12-alpine AS builder
32+
FROM python:3.12.13-alpine AS builder
3333

3434
WORKDIR /src
3535

@@ -55,7 +55,7 @@ RUN pip install --no-cache-dir --prefix=/install .
5555
# Stage 2: Runtime
5656
# Tiny Alpine runtime. No compilers, no build tools, no sudo.
5757
# --------------------------------------------------------------------------
58-
FROM python:3.12-alpine
58+
FROM python:3.12.13-alpine
5959

6060
# ── Runtime system packages ────────────────────────────────────────────────
6161
#
@@ -94,8 +94,6 @@ COPY --from=builder /install /usr/local
9494
WORKDIR /app
9595
COPY . .
9696

97-
# Upgrade base packages to pull in security fixes (e.g. zlib CVE-2026-22184).
98-
RUN apk upgrade --no-cache
9997

10098
# Install the app itself (fast — all deps are already present) and grant
10199
# the Python binary cap_setgid so multi-user mode can call setgid().

Dockerfile.slim

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@
2525
# Compiles Python dependencies in an isolated prefix so we can copy only
2626
# the final result into the slim runtime image — no compilers shipped.
2727
# --------------------------------------------------------------------------
28-
FROM python:3.12-slim AS builder
28+
FROM python:3.12.13-slim AS builder
2929

3030
WORKDIR /src
3131

@@ -51,7 +51,7 @@ RUN pip install --no-cache-dir --prefix=/install .
5151
# Stage 2: Runtime
5252
# The actual image that ships. No compilers, no build tools, no sudo.
5353
# --------------------------------------------------------------------------
54-
FROM python:3.12-slim
54+
FROM python:3.12.13-slim
5555

5656
# ── Runtime system packages ────────────────────────────────────────────────
5757
#

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ That's it — you're up and running at `http://localhost:8000`.
2929
| | `latest` | `slim` | `alpine` |
3030
|---|---|---|---|
3131
| **Best for** | AI agent sandboxes | Production / hardened | Edge / CI / minimal footprint |
32-
| **Size** | ~2 GB | ~500 MB | ~300 MB |
32+
| **Size** | ~4 GB | ~430 MB | ~230 MB |
3333
| **Bundled tooling** | Node.js, gcc, ffmpeg, LaTeX, Docker CLI, data science libs | git, curl, jq | git, curl, jq |
3434
| **Install packages at runtime** | ✔ (has `sudo`) |||
3535
| **Multi-user / egress firewall** ||||

0 commit comments

Comments
 (0)