fix(docker image security): Improve dependency pinning and disable ab…

…ility to build image from different tag from what specified in Dockefile (#830)
antonbabenko · Feb 26, 2025 · 2c3aa85 · 2c3aa85
1 parent 8c1c83d
commit 2c3aa85
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -185,7 +185,7 @@ jobs:
         python -m
         pip install
         --user
-        setuptools-scm
+        setuptools-scm~=8.2
       shell: bash
     - name: Set the current dist version from Git
       id: scm-version

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,6 @@
-ARG TAG=3.12.0-alpine3.17@sha256:fc34b07ec97a4f288bc17083d288374a803dd59800399c76b977016c9fe5b8f2
-FROM python:${TAG} as builder
+FROM python:3.12.0-alpine3.17@sha256:fc34b07ec97a4f288bc17083d288374a803dd59800399c76b977016c9fe5b8f2 AS python_base
+
+FROM python_base AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -11,8 +12,8 @@ RUN apk add --no-cache \
     curl=~8 && \
     # Upgrade packages for be able get latest Checkov
     python3 -m pip install --no-cache-dir --upgrade \
-        pip \
-        setuptools
+        pip~=25.0 \
+        setuptools~=75.8
 
 COPY tools/install/ /install/
 
@@ -100,7 +101,7 @@ RUN . /.env && \
 
 
 
-FROM python:${TAG}
+FROM python_base
 
 RUN apk add --no-cache \
     # pre-commit deps