From dc177fe29ed250fbb98702248c7de232bdb75f58 Mon Sep 17 00:00:00 2001
From: Maksym Vlasov
Date: Fri, 21 Apr 2023 16:27:02 +0300
Subject: [PATCH] fix: Updates all dependencies used in Dockerfile and fix Docker image (#507)

* Docker doesn't provide possibilities for avoiding trash
There is no possibility to exclude part of the "pre-installed" files from COPY steps like https://github.com/moby/buildkit/issues/2853
And copy-paste mostly all `site-packages` without it is not worth it
---
 .github/.container-structure-test-config.yaml | 2 +-
 .github/.dive-ci.yaml | 6 +++---
 Dockerfile | 16 +++++++++-------
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/.github/.container-structure-test-config.yaml b/.github/.container-structure-test-config.yaml
index c485db00f..c463a7a1d 100644
--- a/.github/.container-structure-test-config.yaml
+++ b/.github/.container-structure-test-config.yaml
@@ -43,7 +43,7 @@ commandTests:
 - name: "tflint"
 command: "tflint"
 args: [ "--version" ]
- expectedOutput: [ "TFLint version ([0-9]+\\.){2}[0-9]+\\n$" ]
+ expectedOutput: [ "TFLint version ([0-9]+\\.){2}[0-9]+\\n" ]
 - name: "tfsec"
 command: "tfsec"
diff --git a/.github/.dive-ci.yaml b/.github/.dive-ci.yaml
index 62373c1bc..e3cf64a7b 100644
--- a/.github/.dive-ci.yaml
+++ b/.github/.dive-ci.yaml
@@ -1,13 +1,13 @@
 rules:
 # If the efficiency is measured below X%, mark as failed.
 # Expressed as a ratio between 0-1.
- lowestEfficiency: 0.99
+ lowestEfficiency: 0.987
 # If the amount of wasted space is at least X or larger than X, mark as failed.
 # Expressed in B, KB, MB, and GB.
- highestWastedBytes: 12MB
+ highestWastedBytes: 21MB
 # If the amount of wasted space makes up for X% or more of the image, mark as failed.
 # Note: the base image layer is NOT included in the total image size.
 # Expressed as a ratio between 0-1; fails if the threshold is met or crossed.
- highestUserWastedPercent: 0.02
+ highestUserWastedPercent: 0.025
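Review bot: Dropping the trailing `$` from the tflint `expectedOutput` regex makes the structure test accept any text after the `TFLint version x.y.z` line, which is a looser check than before, and neither the hunk nor the commit message says why. If this is because a newer tflint prints additional lines after the version line (ruleset or plugin output, presumably), that reason should sit next to the pattern so a later cleanup does not restore the anchor and break CI, e.g. a comment above it: `# no trailing $ anchor: newer tflint prints extra lines after the version line`. If the intent was instead to keep the version line as the only output, the anchor should go back and the extra output be handled in `args` or the command instead.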
diff --git a/Dockerfile b/Dockerfile
index a1735b915..547389628 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,15 @@
-ARG TAG=3.10.1-alpine3.15@sha256:dce56d40d885d2c8847aa2a278a29d50450c8e3d10f9d7ffeb2f38dcc1eb0ea4
+ARG TAG=3.11.1-alpine3.17
 FROM python:${TAG} as builder
 WORKDIR /bin_dir
 RUN apk add --no-cache \
 # Builder deps
- curl=~7 && \
- # Upgrade pip for be able get latest Checkov
- python3 -m pip install --no-cache-dir --upgrade pip
+ curl=~8 && \
+ # Upgrade packages for be able get latest Checkov
+ python3 -m pip install --no-cache-dir --upgrade \
+ pip \
+ setuptools
 ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
 ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-latest}
@@ -60,7 +62,7 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 RUN . /.env && \
 if [ "$CHECKOV_VERSION" != "false" ]; then \
 ( \
- apk add --no-cache gcc=~10 libffi-dev=~3 musl-dev=~1; \
+ apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
 [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
 || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
 apk del gcc libffi-dev musl-dev \
@@ -176,7 +178,7 @@ RUN apk add --no-cache \
 bash=~5 \
 # pre-commit-hooks deps: https://github.com/pre-commit/pre-commit-hooks
 musl-dev=~1 \
- gcc=~10 \
+ gcc=~12 \
 # entrypoint wrapper deps
 su-exec=~0.2
@@ -189,7 +191,7 @@ COPY --from=builder \
 /usr/local/bin/checkov* \
 /usr/bin/
 # Copy pre-commit packages
-COPY --from=builder /usr/local/lib/python3.10/site-packages/ /usr/local/lib/python3.10/site-packages/
+COPY --from=builder /usr/local/lib/python3.11/site-packages/ /usr/local/lib/python3.11/site-packages/
 # Copy terrascan policies
 COPY --from=builder /root/ /root/
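Review bot: The new `ARG TAG=3.11.1-alpine3.17` drops the `@sha256:` digest that the removed line carried, so `FROM python:${TAG} as builder` (and any later stage that reuses TAG, not visible in this hunk) now resolves a mutable registry tag instead of an immutable image. Docker Hub re-pushes tags when the upstream image is rebuilt, so two builds of this same commit can start from different bases, and any digest-based provenance or SBOM attestation for the image loses its anchor. Restore the pin for the new tag, `ARG TAG=3.11.1-alpine3.17@sha256:<digest>`, with the digest taken from `docker buildx imagetools inspect python:3.11.1-alpine3.17` rather than typed from memory; the digest in the removed line belongs to the old image and must not be reused. The same hunk also runs `pip install --upgrade pip setuptools` unpinned, which reintroduces build-time drift even with a pinned base; if reproducibility is the goal, pin those versions too (or document that "latest" is deliberate, as the comment above them already hints).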
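Review bot: The last hunk hardcodes the Python minor version a second time in `/usr/local/lib/python3.11/site-packages/`, separately from the `3.11` already embedded in `ARG TAG` at the top of the file, so the next base-image bump must be made in two places and a missed one fails the COPY at build time (presumably with a "not found" cache-key error). Build args are expanded inside COPY, so one `ARG PY_MINOR=3.11` re-declared in the final stage and `COPY --from=builder /usr/local/lib/python${PY_MINOR}/site-packages/ /usr/local/lib/python${PY_MINOR}/site-packages/` keeps the two in step, or at least a comment `# keep in sync with the Python minor in ARG TAG` above the COPY would flag the coupling. The surrounding COPY block starts before this hunk.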