fix: simplify Dockerfile and reduce Trivy CVE alerts#70

Merged
BKDDFS merged 2 commits into main from fix/security-alerts
Jan 31, 2026

Conversation

BKDDFS (Owner) commented Jan 31, 2026

Summary

  • Remove unnecessary system ffmpeg installation from Dockerfile
  • OpenCV pip package bundles its own ffmpeg libraries internally, so system ffmpeg is not needed
  • Eliminates all ffmpeg-related Trivy CVE alerts (~100+) from Docker image
  • Significantly smaller and simpler Dockerfile

Changes

  • Remove all ffmpeg-related apt packages (ffmpeg, build-essential, yasm, libx264-dev, libx265-dev, libavcodec-dev, libavformat-dev, libavdevice-dev, libavutil-dev, libswscale-dev, libavfilter-dev, pkg-config)
  • Keep only minimal runtime deps: libgl1, libglib2.0-0 (required by OpenCV)

Benefits

  • Fewer CVE alerts in security scans
  • Smaller Docker image
  • Faster builds
  • Simpler maintenance

Test plan

  • Docker build succeeds locally
  • OpenCV imports correctly (verified ldd dependencies)
  • CI passes (pre-commit, test, test-docker)
  • Trivy scan shows fewer CVEs
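The Dockerfile change described above, shown as an added example rather than the repository's own Dockerfile: the base image, the application layout and the use of a pinned `opencv-python` wheel are assumptions; the two package lists are the ones named in the PR. The final `RUN` turns the test-plan items (OpenCV imports, `ldd` shows no system ffmpeg) into a build-time check, using OpenCV's real `cv2.getBuildInformation()` API.

```dockerfile
# Added example, not the project's Dockerfile. Assumptions: python:3.12-slim
# base image, a requirements.txt that pins opencv-python, an app/ directory.
FROM python:3.12-slim

# BEFORE (what this PR removes): ffmpeg and its build chain as OS packages.
# Each of these is a separately tracked Debian package, which is where the
# roughly 100 ffmpeg-related Trivy findings came from.
#   RUN apt-get update && apt-get install -y --no-install-recommends \
#       ffmpeg build-essential yasm libx264-dev libx265-dev libavcodec-dev \
#       libavformat-dev libavdevice-dev libavutil-dev libswscale-dev \
#       libavfilter-dev pkg-config

# AFTER: only the two shared libraries the OpenCV wheel still needs from the OS.
RUN apt-get update \
    && apt-get install -y --no-install-recommends libgl1 libglib2.0-0 \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Build-time version of the PR's test plan. The build fails if
#   1. cv2 does not import,
#   2. the wheel was built without its own FFmpeg backend, or
#   3. the cv2 extension resolves a libavcodec from /usr/lib, which would
#      mean a system ffmpeg was pulled back in by some other package.
# The wheel's bundled copies live under site-packages/opencv_python.libs/
# and therefore do not match the /usr/lib pattern.
RUN python - <<'EOF'
import cv2, re, sys
info = cv2.getBuildInformation()
m = re.search(r"FFMPEG:\s+(\w+)", info)
if not m or m.group(1) != "YES":
    sys.exit("OpenCV wheel has no FFmpeg backend; video I/O would silently fail")
print("cv2", cv2.__version__, "with bundled FFmpeg")
EOF
RUN ! ldd "$(python -c 'import cv2; print(cv2.__file__)')" | grep -q '/usr/lib/.*libavcodec'

COPY app/ ./app/
CMD ["python", "-m", "app"]
```

Compare images before and after with `trivy image --severity HIGH,CRITICAL <tag>`. One thing to keep in mind when reading the lower count: Trivy enumerates OS packages and the `opencv-python` distribution from its pip metadata, but it does not enumerate the libav* shared objects vendored inside the wheel, so those libraries leave the report without leaving the image. Keeping the wheel pinned and bumped on a schedule is what actually moves the bundled FFmpeg forward.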

Replace apt-installed ffmpeg with static build from BtbN/FFmpeg-Builds:
- Upgrades ffmpeg from 5.1 (Debian) to 8.0.1 (latest stable)
- Eliminates CVEs from ffmpeg, libx264, libx265, libav* apt packages
- Supports both amd64 and arm64 architectures via TARGETARCH
- Removes unnecessary build dependencies (build-essential, yasm, etc.)
BKDDFS force-pushed the fix/security-alerts branch from e9a68fc to 8d82ebd on January 31, 2026 11:51
OpenCV pip package bundles its own ffmpeg libraries internally,
so system ffmpeg installation is not needed. This eliminates
all ffmpeg-related Trivy CVE alerts from the Docker image.

Changes:
- Remove static ffmpeg download from Dockerfile
- Keep only minimal runtime deps (libgl1, libglib2.0-0)
- Significantly smaller and simpler Docker image

BKDDFS changed the title from "fix: use static ffmpeg 8.0 to reduce Trivy CVE alerts" to "fix: simplify Dockerfile and reduce Trivy CVE alerts" on Jan 31, 2026
BKDDFS merged commit 3215e7d into main on Jan 31, 2026
11 checks passed