scratch for checkout, frontend, productcatalog and shipping #2512
Conversation
scratch for checkout, productcatalog and shipping
scratch for checkout, frontend, productcatalog and shipping
Ready for review, thanks!
@@ -13,8 +13,6 @@ | |||
# limitations under the License. | |||
|
|||
FROM golang:1.22.2-alpine@sha256:cdc86d9f363e8786845bea2040312b4efa321b828acdeb26f393faa864d887b0 as builder | |||
RUN apk add --no-cache ca-certificates git |
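Review bot: the `RUN apk add --no-cache ca-certificates git` line removed in this hunk drops git as well as ca-certificates from the builder stage. The syft listing later in the thread shows ca-certificates already ships in golang:1.22.2-alpine, but git does not appear in that listing, so please confirm every module is fetched through the module proxy (the default GOPROXY) and that no dependency falls back to a direct git clone, otherwise `go mod download` fails in the build stage. It would also help to state in the PR description whether the scratch final stage copies the CA bundle out of the builder, since the runtime HTTPS question raised below depends on that copy rather than on the apk package being installed.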
Question: Do you know why we can remove ca-certificates?
(It's not super clear to me why ca-certificates is needed in the first place. I assume it's to enable HTTPS (secure) communication during runtime.)
Original commit: 92eb76c
Good question. This is for the build container (not the final). If I do syft golang:1.22.2-alpine, I see that ca-certificates is already in there apparently:
NAME VERSION TYPE
alpine-baselayout 3.4.3-r2 apk
alpine-baselayout-data 3.4.3-r2 apk
alpine-keys 2.4-r1 apk
apk-tools 2.14.0-r5 apk
busybox 1.36.1-r15 apk
busybox-binsh 1.36.1-r15 apk
ca-certificates 20230506-r0 apk
ca-certificates-bundle 20230506-r0 apk
cmd/addr2line (devel) go-module
cmd/asm (devel) go-module
cmd/buildid (devel) go-module
cmd/cgo (devel) go-module
cmd/compile (devel) go-module
cmd/covdata (devel) go-module
cmd/cover (devel) go-module
cmd/doc (devel) go-module
cmd/fix (devel) go-module
cmd/go (devel) go-module
cmd/gofmt (devel) go-module
cmd/link (devel) go-module
cmd/nm (devel) go-module
cmd/objdump (devel) go-module
cmd/pack (devel) go-module
cmd/pprof (devel) go-module
cmd/test2json (devel) go-module
cmd/trace (devel) go-module
cmd/vet (devel) go-module
d3-pprof 2.0.0 npm
go 1.22.2 binary
libc-utils 0.7.2-r5 apk
libcrypto3 3.1.4-r5 apk
libssl3 3.1.4-r5 apk
musl 1.2.4_git20230717-r4 apk
musl-utils 1.2.4_git20230717-r4 apk
scanelf 1.3.7-r2 apk
ssl_client 1.36.1-r15 apk
stdlib go1.22.2 go-module (+18 duplicates)
zlib 1.3.1-r0 apk
Not sure why it was added in there in the first place though.
Thanks so much for this, @mathieu-benoit! I highly appreciate the elaborate and clear pull-request description + links.
Just had a question before merging. :)
scratch for the final image for checkout, frontend, productcatalog and shipping.

Objectives for the Golang apps:
busybox)
alpine previously

Addressing #693 for the Golang apps.

Associated resources for the inspiration and for the guidance:

The size is reduced:
For checkoutservice it's 8MB saved on disk:
For frontend it's 15.7 MB saved on disk:

The number of packages is reduced:
With a tool like syft we could see that all the unnecessary/unsecured packages have been removed.
For checkoutservice, from 57 packages we are now at 40 packages, here are the ones removed:
For frontend, from 82 packages we are now at 48 packages, here are the ones removed:
On these now missing packages, that's avoiding/removing any CVEs debt/fatigue on them.

Important notes: removing busybox/wget is a great improvement from a security standpoint, nobody can do docker exec or kubectl exec on them.

The number of CVEs is reduced:
With a tool like trivy we could see that the alpine based one has currently 2 CVEs:
On the other hand, the new one doesn't have any CVEs.

Also, based on the GKE Security Posture feature, for frontend, this will fix these 25 CVEs:

Tests:
Successfully tested:
docker compose:
scratch for golang apps Humanitec-DemoOrg/onlineboutique-demo#17
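The pattern the description and the ca-certificates discussion above describe, written out as an added example (this is not the PR's Dockerfile or any file from the repository): a builder stage on the pinned golang:1.22.2-alpine image that installs no extra apk packages, because the syft listing shows ca-certificates is already there, and a scratch final stage that receives only the static binary and the CA bundle copied out of the builder. The service name, source layout, output path and UID are assumptions.

```dockerfile
# Added example, not the PR's Dockerfile. Digest is the one pinned in the hunk above;
# /src, /out/app and the UID are placeholders.
FROM golang:1.22.2-alpine@sha256:cdc86d9f363e8786845bea2040312b4efa321b828acdeb26f393faa864d887b0 AS builder

# No `apk add ca-certificates`: the base image already ships the bundle
# (ca-certificates / ca-certificates-bundle in the syft output above).
WORKDIR /src
COPY go.mod go.sum ./
# Modules come from the module proxy, so git is not needed in the build stage.
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a fully static binary that can run on an empty rootfs.
# -trimpath and -s -w drop build paths and debug symbols from the artifact.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app .

# Final stage: empty filesystem, so no shell, no busybox, no wget, no package manager.
FROM scratch

# The only runtime dependency for outbound HTTPS is the trusted CA bundle; Go's
# crypto/x509 reads it from this path on Linux. Without this COPY, TLS to any
# external endpoint fails with "x509: certificate signed by unknown authority".
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=builder /out/app /app

# scratch has no /etc/passwd, so the unprivileged user is given numerically.
USER 65532:65532

# Exec form: there is no /bin/sh to interpret a shell-form command, and
# `docker exec` / `kubectl exec` into a shell is impossible for the same reason.
ENTRYPOINT ["/app"]
```

After building, `syft <image>` should list only the Go binary and its modules, and `trivy image <image>` should report no OS packages at all; if the service needs time-zone data or a `/tmp` directory, those also have to be copied in explicitly, since scratch provides nothing.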