fix: Updates all dependencies used in Dockerfile and fix Docker image (…

…#507) * Docker doesn't provide possibilities for avoiding trash There is no possibility to exclude part of the "pre-installed" files from COPY steps like moby/buildkit#2853 And copy-paste mostly all `site-packages` without it is not worth it
antonbabenko · Apr 21, 2023 · dc177fe · dc177fe
1 parent 7d501b1
commit dc177fe
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 11 deletions.
diff --git a/.github/.container-structure-test-config.yaml b/.github/.container-structure-test-config.yaml
@@ -43,7 +43,7 @@ commandTests:
   - name: "tflint"
     command: "tflint"
     args: [ "--version" ]
-    expectedOutput: [ "TFLint version ([0-9]+\\.){2}[0-9]+\\n$" ]
+    expectedOutput: [ "TFLint version ([0-9]+\\.){2}[0-9]+\\n" ]
 
   - name: "tfsec"
     command: "tfsec"

diff --git a/.github/.dive-ci.yaml b/.github/.dive-ci.yaml
@@ -1,13 +1,13 @@
 rules:
   # If the efficiency is measured below X%, mark as failed.
   # Expressed as a ratio between 0-1.
-  lowestEfficiency: 0.99
+  lowestEfficiency: 0.987
 
   # If the amount of wasted space is at least X or larger than X, mark as failed.
   # Expressed in B, KB, MB, and GB.
-  highestWastedBytes: 12MB
+  highestWastedBytes: 21MB
 
   # If the amount of wasted space makes up for X% or more of the image, mark as failed.
   # Note: the base image layer is NOT included in the total image size.
   # Expressed as a ratio between 0-1; fails if the threshold is met or crossed.
-  highestUserWastedPercent: 0.02
+  highestUserWastedPercent: 0.025
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,15 @@
-ARG TAG=3.10.1-alpine3.15@sha256:dce56d40d885d2c8847aa2a278a29d50450c8e3d10f9d7ffeb2f38dcc1eb0ea4
+ARG TAG=3.11.1-alpine3.17
 FROM python:${TAG} as builder
 
 WORKDIR /bin_dir
 
 RUN apk add --no-cache \
     # Builder deps
-    curl=~7 && \
-    # Upgrade pip for be able get latest Checkov
-    python3 -m pip install --no-cache-dir --upgrade pip
+    curl=~8 && \
+    # Upgrade packages for be able get latest Checkov
+    python3 -m pip install --no-cache-dir --upgrade \
+        pip \
+        setuptools
 
 ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest}
 ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-latest}
@@ -60,7 +62,7 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 RUN . /.env && \
     if [ "$CHECKOV_VERSION" != "false" ]; then \
     ( \
-        apk add --no-cache gcc=~10 libffi-dev=~3 musl-dev=~1; \
+        apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \
         [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \
         || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \
         apk del gcc libffi-dev musl-dev \
@@ -176,7 +178,7 @@ RUN apk add --no-cache \
     bash=~5 \
     # pre-commit-hooks deps: https://github.com/pre-commit/pre-commit-hooks
     musl-dev=~1 \
-    gcc=~10 \
+    gcc=~12 \
     # entrypoint wrapper deps
     su-exec=~0.2
 
@@ -189,7 +191,7 @@ COPY --from=builder \
     /usr/local/bin/checkov* \
         /usr/bin/
 # Copy pre-commit packages
-COPY --from=builder /usr/local/lib/python3.10/site-packages/ /usr/local/lib/python3.10/site-packages/
+COPY --from=builder /usr/local/lib/python3.11/site-packages/ /usr/local/lib/python3.11/site-packages/
 # Copy terrascan policies
 COPY --from=builder /root/ /root/