Replies: 1 comment
-
|
The vulnerability count is a definite red herring (see https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves). I'm guessing one major difference between the image you started with and the images we provide is that ours pre-include the compiler, etc for building additional extensions in dependent images. Your multi-stage approach is a sane one - I'd just caution that you make sure the |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Working on a project I saw that we had a Dockerfile that was building PHP from scratch, starting from a Debian image and building PHP, extensions, etc. I was like ... why is it this way?
After digging a bit, I found out that the official PHP container image has more vulnerabilities and it's way larger than the custom built one (with extensions).
So the natural question is: is there any reason for not using multistage builds when it comes to PHP images?
Right now, I've pivoted from building everything from scratch but I'm starting with the same PHP:8.4.11-fpm as a builder, install everything that's needed in that image and then just copy the PHP binaries, extensions and LDD to see what libraries I need to install to have everything running. The resulting image (with extensions) is just 67.17 MiB large with 81 vulnerabilities (scanned with Trivy (v0.64.1) as opposed to the PHP:8.4.11-fpm image from Dockerhub which is (without extensions) 195.32MiB with 533 vulnerabilities.
Beta Was this translation helpful? Give feedback.
All reactions