Description
Working on a project I saw that we had a Dockerfile that was building PHP from scratch, starting from a Debian image and building PHP, extensions, etc. I was like ... why is it this way?
After digging a bit, I found out that the official PHP container image has more vulnerabilities and it's way larger than the custom built one (with extensions).
So the natural question is: is there any reason for not using multistage builds when it comes to PHP images?
Right now, I've pivoted from building everything from scratch, but I'm starting with the same PHP:8.4.11-fpm as a builder, installing everything that's needed in that image, and then just copying the PHP binaries and extensions, using LDD to see what libraries I need to install to have everything running. The resulting image (with extensions) is just 67.17 MiB large with 81 vulnerabilities (scanned with Trivy v0.64.1), as opposed to the PHP:8.4.11-fpm image from Docker Hub, which is (without extensions) 195.32 MiB with 533 vulnerabilities.
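The ldd step described above, as an added shell example that is not the issue author's or the php image project's code: it parses ldd output for the copied binaries and extensions, flags anything unresolved, and maps each library to the Debian package that owns it so the runtime stage installs only those. The binary and extension paths, and the sample ldd output, are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue): find the shared libraries PHP binaries
# and extension .so files need, and which Debian packages own them, so the
# runtime stage of a multistage build installs only those packages.
# Assumes a Debian-based builder stage with dpkg, like the official php image.
set -e

# Parse ldd output into a sorted, unique list of resolved library paths.
# The vDSO and dynamic loader have no "=>" field and are skipped.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# Libraries ldd could not resolve: PHP or that extension would fail to load.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" { print $1 }' | sort -u
}

# Map library paths (stdin) to owning Debian packages. realpath follows the
# merged-/usr symlink (/lib -> /usr/lib) so dpkg -S finds the recorded path;
# libraries no package owns must be copied from the builder stage instead.
owning_packages() {
    while IFS= read -r lib; do
        if pkg=$(dpkg -S "$(realpath "$lib")" 2>/dev/null); then
            printf '%s\n' "${pkg%%:*}"
        else
            printf 'UNOWNED %s\n' "$lib"
        fi
    done | sort -u
}

# Constructed sample in the format ldd prints (addresses are made up).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc1a5f3000)
    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1b2c000000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1b2bfe0000)
    libsodium.so.23 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b2bc00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1b2c200000)'

if [ "$#" -gt 0 ]; then
    # In the builder stage, e.g. (assumed paths of the official image):
    #   sh deps.sh /usr/local/bin/php /usr/local/sbin/php-fpm \
    #       /usr/local/lib/php/extensions/*/*.so
    ldd "$@" | ldd_libs | owning_packages
    ldd "$@" | ldd_missing | sed 's/^/MISSING /'
else
    printf '%s\n' "$SAMPLE_LDD" | ldd_libs
    printf '%s\n' "$SAMPLE_LDD" | ldd_missing | sed 's/^/MISSING /'
fi
```

Run it in the builder stage against the binaries you copy; a MISSING or UNOWNED line means the runtime image needs that library copied in rather than installed from apt.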