use distroless base image

[matthyx]

Overview

[codiumai-pr-agent]

PR Analysis

• 🎯 Main theme: Change the base image of the Dockerfile to distroless
• 📌 Type of PR: Enhancement
• 🧪 Relevant tests added: No
• ✨ Focused PR: Yes, the PR is focused as it only changes the Dockerfile to use a distroless base image
• 🔒 Security concerns: No, the PR does not introduce any obvious security issues. However, running the application as root in the Docker container could potentially pose a security risk if the container is compromised.

PR Feedback

• General suggestions: The PR is well-structured and the changes are clear. However, it would be beneficial to include a brief explanation in the PR description about why the base image is being changed to distroless. This would provide context to reviewers and future developers. Additionally, it would be helpful to include tests that verify the application still functions as expected with the new base image.

• 🤖 Code feedback:

  • relevant file: build/Dockerfile
    suggestion: Consider using a specific version of the distroless image instead of 'latest'. Using 'latest' can lead to non-deterministic builds, as the 'latest' tag can point to different images over time. It's a best practice to use a specific version to ensure the build is repeatable. [important]
    relevant line: FROM gcr.io/distroless/static-debian11:latest

  • relevant file: build/Dockerfile
    suggestion: It's a good practice to run the application as a non-root user for security reasons. Consider creating a non-root user in the Dockerfile and use the USER directive to switch to that user. [important]
    relevant line: WORKDIR /root

  • relevant file: build/Dockerfile
    suggestion: The ARG 'image_version' is used but not defined in the Dockerfile. It's a good practice to provide a default value for ARGs in case they're not provided at build time. [medium]
    relevant line: ARG image_version

How to use

To invoke the PR-Agent, add a comment using one of the following commands:
/review [-i]: Request a review of your Pull Request. For an incremental review, which only considers changes since the last review, include the '-i' option.
/describe: Modify the PR title and description based on the contents of the PR.
/improve: Suggest improvements to the code in the PR.
/ask <QUESTION>: Pose a question about the PR.

To edit any configuration parameter from 'configuration.toml', add --config_path=new_value
For example: /review --pr_reviewer.extra_instructions="focus on the file: ..."
To list the possible configuration parameters, use the /config command.

[github-actions]

Summary:

• License scan: success
• Credentials scan: success
• Vulnerabilities scan: success
• Unit test: success
• Go linting: success

[github-actions]

Summary:

• License scan: success
• Credentials scan: success
• Vulnerabilities scan: success
• Unit test: success
• Go linting: success

[github-actions]

Summary:

• License scan: success
• Credentials scan: success
• Vulnerabilities scan: success
• Unit test: success
• Go linting: success

[matthyx]

we don't fail more tests than before... so I guess it's fine

[Bezbran]

Why not from scratch?
We can always copy busybox into the running container for debugging.
And we can create yet another image for each build with busybox inside.

[matthyx]

Why not from scratch? We can always copy busybox into the running container for debugging. And we can create yet another image for each build with busybox inside.

distroless is scratch + passwd + ssl certificates

you cannot copy things inside a container with kubectl cp without a shell and tar

[alegrey91]

Thanks @matthyx for this great improvement!
Please, correct me if I'm wrong, but we should adjust the pipeline according to the new ARG items provided (TARGETOS, TARGETARCH, image_version), right?

[alegrey91]

shouldn't we provide TARGETOS and TARGETARCH in the pipeline?

[matthyx]

Nope, this is already provided by builds during the Docker build

[alegrey91]

ok, great, what about the image_version instead?

[alegrey91]

same as above

[alegrey91]

LGTM

[dwertent]

TODO: Open a PR in the helm-chart

[matthyx]

TODO: Open a PR in the helm-chart

kubescape/helm-charts#259