Commit

remove platform build arg, pin python deps, update repo ref to commit…
… ref
mikealfare committed Apr 12, 2024
1 parent 2335ddc commit d11a563
Showing 1 changed file with 4 additions and 5 deletions.
9 changes: 4 additions & 5 deletions docker/Dockerfile
@@ -1,8 +1,7 @@
# this image gets published to GHCR for production use
ARG build_for=linux/amd64
ARG py_version=3.10.7

FROM --platform=$build_for python:$py_version-slim-bullseye as base
FROM python:$py_version-slim-bullseye as base

RUN apt-get update \
&& apt-get dist-upgrade -y \
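Review bot: The `FROM python:$py_version-slim-bullseye as base` line no longer fixes the target platform, while the header comment says this image is published to GHCR for production use, so the architecture of the published image now depends on the build host or on a `--platform` flag passed at build time. Please state in that header comment how the platform is meant to be selected, since a caller still passing `--build-arg build_for=...` no longer has any effect on the image. As this commit is about pinning, note that the base image is still referenced by a mutable tag; referencing it by digest as well would fix the base layer too.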
Expand All @@ -23,16 +22,16 @@ RUN apt-get update \
ENV PYTHONIOENCODING=utf-8
ENV LANG=C.UTF-8

RUN python -m pip install --upgrade pip setuptools wheel --no-cache-dir
RUN python -m pip install --upgrade "pip==24.0" "setuptools==69.2.0" "wheel==0.43.0" --no-cache-dir


FROM base as dbt-snowflake

Check failure on line 28 in docker/Dockerfile

Wiz Inc. (266a8a9c32) / Wiz IaC Scanner

Missing User Instruction

Rule ID: e54afcf9-dc71-484a-8967-d930e3044062
Severity: High
Resource: FROM={{base as dbt-snowflake}}
A user should be specified in the dockerfile, otherwise the image will run as root
Raw output
Expected: The 'Dockerfile' should contain the 'USER' instruction
Found: The 'Dockerfile' does not contain any 'USER' instruction

ARG dbt_snowflake_ref=dbt-snowflake@main
ARG commit_ref=main

HEALTHCHECK CMD dbt --version || exit 1

WORKDIR /usr/app/dbt/
ENTRYPOINT ["dbt"]

RUN python -m pip install --no-cache-dir "dbt-snowflake @ git+https://github.com/dbt-labs/${dbt_snowflake_ref}"
RUN python -m pip install --no-cache-dir "dbt-snowflake @ git+https://github.com/dbt-labs/dbt-snowflake@${commit_ref}"
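Review bot: `ARG commit_ref=main` defaults to a branch name, so a build that does not pass `--build-arg commit_ref=<sha>` still installs whatever the head of `main` is at build time, and the install is not pinned by default. Consider removing the default and requiring a full commit SHA from the caller, or document next to the `ARG` that release builds must pass one. The rename from `dbt_snowflake_ref` to `commit_ref` also means a caller still passing the old build arg falls back to `main`, which deserves a comment above the `ARG`. Separately, the `dbt-snowflake` stage reaches `ENTRYPOINT ["dbt"]` with no `USER` instruction, so the container runs as root; adding a non-root `USER` before the entrypoint would clear the failing check on this stage.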

Check warning on line 37 in docker/Dockerfile

Wiz Inc. (266a8a9c32) / Wiz IaC Scanner

Unpinned Package Version in Pip Install

Rule ID: 1f0d05d7-8caf-4f04-bc60-332d472de5a9
Severity: Medium
Resource: FROM={{base as dbt-snowflake}}.{{RUN python -m pip install --no-cache-dir "dbt-snowflake @ git+https://github.com/dbt-labs/dbt-snowflake@${commit_ref}"}}
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Raw output
Expected: RUN instruction with 'pip/pip3 install <package>' should use package pinning form 'pip/pip3 install <package>=<version>'
Found: RUN instruction python -m pip install --no-cache-dir "dbt-snowflake @ git+https://github.com/dbt-labs/dbt-snowflake@main" does not use package pinning form
