
docker base image changes #364

Closed
wants to merge 2 commits into from
Conversation

alanjino
Collaborator

No description provided.


dryrunsecurity bot commented May 10, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status         | Findings
-------------------------------|-----------
Configured Codepaths Analyzer  | 0 findings
Sensitive Files Analyzer       | 4 findings
Authn/Authz Analyzer           | 0 findings
AppSec Analyzer                | 0 findings
Secrets Analyzer               | 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request focus on updating the base images used in the Dockerfiles for the client, agent, and migration components of the k8smetrics application. The key changes include:

  1. Secure Base Images: The project is moving to use more secure and optimized base images, such as cgr.dev/chainguard/go:latest and cgr.dev/chainguard/static:latest, which are designed with security in mind and likely provide a more secure foundation for the application.

  2. Reduced Attack Surface: The use of minimal, static base images like cgr.dev/chainguard/static:latest helps to reduce the attack surface of the containers by containing only the necessary components and dependencies required to run the application.

  3. Immutability: The cgr.dev/chainguard/static:latest image is designed to be immutable, which helps to ensure the integrity of the runtime environment and reduces the risk of runtime vulnerabilities.

  4. Non-Root Execution: The containers are being set to run as a non-root user (UID and GID of 65532), which reduces the potential impact of any security vulnerabilities that may be present in the application.

  5. Dependency Management: The application is using the go mod download command to download its dependencies, and it's important to ensure that these dependencies are also secure and free from known vulnerabilities.

  6. ClickHouse Dependency: The application has a dependency on a ClickHouse database, and the security of this dependency should also be considered and evaluated.

Overall, the changes in this pull request appear to be focused on improving the security posture of the k8smetrics application by using more secure base images, reducing the attack surface, and implementing best practices such as non-root execution. These changes are a positive step towards enhancing the overall security of the application.

Files Changed:

  1. dockerfiles/client/Dockerfile: The base images have been updated to use more secure and optimized images, such as cgr.dev/chainguard/go:latest and cgr.dev/chainguard/static:latest.
  2. dockerfiles/agent/git/Dockerfile: The base images have been updated, and the container is set to run as a non-root user (UID and GID of 65532).
  3. dockerfiles/agent/container/Dockerfile: The base images have been updated, and the container is set to run as a non-root user (UID and GID of 65532).
  4. dockerfiles/migration/Dockerfile: The base images have been updated, and the permissions of the /sql directory have been set to 777. The container is set to run as a non-root user (UID and GID of 65532).

Powered by DryRun Security

@alanjino alanjino closed this May 13, 2024