docker: purge zlib1g-dev
zlib1g-dev package is installed by ruby:2.6-slim, our upstream base. The installation of this package pulls in linux-libc-dev by way of transitive deps. None of these packages are required at runtime. Kernel binary packages are problematic because they tend to trigger security warnings in our automated tooling. (It’s a bit silly to be shipping container images with kernel packages, anyway.)
See internal topic 34843 for more context.
cvulnscan was clean on an image built from this commit.
diff --git a/Dockerfile b/Dockerfile index 03cebd6..9c11d0f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ RUN apt-get update \ && gem install git-version-bump \ && bundle config set without development \ && bundle install \ - && apt-get purge -y build-essential git \ + && apt-get purge -y build-essential git zlib1g-dev \ && apt-get --purge -y autoremove \ && rm -rf /var/lib/apt/lists/*
GitHub sha: 8ccc23b6