Harden Dockerfile: explicit base image and pip upgrade#11

Draft
Copilot wants to merge 2 commits into main from copilot/update-dockerfile-for-security

Conversation


Copilot AI commented Nov 18, 2025

Reduces container vulnerabilities by pinning the base image version and ensuring pip is upgraded before dependency installation.

Changes

Builder stage:

  • Pin base image: python:3.11-slim → python:3.11-slim-bullseye
  • Upgrade pip before building wheels: python -m pip install --upgrade pip

Multi-stage build fix:

  • Move ARG CUDA_IMAGE_TAG to global scope (before all FROM statements) to resolve Docker parsing error

Diff

# Before
FROM python:3.11-slim AS builder
...
RUN pip wheel --no-cache-dir --wheel-dir /build/wheels -r requirements.txt

ARG CUDA_IMAGE_TAG=12.4.1-runtime-ubuntu22.04
FROM nvidia/cuda:${CUDA_IMAGE_TAG} AS runtime

# After
ARG CUDA_IMAGE_TAG=12.4.1-runtime-ubuntu22.04

FROM python:3.11-slim-bullseye AS builder
...
RUN python -m pip install --upgrade pip && \
    pip wheel --no-cache-dir --wheel-dir /build/wheels -r requirements.txt

FROM nvidia/cuda:${CUDA_IMAGE_TAG} AS runtime
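Review bot: the "after" FROM line pins the builder to python:3.11-slim-bullseye, a Debian 11 base, whereas the floating python:3.11-slim tag it replaces resolves to a newer Debian release (bookworm or later), so this explicit pin moves the builder to an older OS and can raise, not lower, the vulnerability count in trivy-report.json. Pin to the current slim variant and, for reproducibility, to an image digest (e.g. FROM python:3.11-slim-bookworm@sha256:...) rather than a mutable tag. In the same hunk the RUN line upgrades pip with python -m pip but then invokes the bare pip for the wheel build; use python -m pip for both commands so the upgraded pip is the one that runs.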

Existing best practices preserved: --no-cache-dir flags, apt list cleanup, non-root user, multi-stage isolation.

Original prompt

Update the repository Dockerfile to reduce container vulnerabilities by using a newer explicit base image and ensuring pip is upgraded and dependencies are installed with no cache. Changes to make:

  1. If a Dockerfile exists at the repository root, modify it as follows:

    • Replace the FROM line with: FROM python:3.11-slim-bullseye
    • Add a step to copy only requirements.txt and run:
      RUN python -m pip install --upgrade pip &&
      python -m pip install --no-cache-dir -r requirements.txt
      (Place this before copying the full application to leverage Docker cache.)
    • If the Dockerfile installs apt packages, ensure apt-get update is run and lists are cleaned:
      RUN apt-get update && apt-get install -y --no-install-recommends && rm -rf /var/lib/apt/lists/*
    • Keep existing commands (WORKDIR, COPY, CMD) but reorder COPY so requirements are copied before full source.
  2. If there is no Dockerfile in the repo root, create or update Dockerfile.test used by the workflow at .github/workflows/container-scan.yml to include the same lines.

  3. Do not modify the CI workflow except to ensure it can build the updated Dockerfile. The workflow reference: .github/workflows/container-scan.yml (ref: 916a901)

Deliverables:

  • Create a new branch, add the modified Dockerfile (or Dockerfile.test if Dockerfile missing), commit with a clear message, and open a pull request targeting main with the title above.
  • In the pull request description, explain the change (explicit base image + pip upgrade + no-cache install) and request that the CI reruns to produce trivy-report.json for verification.

Notes for the implementer:

  • If requirements.txt is missing, add a placeholder minimal requirements.txt with a comment and an instruction to maintainers to pin dependencies; include it in the commit so the Dockerfile build step succeeds in CI.
  • Do not change file permissions or unrelated files.
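As an added example (not the PR's Dockerfile or the project's own code), this is a complete multi-stage Dockerfile that applies every item in the prompt above together with the PR's global-scope ARG fix. It assumes a bookworm (Debian 12) slim base instead of the prompt's bullseye, a main.py entrypoint, and that the runtime interpreter is compatible with the wheels the builder produces.

```dockerfile
# syntax=docker/dockerfile:1
# An ARG declared before the first FROM is global-scope, so every stage's FROM can
# expand it; declaring it between stages is the parsing error the PR fixes.
ARG CUDA_IMAGE_TAG=12.4.1-runtime-ubuntu22.04

# ---- builder stage: its only job is to produce wheels ----
# Assumption: bookworm (Debian 12) is used instead of the prompt's bullseye (Debian 11).
# For reproducible builds pin the digest: python:3.11-slim-bookworm@sha256:<digest>
FROM python:3.11-slim-bookworm AS builder
WORKDIR /build
# Copy only requirements.txt first so this layer stays cached until dependencies change.
COPY requirements.txt .
RUN python -m pip install --upgrade pip && \
    python -m pip wheel --no-cache-dir --wheel-dir /build/wheels -r requirements.txt

# ---- runtime stage: no build tools, no pip cache, non-root user ----
FROM nvidia/cuda:${CUDA_IMAGE_TAG} AS runtime
# apt-get update and install in one layer, then drop the package lists.
RUN apt-get update && \
    apt-get install -y --no-install-recommends python3 python3-pip && \
    rm -rf /var/lib/apt/lists/*
# Install only from the builder's wheels; --no-index blocks any network fetch here.
# Assumption: the wheels are pure Python, or this interpreter matches the builder's 3.11.
COPY --from=builder /build/wheels /tmp/wheels
COPY requirements.txt /tmp/requirements.txt
RUN python3 -m pip install --no-cache-dir --no-index --find-links=/tmp/wheels \
        -r /tmp/requirements.txt && \
    rm -rf /tmp/wheels /tmp/requirements.txt
# Unprivileged runtime user.
RUN useradd --system --create-home --uid 10001 appuser
WORKDIR /app
# Application source is copied last so code changes do not invalidate the dependency
# layers; it stays root-owned (world-readable) so the process cannot rewrite its own code.
COPY . .
USER appuser
# Assumption: main.py is the entrypoint (placeholder for the project's real command).
CMD ["python3", "main.py"]
```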


Co-authored-by: igor-holt <125706350+igor-holt@users.noreply.github.com>
Copilot AI changed the title [WIP] Update Dockerfile to reduce container vulnerabilities Harden Dockerfile: explicit base image and pip upgrade Nov 18, 2025