Remove linux-libc-dev to avoid false-positives.

Container scans generate hundreds of findings on linux-libc-dev, even though the package only contains headers. These headers aren't needed anyway, so we remove them to eliminate the false-positives.
WarnerMedia · Nov 4, 2024 · bc2020c · bc2020c
1 parent aa34df7
commit bc2020c
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/backend/Dockerfiles/Dockerfile.ruby b/backend/Dockerfiles/Dockerfile.ruby
@@ -10,13 +10,15 @@ ARG BUNDLER_VER=0.9.2
 # Run all additional config in a single RUN to reduce the layers:
 # - Install brakeman and bundler-audit
 # - Install git as a dependency of bundler-audit.
-# - Remove bundler-audit rspec Gemfiles to avoid false-positives in scans.
+# - Remove unused packages and bundler-audit rspec Gemfiles to avoid
+#   false-positives in scans.
 # hadolint ignore=DL3008
 RUN apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y --no-install-recommends git && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* && \
     gem install brakeman --version ${BRAKEMAN_VER} && \
     gem install bundler-audit --version ${BUNDLER_VER} && \
-    rm -rf /usr/local/bundle/gems/bundler-audit-${BUNDLER_VER}/spec/
+    rm -rf /usr/local/bundle/gems/bundler-audit-${BUNDLER_VER}/spec/ && \
+    apt-get remove -y linux-libc-dev && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*