
fix(security): container autofix for pegaprox#440

Merged
mkellermann97 merged 2 commits into
Testingfrom
main
May 21, 2026

Conversation

@mkellermann97

Contributor

No description provided.

@qodo-code-review


Review Summary by Qodo

Enhance Dockerfile security with image pinning and upgrades

🐞 Bug fix ✨ Enhancement


Walkthroughs

Description
• Pin base Docker image to specific SHA256 digest for reproducibility
• Add apt-get upgrade step to patch system dependencies
• Improve container security by ensuring latest package versions
Diagram

```mermaid
flowchart LR
  A["Dockerfile base image"] -- "pin to SHA256 digest" --> B["Reproducible builds"]
  C["apt-get install"] -- "add upgrade step" --> D["Latest patched packages"]
  B --> E["Enhanced security"]
  D --> E
```

File Changes

1. Dockerfile Security +2/-2

Pin base image and upgrade system packages

• Pin python:3.12-slim base image to specific SHA256 digest for reproducible and secure builds
• Add apt-get upgrade -y command to ensure all system packages are updated to latest versions
• Maintains existing dependency installation and cleanup steps

Dockerfile



@qodo-code-review

qodo-code-review Bot commented May 21, 2026


Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0)



Action required

1. Non-reproducible image builds 🐞 Bug ☼ Reliability
Description
The Docker build now runs apt-get upgrade -y, so rebuilding the same git SHA later can produce a
different image depending on whatever Debian packages are current at build time. This undermines the
intended determinism/provenance benefit of pinning the base image by digest and makes published
images harder to debug/audit.
Code

Dockerfile[11]

Evidence
The Dockerfile now upgrades all preinstalled OS packages at build time, and the CI workflow
builds/pushes images on every main push/tag, so rebuild output must be stable for a given commit;
apt-get upgrade breaks that determinism.

Dockerfile[1-14]
.github/workflows/docker.yml[6-55]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`apt-get upgrade -y` during `docker build` makes the resulting image depend on the state of Debian repositories at build time, so the same source commit can yield different images.

## Issue Context
The repo publishes images from CI; reproducible rebuilds are important for provenance and debugging.

## Fix Focus Areas
- Dockerfile[11-14]

## Suggested fix
- Remove `apt-get upgrade -y` from the build step.
- Keep `apt-get update && apt-get install ...` for required packages.
- If the goal is security patching, prefer updating the pinned base image digest regularly (and/or pin explicit Debian package versions instead of upgrading everything implicitly).


Remediation recommended

2. APT cache not cleaned 🐞 Bug ➹ Performance
Description
After adding apt-get upgrade -y, the Dockerfile still only removes /var/lib/apt/lists/*, leaving
downloaded .deb archives in APT cache and increasing final image size. This slows CI builds and
image pulls and increases registry/storage footprint.
Code

Dockerfile[R11-14]

Evidence
The Dockerfile’s cleanup only removes APT lists, not archives; elsewhere in the repo, an
appliance-creation script explicitly runs apt-get clean plus list removal, demonstrating the
intended cleanup approach.

Dockerfile[10-14]
misc/proxmox-lxc-appliance-creator.sh[91-102]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The build step downloads additional packages (especially with `apt-get upgrade`) but does not clean the APT archives cache, which bloats the final image.

## Issue Context
The Dockerfile currently removes package lists only (`/var/lib/apt/lists/*`), but `.deb` archives typically remain under `/var/cache/apt/archives` unless cleaned.

## Fix Focus Areas
- Dockerfile[11-14]

## Suggested fix
In the same RUN layer, after installs/upgrades, add cleanup such as:
- `apt-get clean`
- optionally `rm -rf /var/cache/apt/archives/*`
- keep `rm -rf /var/lib/apt/lists/*`
- optionally `apt-get autoremove -y` (if safe for your image)

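Both findings above (a blanket `apt-get upgrade` that cancels the reproducibility the digest pin was meant to buy, and `.deb` archives left in the layer) can be caught mechanically before merge. The script below is an added example, not code from the PR, from Qodo, or from the pegaprox project: a small POSIX shell lint over Dockerfile text that folds backslash-continued `RUN` lines and flags an unpinned `FROM`, `apt-get upgrade` inside a layer, and package-fetching layers that skip `apt-get clean` or leave `/var/lib/apt/lists` behind. It runs on two constructed Dockerfiles that mirror the "before" of this change and the review's suggested "after"; the digest in the corrected sample is a zero placeholder, not a real image digest, and the finding names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the PR or the pegaprox project): lint a Dockerfile's
# text for the two review findings plus the missing base-image digest pin.
# Findings are printed one per line; the function returns 0 when nothing is flagged.
#   FROM-unpinned     : a FROM line without an @sha256: digest
#   RUN-apt-upgrade   : apt-get upgrade inside a RUN layer (build output depends on
#                       the mirror state at build time, so the same commit != same image)
#   RUN-no-apt-clean  : layer fetches packages but never runs apt-get clean
#   RUN-no-lists-rm   : layer leaves /var/lib/apt/lists behind

lint_dockerfile() {
    # Fold backslash-continued lines so every instruction is one logical line
    # (sed idiom: while the pattern space ends in '\', append the next line).
    joined=$(printf '%s\n' "$1" | sed -e ':a' -e '/\\$/N; s/\\\n//; ta')
    rc=0
    while IFS= read -r line; do
        case "$line" in
            FROM*)
                case "$line" in
                    *@sha256:*) ;;
                    *) echo "FROM-unpinned: $line"; rc=1 ;;
                esac
                ;;
            RUN*"apt-get install"*|RUN*"apt-get upgrade"*)
                case "$line" in
                    *"apt-get upgrade"*) echo "RUN-apt-upgrade: layer runs apt-get upgrade"; rc=1 ;;
                esac
                case "$line" in
                    *"apt-get clean"*) ;;
                    *) echo "RUN-no-apt-clean: layer fetches packages without apt-get clean"; rc=1 ;;
                esac
                case "$line" in
                    */var/lib/apt/lists*) ;;
                    *) echo "RUN-no-lists-rm: layer leaves /var/lib/apt/lists behind"; rc=1 ;;
                esac
                ;;
        esac
    done <<EOF
$joined
EOF
    return $rc
}

# Constructed sample 1: the shape of the change under review (unpinned base image,
# blanket upgrade, lists removed but archives kept).
BEFORE_DOCKERFILE='FROM python:3.12-slim
# Install system dependencies
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY . /app'

# Constructed sample 2: the reviewed shape. The sha256 value is a PLACEHOLDER, not a
# real digest; in practice it comes from the registry and is bumped to pick up patches.
AFTER_DOCKERFILE='FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
# Install system dependencies (no blanket upgrade: patch by bumping the digest above)
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
COPY . /app'

# Demo on the two constructed samples when invoked as: sh lint.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "== before =="; lint_dockerfile "$BEFORE_DOCKERFILE" || echo "(exit status $?)"
    echo "== after ==";  lint_dockerfile "$AFTER_DOCKERFILE" && echo "clean"
fi
```

On the first sample the lint reports three findings (unpinned `FROM`, `apt-get upgrade`, no `apt-get clean`) and exits non-zero; on the second it reports nothing. The checks are deliberately textual so they can sit in a pre-commit hook or a CI job next to the image build, and the `@sha256:` check only asserts that a digest is present, not that it is the current one, so pairing it with a scheduled digest bump is still needed for patching.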

@mkellermann97 mkellermann97 merged commit b7229c3 into Testing May 21, 2026
10 checks passed
Comment thread Dockerfile

# Install system dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
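Review bot: the `apt-get upgrade -y` added to this RUN layer makes the image depend on the Debian mirror state at build time, which cancels the reproducibility the digest pin on the base image was meant to provide; if the intent is patched system packages, bump the pinned digest instead and keep the line as `RUN apt-get update && apt-get install -y --no-install-recommends \`. If the upgrade stays, the layer's cleanup should also run `apt-get clean` before `rm -rf /var/lib/apt/lists/*`, otherwise the fetched `.deb` archives remain in the layer and grow the image.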


Action required

1. Non-reproducible image builds 🐞 Bug ☼ Reliability

The Docker build now runs apt-get upgrade -y, so rebuilding the same git SHA later can produce a
different image depending on whatever Debian packages are current at build time. This undermines the
intended determinism/provenance benefit of pinning the base image by digest and makes published
images harder to debug/audit.
