fix(docker): Docker files update instructions are used alone

[PatStiles]

Overview:

The Dockerfiles used to build the project images update the package manager cache without installing any packages in the same layer and delete the apt-get lists after.

Mitigation:

Update the packages and installing the required packages in the same layer to reduce the image size.

For example with the operator/docker/operator.Dockerfile

FROM golang:1.22.4

# Get Ubuntu packages
RUN apt-get update && apt-get install --no-install-recommends -y \
    build-essential \
    curl \
    openssl \
    libssl-dev && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Get Rust
RUN curl https://sh.rustup.rs -sSf | bash -s -- -y

# Add cargo to path
ENV PATH="/root/.cargo/bin:${PATH}"

WORKDIR /usr/src/app

# Copy the Makefile and the operator (for the FFI)
COPY Makefile /usr/src/app
COPY operator /usr/src/app/operator

# Build the FFI
RUN make build_all_ffi_linux

# Copy dependencies
COPY go.mod go.sum ./
COPY metrics /usr/src/app/metrics
COPY contracts/script/output /usr/src/app/contracts/script/output
COPY contracts/bindings /usr/src/app/contracts/bindings
COPY core /usr/src/app/core
COPY common /usr/src/app/common

# Download dependencies
RUN go mod download && go mod tidy && go mod verify

# Build the operator
RUN go build -v -o /usr/local/bin/operator /usr/src/app/operator/cmd/main.go

ENTRYPOINT [ "/usr/local/bin/operator", "start", "--config", "/usr/src/config/operator.yaml"]

References

• Checkov reference
• Hadolint reference

[Oppen]

Given this is clearly meant to optimize image size, it's worth mentioning that we could also use a builder image separate from the runtime image. The latter could probably be a scratch one.