hardening docker image

remove the python packages setuptools, wheel and pip from
final image to reduce the attack surface

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- remove python packages setuptools, wheel, pip from final image to reduce the attack surface
+ 
 ## [0.5.3] - 2023-11-12
 
 - remove apk packet manager from the final image

app/Dockerfile

@@ -7,20 +7,18 @@ ARG GID=1000
 FROM python:3.12-alpine AS base
 USER root
 
-RUN apk update && \
+RUN apk upgrade --no-cache && \
-    apk upgrade
+    apk add --no-cache su-exec	
-RUN apk add --no-cache su-exec	
 
 #
 # second stage for building wheels packages
 FROM base as builder
 
-RUN apk add --no-cache build-base && \
-    python -m pip install --no-cache-dir -U pip wheel
-
 # copy the dependencies file to the root dir and install requirements
 COPY ./requirements.txt /root/
-RUN python -OO -m pip wheel --no-cache-dir --wheel-dir=/root/wheels -r /root/requirements.txt
+RUN apk add --no-cache build-base && \
+    python -m pip install --no-cache-dir -U pip wheel && \
+    python -OO -m pip wheel --no-cache-dir --wheel-dir=/root/wheels -r /root/requirements.txt
 
 
 #
@@ -47,12 +45,13 @@ ENV HOME=/home/$SERVICE_NAME
 
 VOLUME ["/home/$SERVICE_NAME/log", "/home/$SERVICE_NAME/config"]
 
-# install the requirements from the wheels packages from the builder stage
+# install the requirements from the wheels packages from the builder stage 
+# and unistall python packages and alpine package manger to reduce attack surface
 COPY --from=builder /root/wheels /root/wheels
 RUN python -m pip install --no-cache --no-index /root/wheels/* && \
-    rm -rf /root/wheels
+    rm -rf /root/wheels && \
-
+    python -m pip uninstall --yes setuptools wheel pip && \
-RUN apk --purge del apk-tools
+    apk --purge del apk-tools
 
 # copy the content of the local src and config directory to the working directory
 COPY --chmod=0700 entrypoint.sh /root/entrypoint.sh