Fix/dependencies conflict and dockerfile image versions

.github/workflows/docker-publish.yml

@@ -32,6 +32,7 @@ jobs:
       # This is used to complete the identity challenge
       # with sigstore/fulcio when running outside of PRs.
       id-token: write
+      pull-requests: write
 
     steps:
       - name: Checkout repository
@@ -82,6 +83,36 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          # make sure to set to load, so the image is available locally for Docker Scout
+          load: ${{ github.event_name == 'pull_request' }}
+
+        # Run Docker Scout to check for vulnerabilities and get recommendations.
+        #     For the latest built image, display:
+
+        # - the vulnerabilities (ignoring the base image, displaying
+        #   all vulnerabilities with a fix available)
+        # - the available recommendations
+        # - compare it to the latest image indexed for the same repository (only
+        #   displaying unchanged packages and vulnerabilities that already have a fix)
+
+      - name: Docker Scout
+        id: docker-scout
+        uses: docker/scout-action@v1
+        if: ${{ github.event_name == 'pull_request' }}
+        with:
+          command: quickview,compare,cves,recommendations
+          # the loaded image from the build
+          image: ${{ steps.meta.outputs.tags }}
+          # the latest image from the registry
+          to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+
+          # Docker Hub credentials for Docker Scout
+          dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }}
+          # ghcr.io credentials for pulling the latest indexed image for comparison in Docker Scout
+          registry-user: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker
@@ -96,4 +127,4 @@ jobs:
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

docker/Dockerfile

@@ -1,16 +1,17 @@
-FROM python:3.13 AS builder
+FROM python:3.13.5 AS builder
 WORKDIR /app
 COPY --chmod=0110 requirements.txt requirements.txt
 
+RUN pip install --upgrade pip setuptools wheel
+RUN pip install --no-cache-dir -r requirements.txt
+
+FROM builder AS deps
 # install curl with soar for health checks
 RUN wget -qO- "https://raw.githubusercontent.com/pkgforge/soar/main/install.sh" | sh
 RUN export PATH="$PATH:/usr/local/bin:/opt/soar/bin"
+RUN soar install curl
 
-RUN soar install curl  
-
-RUN pip install --no-cache-dir -r requirements.txt
-
-FROM gcr.io/distroless/python3-debian13:debug-nonroot AS runtime
+FROM gcr.io/distroless/python3-debian13:nonroot AS runtime
 WORKDIR /
 
 COPY --from=builder /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packages
@@ -22,7 +23,7 @@ COPY --chown=nonroot:nonroot --chmod=0550 ./app ./app
 
 # bring curl to the runtime image for health checks
 # r-- permissions for nonroot user.
-COPY --from=builder --chown=nonroot:nonroot --chmod=0110 /root/.local/share/soar/bin/curl /usr/bin/curl
+COPY --from=deps --chown=nonroot:nonroot --chmod=0110 /root/.local/share/soar/bin/curl /usr/bin/curl
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
     CMD [ "curl", "-f", "http://localhost:8080/" ]

requirements.txt

@@ -1,15 +1,15 @@
-annotated-types==0.6.0
-anyio==4.6.2
-click==8.1.8
 fastapi==0.115.6
-h11==0.14.0
-httptools==0.6.1
-idna==3.10
-pydantic==2.10.3
-pydantic_core==2.27.2
+# annotated-types==0.6.0
+# anyio==4.6.2
+# click==8.1.8
+# h11==0.14.0
+# httptools==0.6.1
+# idna==3.10
+# pydantic==2.10.3
+# pydantic_core==2.27.2
 python-dotenv==1.0.1
-starlette==0.41.0
-typing_extensions==4.12.2
+# starlette==0.41.0
+# typing_extensions==4.12.2
 uvicorn==0.32.1
 uvloop==0.21.0
-watchfiles==0.22.0
+# watchfiles==0.22.0