Packages in the Semgrep docker image

Packages

In addition to the semgrep binary, the semgrep/semgrep:latest docker image contains the following packages:

• bash
• jq
• curl
• Python 3.11 (3.11-alpine base image)

The Python 3.11 docker includes additional packages (for example, ncurses) that can change without notice. To review them, see the following links:

• Dockerfile for Python 3.11-alpine, where you can see the list of packages added to the image.
• Python docker hub page

caution

• Do not rely on the presence of packages from the Python 3.11 docker image in your CI workflows. They are not guaranteed to be included in the future and are not managed by Semgrep.
• jq and curl may be removed in future Semgrep releases. You can install them directly in the docker image. For example:

  job:
    container: semgrep/semgrep:develop
    runs-on: ubuntu-latest-16-core
    steps:
      - uses: actions/checkout@v3
      - name: Install dependencies
        run: apk add bash jq curl
      - run: semgrep scan --json ... | jq ...

Previous incidents

• Semgrep v.1.66.0 removed bash, jq, and curl to reduce the attack surface of the Semgrep docker image. They were subsequently re-added for future Semgrep releases.