Packages in the Semgrep docker image
Packages
In addition to the semgrep binary, the semgrep/semgrep:latest docker image contains the following packages:
- bash
- jq
- curl
- Python 3.11 (3.11-alpine base image)
The Python 3.11 docker image includes additional packages (for example, ncurses) that can change without notice. To review them, see the following links:
- Dockerfile for Python 3.11-alpine, where you can see the list of packages added to the image.
- Python docker hub page
caution
- Do not rely on the presence of packages from the Python 3.11 docker image in your CI workflows. They are not guaranteed to be included in the future and are not managed by Semgrep.
- jq and curl may be removed in future Semgrep releases. You can install them directly in the docker image. For example:
job:
  container: semgrep/semgrep:develop
  runs-on: ubuntu-latest-16-core
  steps:
    - uses: actions/checkout@v3
    - name: Install dependencies
      run: apk add bash jq curl
    - run: semgrep scan --json ... | jq ...
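As an added example (not part of the Semgrep documentation), the following POSIX sh preflight checks which helper tools are on PATH and installs only the missing ones with apk, failing the step if they cannot be provided. It assumes each package name matches its command name, which holds for bash, jq and curl; the function names and the script name `ensure-tools.sh` are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for CI helper tools in an Alpine-based image.
# Written for POSIX sh because bash itself is one of the packages that may be absent.
# Assumption: each apk package name equals the command name (true for bash, jq, curl).

# Print the subset of the given tool names that are not on PATH, space-separated.
missing_tools() {
    missing=""
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            missing="${missing:+$missing }$tool"
        fi
    done
    printf '%s' "$missing"
}

# Install whatever is missing with apk, then re-check.
# Returns 0 when every tool is available, 1 otherwise.
ensure_tools() {
    need=$(missing_tools "$@")
    [ -z "$need" ] && return 0
    if ! command -v apk >/dev/null 2>&1; then
        echo "missing: $need (apk not available to install them)" >&2
        return 1
    fi
    echo "installing missing tools: $need" >&2
    # $need is intentionally unquoted so each name becomes its own argument.
    # shellcheck disable=SC2086
    apk add --no-cache $need >&2 || return 1
    still=$(missing_tools "$@")
    if [ -n "$still" ]; then
        echo "still missing after install: $still" >&2
        return 1
    fi
    return 0
}

# Hypothetical invocation from a CI step: sh ensure-tools.sh bash jq curl
if [ "$#" -gt 0 ]; then
    ensure_tools "$@"
fi
```

Running it as the first step of a job makes a removed package show up as one clear failure instead of a broken pipeline several steps later.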
Previous incidents
- Semgrep v.1.66.0 removed bash, jq, and curl to reduce the attack surface of the Semgrep docker image. They were subsequently re-added for future Semgrep releases.