# deployment-ecs
r
We pull-thru cache the `dagster/dagster-cloud-agent:1.2.4` agent in our private ECR. Amazon Inspector is flagging a bunch of vulnerabilities. How often does dagster rebuild tagged images on top of the latest base image to incorporate security patches?
m
not a fan personally of ecr scans. can't flag things as "safe" and can't ignore all but critical CVEs
I've updated base images to use latest patched libs and the ecr scanner didn't detect it properly for weeks
r
we track them in a spreadsheet and mark as safe after investigating
m
yeeah
r
we're in healthcare so have a bunch of HITRUST rules we have to follow even if they aren't always useful/helpful
m
same lol
d
The base image is just python3.8:slim and it’s rebuilt on each release, so I’d expect any CVEs to be quite recent - I can double check the scan on our side but is that different than what you’re seeing?
r
we were expecting to be able to depend on a specific tag like 1.2.4 and continue to receive base image updates. But it sounds like we will need to upgrade to a later tag - which I assume also changes the agent code itself to get security fixes? (which is more risky I guess)
d
we don't currently go back and rebuild agent image tags from previous releases. This is all that the agent Dockerfile needs fwiw, so rebuilding it yourself at 1.2.4 would be as simple as:
FROM python:3.8-slim

RUN pip install dagster-cloud[ecs]==1.2.4

CMD ["/bin/bash", "-c", "dagster-cloud agent run"]
r
thanks, we may do that then