Feb 13, 2020 - Nicole Schwartz

12.9 Alpine Linux image deprecation for Python Dependency Scans

We're excited to announce that we will be making Debian slim the base image for our Python Dependency Scans.

We evaluated changing our base image from Alpine Linux in issue #13694 in order to enhance our Python support, specifically enabling manylinux2010. We have decided to switch to Debian slim in order to make the scanner support more Python projects. You can follow the work in progress in issue #196833.

When will this happen?

Starting with the release of GitLab 12.9 on March 22, 2020, you will no longer get an Alpine-based image for Python dependency scanning. This will impact you even if you are running an older release.

What does this mean for you?

Because the base image will no longer be Alpine, you may need to make modifications if you use Alpine-specific commands such as apk add xyz:

  1. Right before the scan (only if docker-in-docker is disabled) or
  2. When building a variant of the official Docker image

Actions you need to take if you are using Alpine-specific commands

  • If you regularly build your own Docker image on top of gemnasium-python:2, and rely on CI variables like DS_ANALYZER_IMAGES, this will break the next time you try to build the image on top of gemnasium-python:2. It won't break at run-time though. You can build your image on top of gemnasium-python:2.6.0 to work around that.
  • If you have disabled Docker in Docker, and you've set the before_script of the gemnasium-python-dependency_scanning job definition, this will break at run-time when executing the job, unless you override the job definition to explicitly use a gemnasium-python image that was built before switching to Debian, like gemnasium-python:2.6.0.
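
The second case above, sketched as a .gitlab-ci.yml override. This is an added example, not configuration from the original announcement. The registry path and the package names are assumptions, and it assumes Docker in Docker is already disabled for Dependency Scanning.

```yaml
# Added example, not GitLab's own configuration.
include:
  - template: Dependency-Scanning.gitlab-ci.yml

# Option A (the workaround from the announcement): keep the Alpine-specific
# before_script and pin an image that was built before the switch to Debian.
gemnasium-python-dependency_scanning:
  image:
    # Assumed registry path of the official analyzer image.
    name: "registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python:2.6.0"
  before_script:
    # Constructed sample package; stands in for your own `apk add xyz`.
    - apk add --no-cache postgresql-dev

# Option B (port to the Debian slim image): drop the image override and
# replace apk with apt-get. Use this job definition instead of Option A.
# gemnasium-python-dependency_scanning:
#   before_script:
#     - apt-get update
#     - apt-get install -y --no-install-recommends libpq-dev
```

With Option A the job stays on gemnasium-python:2.6.0 and picks up no later analyzer releases until the before_script is ported and the image override is removed.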
