While I understand the convenience of shipping docker images based on the upstream rust images, it does make ensuring that the right images are used in this era of supply chain attacks more difficult. Would you consider shipping a minimal docker image that only contains the `cargo-chef` binary, to be explicitly copied into some other potentially hardened build images provided by a third party using something like

```dockerfile
COPY --from=LukeMathWalker/cargo-chef:bin-only /cargo-chef /bin/cargo-chef
```
I have experimented with the following and it seems to work:

```dockerfile
FROM rust:slim-trixie AS build
WORKDIR /build
COPY . .
RUN cargo build --release

FROM scratch
COPY --from=build /build/target/release/cargo-chef /cargo-chef
```
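One way a separately maintained, hardened builder could consume such a bin-only image, written here as an added example rather than anything shipped by the cargo-chef project; the `example.internal/hardened-rust` image, the `@sha256:` digests and the install path are placeholders:

```dockerfile
# Added example (not from the cargo-chef project): consume a hypothetical
# bin-only cargo-chef image from a separately hardened builder image.
# Image references and digests below are placeholders, not real values.

# Pin both images by digest rather than by tag, so that a tag being
# re-pointed upstream cannot silently change what ends up in the build.
ARG CHEF_IMAGE=LukeMathWalker/cargo-chef:bin-only@sha256:<placeholder-digest>
ARG BUILDER_IMAGE=example.internal/hardened-rust:1.0@sha256:<placeholder-digest>

FROM ${CHEF_IMAGE} AS chef-bin
# This stage holds nothing but the cargo-chef binary.

FROM ${BUILDER_IMAGE} AS planner
WORKDIR /app
# Copy only the single binary, not the whole filesystem of the source image.
COPY --from=chef-bin /cargo-chef /usr/local/bin/cargo-chef
COPY . .
RUN cargo chef prepare --recipe-path recipe.json

FROM ${BUILDER_IMAGE} AS builder
WORKDIR /app
COPY --from=chef-bin /cargo-chef /usr/local/bin/cargo-chef
# Build only the dependency layer from the recipe first, so it is cached
# independently of the application sources.
COPY --from=planner /app/recipe.json recipe.json
RUN cargo chef cook --release --recipe-path recipe.json
COPY . .
RUN cargo build --release
```

A binary built on `rust:slim-trixie` with the default target is dynamically linked against glibc, so the hardened builder needs a compatible libc (or the bin-only image should be built for a musl target) for the copied binary to run.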