From 298e927bfb9d501d8ec834d8c588475d70ec55b3 Mon Sep 17 00:00:00 2001
From: Liam Byrne
Date: Wed, 22 Oct 2025 14:27:08 +1300
Subject: [PATCH] Use a scratch based image to limit vulnerabilities

The alpine base image isn't needed as the statically linked go binary runs fine without it. Using a scratch based image reduces the number of vulnerabilities brought up by scanning tools in the alpine image, and makes the image a bit smaller.

Signed-off-by: Liam Byrne
---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 19fcbeafd..bd74ad1ff 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,9 @@ COPY script script
 RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/ratelimit -ldflags="-w -s" -v github.com/envoyproxy/ratelimit/src/service_cmd
-FROM alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS final
+FROM alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS cacerts
 RUN apk --no-cache add ca-certificates && apk --no-cache update
+
+FROM scratch
+COPY --from=cacerts /etc/ssl/cert.pem /etc/ssl/cert.pem
 COPY --from=build /go/bin/ratelimit /bin/ratelimit
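Review bot: The new `FROM scratch` stage sets no `USER`, so the binary still runs as UID 0; scratch has no /etc/passwd, but a numeric ID works, e.g. `USER 65532:65532` after the final `COPY`, assuming the service binds only unprivileged ports and needs no writable paths. The stage also drops the `AS final` name the alpine stage carried, so any build that uses `--target final` would stop resolving; `FROM scratch AS final` keeps it. In the `cacerts` stage the trailing `&& apk --no-cache update` no longer affects the shipped image and can be removed. Since the image now has no shell, it is worth confirming that nothing downstream (compose files, health checks) execs `sh` inside it.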