The Prefect base image doesn’t pass Snyk Docker vu...
# prefect-community
The Prefect base image doesn’t pass Snyk Docker vulnerabilities check, any ideas? When scanning the base image with Snyk I find this vulnerability:
Copy code
✗ Critical severity vulnerability found in curl/libcurl3-gnutls
  Description: Cleartext Transmission of Sensitive Information
  Info: <>
  Introduced through: git@1:2.30.2-1+deb11u2
  From: git@1:2.30.2-1+deb11u2 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u7
This comes from Prefect’s Dockerfile line 101: Is Git actually needed and used within the Prefect server / Prefect agents? If so, why? Can I remove it or will it break Prefect?
We do have a note about git just a few lines above
Our users expect our base image to be able to do typical workflow orchestration activity which often includes using
to retrieve flow run source code.
Thanks @Zanie! under what circumstances is
being called?
We have a rather simple deployment and workflow that we deploy with:
Copy code
prefect deployments build \ \
    --name run_our_workflow \
    --path /usr/src/app \
    --work-queue test \
    --skip-upload \
There it's not used
And then trigger them via REST API:
Copy code
So when is
We need to account for the majority of our users with our container image though. If you don't need git you can derive an image with it removed.
When the deployment pulls code from a git repository
For example you could see the git project recipe
Thanks! could you please attach a link to it?
I would love to see and learn this type of usage
I'm on my phone! It shouldn't be hard to find in our docs or I'll link when I'm back.
@Zanie that was very helpful and a very prompt response 🙂
thank you for that
On a separate note I would love to hear what is a compelling reason to use projects, it looks like it’s a beta feature according to the documentation so when do simple Deployments won’t cut it that I should turn to using Projects?
I’ll follow up on the official docs and code samples but would love to learn real world applications if it’s possible. Thanks!
Projects are intended to be a more user friendly way to create deployments. They’re intended to replace the existing deployment build tooling eventually.
There’s an example of using Docker to pull code from git at — I don’t have any real world repositories to link to but you could try asking in the community!