https://prefect.io logo
Title
o

Ofir

05/15/2023, 9:17 PM
The Prefect base image doesn’t pass Snyk Docker vulnerabilities check, any ideas? When scanning the base image with Snyk I find this vulnerability:
✗ Critical severity vulnerability found in curl/libcurl3-gnutls
  Description: Cleartext Transmission of Sensitive Information
  Info: <https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3320493>
  Introduced through: git@1:2.30.2-1+deb11u2
  From: git@1:2.30.2-1+deb11u2 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u7
This comes from Prefect’s Dockerfile line 101: https://github.com/PrefectHQ/prefect/blob/main/Dockerfile#L101 Is Git actually needed and used within the Prefect server / Prefect agents? If so, why? Can I remove it or will it break Prefect?
z

Zanie

05/15/2023, 9:18 PM
We do have a note about git just a few lines above https://github.com/PrefectHQ/prefect/blob/main/Dockerfile#L96
Our users expect our base image to be able to do typical workflow orchestration activity which often includes using
git
to retrieve flow run source code.
o

Ofir

05/15/2023, 9:24 PM
Thanks @Zanie! under what circumstances is
git
being called?
We have a rather simple deployment and workflow that we deploy with:
prefect deployments build \
    our_workflow.py:run_our_workflow \
    --name run_our_workflow \
    --path /usr/src/app \
    --work-queue test \
    --skip-upload \
    --apply
z

Zanie

05/15/2023, 9:27 PM
There it's not used
o

Ofir

05/15/2023, 9:27 PM
And then trigger them via REST API:
/v1/deployments/flow-run/create_flow_run
So when is
git
used?
z

Zanie

05/15/2023, 9:28 PM
We need to account for the majority of our users with our container image though. If you don't need git you can derive an image with it removed.
When the deployment pulls code from a git repository
For example you could see the git project recipe
o

Ofir

05/15/2023, 9:29 PM
Thanks! could you please attach a link to it?
I would love to see and learn this type of usage
z

Zanie

05/15/2023, 9:30 PM
I'm on my phone! It shouldn't be hard to find in our docs or I'll link when I'm back.
@Zanie that was very helpful and a very prompt response 🙂
thank you for that
On a separate note I would love to hear what is a compelling reason to use projects, it looks like it’s a beta feature according to the documentation so when do simple Deployments won’t cut it that I should turn to using Projects?
I’ll follow up on the official docs and code samples but would love to learn real world applications if it’s possible. Thanks!
z

Zanie

05/16/2023, 2:16 PM
Projects are intended to be a more user friendly way to create deployments. They’re intended to replace the existing deployment build tooling eventually.
There’s an example of using Docker to pull code from git at https://docs.prefect.io/latest/tutorials/projects/#dockerized-deployment — I don’t have any real world repositories to link to but you could try asking in the community!