fix: upgrade libcurl and busybox from Alpine edge to fix Wiz scan CVEs

aarthy-dk · claude · aarthy-dk · commit 34f31fc86d1c · 2026-04-02T19:22:08.000-04:00
Upgrade libcurl 8.17.0-r1 → 8.19.0-r0 and busybox 1.37.0-r30 →
1.37.0-r31 from Alpine edge repository. libcurl cannot be removed
as librdkafka depends on it; upgrading resolves all 13 OS package
findings (1 HIGH, 11 MEDIUM, 1 LOW) from the customer's second
Wiz security scan.

Ref: OBS-2001

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/deploy/docker/observability-be.dockerfile b/deploy/docker/observability-be.dockerfile
@@ -33,7 +33,9 @@ RUN python3 -O -m pip install --no-deps /tmp/dk --prefix=/dk
 FROM ${BASE_IMAGE_URL}python:3.13-alpine3.23 AS runtime-image
 
 RUN apk update && apk upgrade && apk add --no-cache librdkafka=2.12.1-r0 \
-    && apk del curl libcurl \
+    && apk del curl \
+    && apk upgrade --no-cache libcurl busybox busybox-binsh ssl_client \
+        --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main \
     && pip install --no-cache-dir --upgrade pip
 
 # Grab the pre-built app from the build-image. This way we don't have
