- fix of trivy errors (docker scan)

- fix of bandit errors (sec scan)

Author: Max Azatian

backend/Dockerfile

@@ -6,11 +6,7 @@ RUN apt-get update && apt-get upgrade -y liblzma-dev liblzma5 xz-utils && \
     apt-get install -y libsnappy-dev && \
     rm -rf /var/lib/apt/lists/*
 
-# Install kubectl v1.32.6 (temporary pin to avoid CVE-2025-47907 until v1.33.5+ is released)
-# Note: v1.32 series is still supported and should work with most K8s clusters
-# TODO: Update to latest stable once kubectl is rebuilt with Go 1.24.6+
-RUN wget -q "https://dl.k8s.io/release/v1.32.6/bin/linux/amd64/kubectl" -O /usr/local/bin/kubectl && \
-    chmod +x /usr/local/bin/kubectl
+## Remove kubectl from runtime image: rely on Python client only
 
 # Install Python dependencies
 COPY requirements.txt .

backend/app/services/k8s_worker/pod_builder.py

@@ -80,7 +80,7 @@ def _build_container(self, command: CreatePodCommandEvent) -> k8s_client.V1Conta
                 k8s_client.V1VolumeMount(name="script-volume", mount_path="/scripts", read_only=True),
                 k8s_client.V1VolumeMount(name="entrypoint-volume", mount_path="/entry", read_only=True),
                 k8s_client.V1VolumeMount(name="output-volume", mount_path="/output"),
-                k8s_client.V1VolumeMount(name="tmp-volume", mount_path="/tmp")
+                k8s_client.V1VolumeMount(name="tmp-volume", mount_path="/tmp")  # nosec B108: K8s EmptyDir mounted inside container; not host /tmp
             ],
             resources=k8s_client.V1ResourceRequirements(
                 requests={"cpu": cpu_request, "memory": memory_request},

backend/requirements.txt

@@ -114,7 +114,7 @@ types-confluent-kafka==1.3.6
 typing_extensions==4.12.2
 urllib3==2.2.3
 uvicorn==0.34.2
-gunicorn==22.0.0
+gunicorn==23.0.0
 websocket-client==1.8.0
 Werkzeug==3.0.4
 wrapt==1.16.0