feat(ci): use tykio/dhi-busybox:1.37-fips as base image for Docker builds

buger · claude · buger · commit c664bf2062b0 · 2026-02-11T16:25:36.000Z
Replace the debian-based and distroless base images with
tykio/dhi-busybox:1.37-fips for amd64 and arm64 architectures.
Both Dockerfiles now use a multi-stage build: a Debian stage extracts
the .deb package, then the final stage uses the FIPS-compliant
busybox base image. s390x retains the original fallback images since
no FIPS base is available for that architecture.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/ci/Dockerfile.distroless b/ci/Dockerfile.distroless
@@ -10,7 +10,14 @@ ENV DEBIAN_FRONTEND=noninteractive
 COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /
 RUN dpkg -i /${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb && rm /*.deb
 
-FROM gcr.io/distroless/base-debian12:latest
+# FIPS base for amd64/arm64
+FROM tykio/dhi-busybox:1.37-fips AS base-amd64
+FROM tykio/dhi-busybox:1.37-fips AS base-arm64
+# Fallback for s390x (no FIPS base available)
+FROM gcr.io/distroless/base-debian12:latest AS base-s390x
+
+FROM base-${TARGETARCH}
+ARG TARGETARCH
 
 COPY --from=deb /opt/tyk-gateway /opt/tyk-gateway
 
diff --git a/ci/Dockerfile.std b/ci/Dockerfile.std
@@ -1,28 +1,24 @@
 # Generated by: gromit policy
 
-FROM debian:trixie-slim
+FROM debian:trixie-slim AS deb
 ARG TARGETARCH
 ARG BUILD_PACKAGE_NAME
 
 ENV DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update \
-    && apt-get dist-upgrade -y ca-certificates
+COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb /
+RUN dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb && rm /*.deb
 
-# Remove some things to decrease CVE surface
-RUN dpkg --purge --force-remove-essential curl ncurses-base || true
-RUN rm -fv /usr/bin/passwd /usr/sbin/adduser || true
+# FIPS base for amd64/arm64
+FROM tykio/dhi-busybox:1.37-fips AS base-amd64
+FROM tykio/dhi-busybox:1.37-fips AS base-arm64
+# Fallback for s390x (no FIPS base available)
+FROM debian:trixie-slim AS base-s390x
 
-# Comment this to test in dev
-COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb /
-RUN dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb && find / -maxdepth 1 -name "*.deb" -delete
-
-# Clean up caches, unwanted .a and .o files
-RUN rm -rf /root/.cache \
-    && apt-get -y autoremove \
-    && apt-get clean \
-    && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \
-    && find /usr/lib -type f -name '*.a' -o -name '*.o' -delete
+FROM base-${TARGETARCH}
+ARG TARGETARCH
+
+COPY --from=deb /opt/tyk-gateway /opt/tyk-gateway
 
 ARG PORTS
 
