fix: swap UV base images to public.ecr.aws Python (trixie) for patched OpenSSL

[tejaskash]

Summary

Replaces ghcr.io/astral-sh/uv:python<ver>-bookworm-slim with public.ecr.aws/docker/library/python:<ver>-slim-trixie across 22 Dockerfiles, and copies the uv/uvx binaries in via COPY --from=ghcr.io/astral-sh/uv:latest.

Why

The bookworm base ships an OpenSSL build affected by a CVE. Debian 13 (trixie) ships the patched OpenSSL (verified 3.5.5, 27 Jan 2026 inside the built image).

What's preserved

• Per-Dockerfile Python minor versions are kept as-is (3.11 / 3.12 / 3.13 / 3.14) so dependency resolution doesn't drift.
• --platform=linux/arm64 prefixes are preserved where present (SRE-agent/Dockerfile, end-to-end-customer-service-agent/cx-agent-backend/Dockerfile) — public.ecr.aws/docker/library/python is multi-arch.
• uv pip install / uv sync flows continue to work because uv is still on PATH via the multi-stage COPY.

Files changed

22 Dockerfiles under 01-tutorials/, 02-use-cases/, 03-integrations/, and 05-blueprints/.

Test plan

Verified end-to-end on the riskiest Dockerfile — 03-integrations/agentic-frameworks/claude-agent/claude-sdk/Dockerfile — because it exercises the most surface (trixie base + NodeSource apt install for nodejs + uv pip install + Python 3.11 — the largest OS jump from bookworm).

• docker build succeeds
• Base image is Debian 13 trixie (PRETTY_NAME="Debian GNU/Linux 13 (trixie)")
• OpenSSL is patched: OpenSSL 3.5.5 27 Jan 2026
• Python version preserved: Python 3.11.15
• uv / uvx resolve on PATH (uv 0.11.11)
• uv pip install -r requirements.txt succeeds
• NodeSource setup_lts.x + apt-get install nodejs works on trixie (node 24.15)
• npm install -g @anthropic-ai/claude-code succeeds
• Container starts and reports healthy
• GET /ping → {"status":"Healthy", ...}

Remaining Dockerfiles use the same (or a strict subset of the) pattern — same uv env vars, same uv pip install flow, most without any apt-get layer — so they should inherit the same result.

Notes / tradeoffs

• ghcr.io/astral-sh/uv:latest is unpinned. If reviewers prefer a pinned uv version (e.g. uv:0.11.11 or another tag), happy to pin.
• SRE-agent/Dockerfile uses uv sync --frozen against uv.lock. The lockfile is tied to Python 3.12, which is preserved — no lockfile regeneration required.

[github-actions]

Latest scan for commit: 31a9b75 | Updated: 2026-05-08 20:57:56 UTC

Security Scan Results

Scan Metadata

• Project: ASH
• Scan executed: 2026-05-08T20:54:44+00:00
• ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

• Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
• Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
• High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
• Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
• Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
• Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

• Time: Duration taken by each scanner to complete its analysis
• Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

• PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
• FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
• MISSING: Scanner could not run because required dependencies/tools are not installed or available
• SKIPPED: Scanner was intentionally disabled or excluded from this scan
• ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

• CRITICAL: Only Critical severity findings cause scanner to fail
• HIGH: High and Critical severity findings cause scanner to fail
• MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
• LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
• ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

• (g) = global: Set in the global_settings section of ASH configuration
• (c) = config: Set in the individual scanner configuration section
• (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

• All statistics are calculated from the final aggregated SARIF report
• Suppressed findings are counted separately and do not contribute to actionable findings
• Scanner status is determined by comparing actionable findings to the threshold

Scanner	S	C	H	M	L	I	Time	Action	Result	Thresh
bandit	0	0	0	0	0	0	755ms	0	PASSED	MED (g)
cdk-nag	0	0	0	0	0	0	29.6s	0	PASSED	MED (g)
cfn-nag	0	0	0	0	0	0	6ms	0	PASSED	MED (g)
checkov	0	15	0	0	0	0	5.7s	15	FAILED	MED (g)
detect-secrets	0	0	0	0	0	0	722ms	0	PASSED	MED (g)
grype	0	0	0	0	0	0	46.2s	0	PASSED	MED (g)
npm-audit	0	0	0	0	0	0	169ms	0	PASSED	MED (g)
opengrep	0	0	0	0	0	0	<1ms	0	SKIPPED	MED (g)
semgrep	0	0	0	0	0	0	<1ms	0	MISSING	MED (g)
syft	0	0	0	0	0	0	2.1s	0	PASSED	MED (g)

Detailed Findings

Show 15 actionable findings

Finding 1: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 02-use-cases/customer-support-assistant-vpc/agent/Dockerfile:1-37

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

# Environment variables
ENV UV_SYSTEM_PYTHON=1 \
    UV_COMPILE_BYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    AWS_REGION=us-west-2 \
    AWS_DEFAULT_REGION=us-west-2 \
    DOCKER_CONTAINER=1

# Install system dependencies required by psycopg / libpq
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
    gcc \
    python3-dev \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Copy requirements file
COPY requirements.txt requirements.txt

# Install Python dependencies
RUN uv pip install --no-cache-dir -r requirements.txt && \
    uv pip install --no-cache-dir aws-opentelemetry-distro>=0.10.1 && \
    uv pip install --no-cache-dir awslabs-postgres-mcp-server

# Copy your project files
COPY . .

# Expose application ports
EXPOSE 8080 8000

# Use the OpenTelemetry instrumented Python command as the main CMD
CMD ["opentelemetry-instrument", "python", "-m", "main"]

---

Finding 2: CKV_DOCKER_3

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_3
• Location: 02-use-cases/customer-support-assistant-vpc/agent/Dockerfile:1-37

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

# Environment variables
ENV UV_SYSTEM_PYTHON=1 \
    UV_COMPILE_BYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    AWS_REGION=us-west-2 \
    AWS_DEFAULT_REGION=us-west-2 \
    DOCKER_CONTAINER=1

# Install system dependencies required by psycopg / libpq
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
    gcc \
    python3-dev \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Copy requirements file
COPY requirements.txt requirements.txt

# Install Python dependencies
RUN uv pip install --no-cache-dir -r requirements.txt && \
    uv pip install --no-cache-dir aws-opentelemetry-distro>=0.10.1 && \
    uv pip install --no-cache-dir awslabs-postgres-mcp-server

# Copy your project files
COPY . .

# Expose application ports
EXPOSE 8080 8000

# Use the OpenTelemetry instrumented Python command as the main CMD
CMD ["opentelemetry-instrument", "python", "-m", "main"]

---

Finding 3: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 05-blueprints/customer-support-agent-with-agentcore/Dockerfile:1-40

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
WORKDIR /app

# All environment variables in one layer
ENV UV_SYSTEM_PYTHON=1 \
    UV_COMPILE_BYTECODE=1 \
    UV_NO_PROGRESS=1 \
    PYTHONUNBUFFERED=1 \
    DOCKER_CONTAINER=1



COPY pyproject.toml pyproject.toml
# Install from requirements file
RUN uv pip install -r pyproject.toml




RUN uv pip install aws-opentelemetry-distro==0.12.2


# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 9000
EXPOSE 8000
EXPOSE 8080

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["opentelemetry-instrument", "python", "-m", "src.main"]

---

Finding 4: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 03-integrations/agentic-frameworks/claude-agent/claude-with-code-interpreter/Dockerfile:1-45

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.11-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

ENV UV_SYSTEM_PYTHON=1 \
    UV_PROJECT_ENVIRONMENT="/usr/local/" \
    UV_COMPILE_BYTECODE=1 \
    DOCKER_CONTAINER=1 \
    UV_NO_PROGRESS=1 \
    PYTHONUNBUFFERED=1 \
    CLAUDE_CODE_USE_BEDROCK=1 

# Set working directory
WORKDIR /app

RUN apt-get update && \
    apt-get install -y curl && \
    curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
    apt-get install -y nodejs

# Verify installation (optional)
RUN node -v && npm -v

RUN npm install -g @anthropic-ai/claude-code

# Copy dependency files (support both pyproject.toml and requirements.txt)
# Copy uv files
COPY pyproject.toml uv.lock ./

# Install dependencies (including strands-agents)
RUN uv sync --frozen --no-cache

# Copy and install the agent source code itself:
COPY . .
RUN uv sync --no-dev

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 9000
EXPOSE 8000
EXPOSE 8080

# Run application
CMD ["opentelemetry-instrument", "python", "-m", "agent"]

---

Finding 5: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 02-use-cases/SRE-agent/Dockerfile:1-25

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM --platform=linux/arm64 public.ecr.aws/docker/library/python:3.12-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

WORKDIR /app

# Copy uv files
COPY pyproject.toml uv.lock ./

# Install dependencies
RUN uv sync --frozen --no-dev

# Copy SRE agent module
COPY sre_agent/ ./sre_agent/

# Set environment variables
# Note: Set DEBUG=true to enable debug logging and traces
ENV PYTHONPATH="/app" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Expose port
EXPOSE 8080

# Run application with OpenTelemetry instrumentation
CMD ["uv", "run", "opentelemetry-instrument", "uvicorn", "sre_agent.agent_runtime:app", "--host", "0.0.0.0", "--port", "8080"]

---

Finding 6: CKV_DOCKER_3

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_3
• Location: 02-use-cases/SRE-agent/Dockerfile:1-25

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM --platform=linux/arm64 public.ecr.aws/docker/library/python:3.12-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

WORKDIR /app

# Copy uv files
COPY pyproject.toml uv.lock ./

# Install dependencies
RUN uv sync --frozen --no-dev

# Copy SRE agent module
COPY sre_agent/ ./sre_agent/

# Set environment variables
# Note: Set DEBUG=true to enable debug logging and traces
ENV PYTHONPATH="/app" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Expose port
EXPOSE 8080

# Run application with OpenTelemetry instrumentation
CMD ["uv", "run", "opentelemetry-instrument", "uvicorn", "sre_agent.agent_runtime:app", "--host", "0.0.0.0", "--port", "8080"]

---

Finding 7: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 02-use-cases/A2A-multi-agent-incident-response/monitoring_strands_agent/Dockerfile:1-42

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
WORKDIR /app

# All environment variables in one layer
ENV UV_SYSTEM_PYTHON=1 \
    UV_COMPILE_BYTECODE=1 \
    UV_NO_PROGRESS=1 \
    PYTHONUNBUFFERED=1 \
    DOCKER_CONTAINER=1 \
    AWS_REGION=us-west-2 \
    AWS_DEFAULT_REGION=us-west-2



COPY requirements.txt requirements.txt
# Install from requirements file
RUN uv pip install -r requirements.txt




RUN uv pip install aws-opentelemetry-distro>=0.10.1


# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 9000
EXPOSE 8000
EXPOSE 8080

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["opentelemetry-instrument", "python", "-m", "main"]

---

Finding 8: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 01-tutorials/06-AgentCore-observability/03-advanced-concepts/03-agentops/02-langfuse/Dockerfile:1-40

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.12-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
WORKDIR /app

# All environment variables in one layer
ENV UV_SYSTEM_PYTHON=1 \
    UV_COMPILE_BYTECODE=1 \
    UV_NO_PROGRESS=1 \
    PYTHONUNBUFFERED=1 \
    DOCKER_CONTAINER=1 \
    AWS_REGION=us-west-2 \
    AWS_DEFAULT_REGION=us-west-2



COPY agents/requirements.txt agents/requirements.txt
# Install from requirements file
RUN uv pip install -r agents/requirements.txt





# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 9000
EXPOSE 8000
EXPOSE 8080

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["python", "-m", "agents.strands_claude"]

---

Finding 9: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 02-use-cases/A2A-multi-agent-incident-response/web_search_openai_agents/Dockerfile:1-42

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
WORKDIR /app

# All environment variables in one layer
ENV UV_SYSTEM_PYTHON=1 \
    UV_COMPILE_BYTECODE=1 \
    UV_NO_PROGRESS=1 \
    PYTHONUNBUFFERED=1 \
    DOCKER_CONTAINER=1 \
    AWS_REGION=us-west-2 \
    AWS_DEFAULT_REGION=us-west-2



COPY requirements.txt requirements.txt
# Install from requirements file
RUN uv pip install -r requirements.txt




RUN uv pip install aws-opentelemetry-distro>=0.10.1


# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 9000
EXPOSE 8000
EXPOSE 8080

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["opentelemetry-instrument", "python", "-m", "main"]

---

Finding 10: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/Dockerfile:1-41

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
WORKDIR /app

# Configure UV for container environment
ENV UV_SYSTEM_PYTHON=1 UV_COMPILE_BYTECODE=1



COPY requirements.txt requirements.txt
# Install from requirements file
RUN uv pip install -r requirements.txt




RUN uv pip install aws-opentelemetry-distro>=0.10.1


# Set AWS region environment variable

ENV AWS_REGION=us-west-2
ENV AWS_DEFAULT_REGION=us-west-2


# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 8080
EXPOSE 8000

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["opentelemetry-instrument", "python", "-m", "main"]

---

Finding 11: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 03-integrations/AgentOps-Langfuse/Dockerfile:1-40

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.12-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
WORKDIR /app

# All environment variables in one layer
ENV UV_SYSTEM_PYTHON=1 \
    UV_COMPILE_BYTECODE=1 \
    UV_NO_PROGRESS=1 \
    PYTHONUNBUFFERED=1 \
    DOCKER_CONTAINER=1 \
    AWS_REGION=us-west-2 \
    AWS_DEFAULT_REGION=us-west-2



COPY agents/requirements.txt agents/requirements.txt
# Install from requirements file
RUN uv pip install -r agents/requirements.txt





# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 9000
EXPOSE 8000
EXPOSE 8080

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["python", "-m", "agents.strands_claude"]

---

Finding 12: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 01-tutorials/01-AgentCore-runtime/10-managed-session-storage/Dockerfile:1-37

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.14-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

WORKDIR /app

# All environment variables in one layer
ENV UV_SYSTEM_PYTHON=1 \
    UV_COMPILE_BYTECODE=1 \
    UV_NO_PROGRESS=1 \
    PYTHONUNBUFFERED=1 \
    DOCKER_CONTAINER=1 \
    AWS_REGION=us-west-2 \
    AWS_DEFAULT_REGION=us-west-2

COPY requirements.txt requirements.txt
# Install from requirements file
RUN uv pip install -r requirements.txt

#RUN uv pip install aws-opentelemetry-distro==0.12.2
RUN uv pip install aws-opentelemetry-distro

# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore
EXPOSE 9000
EXPOSE 8000
EXPOSE 8080

# Copy resources
COPY ./persistent-notes ./persistent-notes
COPY main.py .

# Use the full module path
CMD ["opentelemetry-instrument", "python", "-m", "main"]

---

Finding 13: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 02-use-cases/SRE-agent/Dockerfile.x86_64:1-24

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.12-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

WORKDIR /app

# Copy uv files
COPY pyproject.toml uv.lock ./

# Install dependencies
RUN uv sync --frozen --no-dev

# Copy SRE agent module
COPY sre_agent/ ./sre_agent/

# Set environment variables
ENV PYTHONPATH="/app" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Expose port
EXPOSE 8080

# Run application
CMD ["uv", "run", "uvicorn", "sre_agent.agent_runtime:app", "--host", "0.0.0.0", "--port", "8080"]

---

Finding 14: CKV_DOCKER_3

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_3
• Location: 02-use-cases/SRE-agent/Dockerfile.x86_64:1-24

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.12-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

WORKDIR /app

# Copy uv files
COPY pyproject.toml uv.lock ./

# Install dependencies
RUN uv sync --frozen --no-dev

# Copy SRE agent module
COPY sre_agent/ ./sre_agent/

# Set environment variables
ENV PYTHONPATH="/app" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Expose port
EXPOSE 8080

# Run application
CMD ["uv", "run", "uvicorn", "sre_agent.agent_runtime:app", "--host", "0.0.0.0", "--port", "8080"]

---

Finding 15: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: 02-use-cases/A2A-multi-agent-incident-response/host_adk_agent/Dockerfile:1-47

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
WORKDIR /app

# All environment variables in one layer
ENV UV_SYSTEM_PYTHON=1 \
    UV_COMPILE_BYTECODE=1 \
    UV_NO_PROGRESS=1 \
    PYTHONUNBUFFERED=1 \
    DOCKER_CONTAINER=1 \
    AWS_REGION=us-west-2 \
    AWS_DEFAULT_REGION=us-west-2 \
    GOOGLE_GENAI_USE_VERTEXAI=0



COPY requirements.txt requirements.txt
# Install from requirements file
RUN uv pip install -r requirements.txt




RUN uv pip install aws-opentelemetry-distro>=0.10.1

# Remove GCP logging exporter — it's incompatible with opentelemetry-sdk>=1.33
# (tries to import removed LogData) and is unnecessary on AWS
RUN uv pip uninstall opentelemetry-exporter-gcp-logging


# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 9000
EXPOSE 8000
EXPOSE 8080

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["opentelemetry-instrument", "python", "-m", "main"]

---

Report generated by Automated Security Helper (ASH) at 2026-05-08T20:54:39+00:00