Improve codegen Docker image security without breaking protoc/mockgen

[Okabe-Junya]

What would you like to be added:

Reduce the attack surface of the codegen Docker image while maintaining compatibility with protoc and mockgen.

The current codegen image (tool/codegen/Dockerfile) uses golang:1.25.2 as the base image.
#6402 triedto use debian:bookworm-slim to reduce the image size and address curl-related CVEs, but was reverted in #6404 due to:

1. Missing google/protobuf/*.proto files required by protoc
2. mockgen requiring go command at runtime

Why is this needed:

• Address CVEs flagged by Snyk
• Reduce unnecessary dependencies in the codegen image

Possible approaches:

• Separate protoc and mockgen into different stages or images

(I think just bumping Go or remove some dependencies are just hack)

ref. #6402, #6404

[Okabe-Junya]

cc @khanhtc1202

[mohammedfirdouss]

@Okabe-Junya Will this be added to the community meeting next week or can I work on this?

I'm happy to help out here if needed.

[Okabe-Junya]

I don't have time/plan to work on this topic soon, so help is welcome.

Feel free to add it to the agenda and handle it :)

[mohammedfirdouss]

I don't have time/plan to work on this topic soon, so help is welcome.

Feel free to add it to the agenda and handle it :)

No problem @Okabe-Junya, thanks :)

[mohammedfirdouss]

Plan: Codegen Docker Image Security

Problem

• Current base image golang:1.25.2 has CVEs (curl-related) flagged by Snyk
• Image is larger than necessary
• PR Refactor Codegen Dockerfile #6402 attempted debian:bookworm-slim but was reverted (Revert "Refactor Codegen Dockerfile" #6404) due to:
  • Missing google/protobuf/*.proto files for protoc
  • mockgen requires go command at runtime

Goals

• Reduce CVEs (Snyk scan)
• Minimize image size
• Maintain protoc and mockgen compatibility

Approach: Multi-Stage Build

FROM golang:1.25.2 AS builder       # Build all protoc plugins
FROM golang:1.25.2 AS go-runtime    # Extract minimal Go runtime
FROM debian:bookworm-slim AS final  # Minimal runtime image

Constraints

• Must support x86_64 and aarch64 (protoc-gen-js)
• Go toolchain is large; expect some size overhead for mockgen support

[eeshaanSA]

@mohammedfirdouss, any progress with this? 🫢

[mohammedfirdouss]

@mohammedfirdouss, any progress with this? 🫢

@eeshaanSA Yupp, i am still working on it, i havent pushed my branch yet