From 3bde323c0d81984c61cf85a3fe3bfce2607fdbb0 Mon Sep 17 00:00:00 2001
From: brandonspark
Date: Wed, 23 Jul 2025 15:28:47 -0700
Subject: [PATCH 1/4] factorize semgrep version

---
 Dockerfile | 19 ++++++++++++-------
 pyproject.toml | 2 +-
 uv.lock | 8 +++-----
 3 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 6d338d5..0f56f33 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,13 @@
-# Use a Python image with uv pre-installed
-FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim AS uv
+# Pin to 1.128.1 as a default, but allow it to be overriden in case we
+# want to publish images with different versions of Semgrep.
+ARG BASE_IMAGE=semgrep/semgrep:1.128.1
+
+# Use the Semgrep image, so that we can select which version of
+# Semgrep we want to distribute with.
+FROM ${BASE_IMAGE}
+
+# Add `uv` to the image
+RUN apk update && apk add py3-uv
 
 # Install the project into `/app`
 WORKDIR /app
@@ -22,15 +30,12 @@ ADD . /app
 RUN --mount=type=cache,target=/root/.cache/uv \
 uv pip install .
 
-FROM python:3.13-slim-bookworm
-
-WORKDIR /app
+# need this for `useradd` right after
+RUN apk add shadow
 
 # Create non-root user
 RUN useradd -m app
 
-COPY --from=uv --chown=app:app /app/.venv /app/.venv
-
 # Place executables in the environment at the front of the path
 ENV PATH="/app/.venv/bin:$PATH" \
 PYTHONUNBUFFERED=1
diff --git a/pyproject.toml b/pyproject.toml
index c9b7183..03f0c2e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -37,7 +37,6 @@ classifiers = [
 ]
 dependencies = [
 "mcp>=1.12.0",
- "semgrep>=1.122.0",
 ]
 
 [project.license]
@@ -63,6 +62,7 @@ dev-dependencies = [
 "tomli-w>=1.0.0",
 "pre-commit>=3.0.0",
 "pyright>=1.1.0",
+ "semgrep>=1.122.0",
 ]
 
 [tool.ruff]
diff --git a/uv.lock b/uv.lock
index 3df5c76..0f574b8 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1157,7 +1157,6 @@ version = "0.4.1"
 source = { editable = "." }
 dependencies = [
 { name = "mcp" },
- { name = "semgrep" },
 ]
 
 [package.dev-dependencies]
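Review bot: `RUN apk update && apk add py3-uv` installs an unpinned package and leaves the refreshed apk index inside the layer (hadolint DL3018/DL3019); `RUN apk add --no-cache py3-uv=<PINNED_VERSION>` addresses both, and the same applies to `RUN apk add shadow` in the next hunk. Collapsing the previous two-stage build into a single stage on the Semgrep image also means `uv` and whatever the install steps leave behind now ship in the final image instead of staying in a discarded builder stage; either a comment stating that this is intended, or a final `FROM ${BASE_IMAGE}` stage that copies only `/app` out of a builder stage, would make the trade-off explicit. The default `ARG BASE_IMAGE=semgrep/semgrep:1.128.1` pins a mutable tag; for a reproducible image consider `semgrep/semgrep:1.128.1@sha256:<DIGEST>` as the default while keeping the `--build-arg` override.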
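Review bot: `RUN apk add shadow` pulls in the full shadow suite, which typically includes setuid utilities, only to obtain `useradd`; on an Alpine base the BusyBox `adduser`/`addgroup` applets are already present, so `RUN addgroup -S app && adduser -S -G app app` in place of `RUN apk add shadow` and `RUN useradd -m app` avoids the extra package and the extra layer. With `COPY --from=uv --chown=app:app /app/.venv /app/.venv` removed, `/app` and the venv are now root-owned and only readable by `app`, which is the better least-privilege outcome as long as nothing at runtime writes there; a comment next to the user creation such as `# /app stays root-owned on purpose: the app user only needs read access` would keep a later maintainer from adding a blanket `chown`/`chmod -R`. Whether a `USER app` switch follows is outside this hunk.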
@@ -1168,15 +1167,13 @@ dev = [
 { name = "pytest" },
 { name = "pytest-asyncio" },
 { name = "ruff" },
+ { name = "semgrep" },
 { name = "tomli" },
 { name = "tomli-w" },
 ]
 
 [package.metadata]
-requires-dist = [
- { name = "mcp", specifier = ">=1.12.0" },
- { name = "semgrep", specifier = ">=1.122.0" },
-]
+requires-dist = [{ name = "mcp", specifier = ">=1.12.0" }]
 
 [package.metadata.requires-dev]
 dev = [
@@ -1186,6 +1183,7 @@ dev = [
 { name = "pytest", specifier = ">=8.1.1" },
 { name = "pytest-asyncio", specifier = ">=0.23.0" },
 { name = "ruff", specifier = ">=0.11.4" },
+ { name = "semgrep", specifier = ">=1.122.0" },
 { name = "tomli", specifier = ">=2.0.1" },
 { name = "tomli-w", specifier = ">=1.0.0" },
 ]

From bc604bf6bd4a893b2a0352f8ad3b09aa4af2a9da Mon Sep 17 00:00:00 2001
From: brandonspark
Date: Wed, 23 Jul 2025 16:30:05 -0700
Subject: [PATCH 2/4] alternate method where we just uninstall in docker

---
 Dockerfile | 7 +++++--
 pyproject.toml | 1 +
 uv.lock | 6 +++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 0f56f33..d4ef031 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
-# Pin to 1.128.1 as a default, but allow it to be overriden in case we
+# Use the latest as a default, but allow it to be overriden in case we
 # want to publish images with different versions of Semgrep.
-ARG BASE_IMAGE=semgrep/semgrep:1.128.1
+ARG BASE_IMAGE=semgrep/semgrep:latest
 
 # Use the Semgrep image, so that we can select which version of
 # Semgrep we want to distribute with.
@@ -30,6 +30,9 @@ ADD . /app
 RUN --mount=type=cache,target=/root/.cache/uv \
 uv pip install .
 
+# Uninstall, because we want to use the base image's version of Semgrep.
+RUN uv pip uninstall semgrep
+
 # need this for `useradd` right after
 RUN apk add shadow
 
diff --git a/pyproject.toml b/pyproject.toml
index 03f0c2e..547ce4f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
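Review bot: `ARG BASE_IMAGE=semgrep/semgrep:latest` makes the default build non-reproducible: two builds of the same commit can ship different Semgrep versions, and a floating `:latest` tag is exactly what hadolint DL3007 flags. Since the `ARG` already exists for overriding, keep a pinned default — the previous `ARG BASE_IMAGE=semgrep/semgrep:1.128.1`, or better `ARG BASE_IMAGE=semgrep/semgrep:1.128.1@sha256:<DIGEST>` — and have the release pipeline pass `--build-arg BASE_IMAGE=...` when a different version is wanted. The new comment line also carries a typo, `overriden` → `overridden`.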
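Review bot: `RUN uv pip uninstall semgrep` runs in its own layer after `uv pip install .`, so the pip-installed Semgrep files remain in the preceding layer of the image even though they are gone from the filesystem, and the package's transitive dependencies stay installed in the venv. Running the uninstall in the same `RUN` as the install — `uv pip install . \` followed by `&& uv pip uninstall semgrep` — keeps the second copy out of the image entirely. Because `ENV PATH="/app/.venv/bin:$PATH"` (seen in the first patch, outside this hunk) puts the venv first, using the base image's Semgrep depends on the uninstall actually removing `/app/.venv/bin/semgrep`; a cheap guard such as `RUN test ! -e /app/.venv/bin/semgrep` would fail the build instead of silently shadowing the base image's binary.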
@@ -37,6 +37,7 @@ classifiers = [
 ]
 dependencies = [
 "mcp>=1.12.0",
+ "semgrep>=1.122.0",
 ]
 
 [project.license]
diff --git a/uv.lock b/uv.lock
index 0f574b8..d5a4e53 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1157,6 +1157,7 @@ version = "0.4.1"
 source = { editable = "." }
 dependencies = [
 { name = "mcp" },
+ { name = "semgrep" },
 ]
 
 [package.dev-dependencies]
@@ -1173,7 +1174,10 @@ dev = [
 ]
 
 [package.metadata]
-requires-dist = [{ name = "mcp", specifier = ">=1.12.0" }]
+requires-dist = [
+ { name = "mcp", specifier = ">=1.12.0" },
+ { name = "semgrep", specifier = ">=1.122.0" },
+]
 
 [package.metadata.requires-dev]
 dev = [

From b088c0fcb6591593792010513c7d732e82d1bf9c Mon Sep 17 00:00:00 2001
From: brandonspark
Date: Wed, 23 Jul 2025 16:31:36 -0700
Subject: [PATCH 3/4] remove from dev dependencies

---
 pyproject.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 547ce4f..c9b7183 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -63,7 +63,6 @@ dev-dependencies = [
 "tomli-w>=1.0.0",
 "pre-commit>=3.0.0",
 "pyright>=1.1.0",
- "semgrep>=1.122.0",
 ]
 
 [tool.ruff]

From 90be25238ac8abb725c7d12dc11f00cab4e8407e Mon Sep 17 00:00:00 2001
From: brandonspark
Date: Wed, 23 Jul 2025 16:31:57 -0700
Subject: [PATCH 4/4] update lockfile

---
 uv.lock | 2 --
 1 file changed, 2 deletions(-)

diff --git a/uv.lock b/uv.lock
index d5a4e53..3df5c76 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1168,7 +1168,6 @@ dev = [
 { name = "pytest" },
 { name = "pytest-asyncio" },
 { name = "ruff" },
- { name = "semgrep" },
 { name = "tomli" },
 { name = "tomli-w" },
 ]
@@ -1187,7 +1186,6 @@ dev = [
 { name = "pytest", specifier = ">=8.1.1" },
 { name = "pytest-asyncio", specifier = ">=0.23.0" },
 { name = "ruff", specifier = ">=0.11.4" },
- { name = "semgrep", specifier = ">=1.122.0" },
 { name = "tomli", specifier = ">=2.0.1" },
 { name = "tomli-w", specifier = ">=1.0.0" },
 ]