Open
Description
Build an image using this simple Dockerfile:
FROM public.ecr.aws/lambda/python:3.8
ENTRYPOINT ["tail", "-f", "/dev/null"]
And then execute pip freeze inside the container:
docker build -t test_app .
docker run -d --name test test_app
docker exec test pip freeze
Will show that there's a suspicious-looking package installed:
rapid_client==0.0.0
Since I have done nothing in the Dockerfile, it appears that the package is somehow installed in the base image itself. Although the package in question seems to be empty on PyPI, it's still a risk and should be removed.
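A small check of the kind a reviewer of this report would want: audit captured pip freeze output against an allowlist of packages expected in the base image, flagging anything unexpected, any version drift, and placeholder versions such as 0.0.0. This is an added example, not code from the issue or the base image; the sample freeze output and the allowlist are constructed.

```python
# Added example (not from the issue): audit captured `pip freeze` output
# against an allowlist of packages expected in the base image.
import re

# Constructed sample of `docker exec test pip freeze` output.
SAMPLE_FREEZE = """\
boto3==1.17.100
botocore==1.20.100
rapid_client==0.0.0
somepkg @ file:///opt/wheels/somepkg-1.0-py3-none-any.whl
"""

# Constructed allowlist: name -> pinned version, or None to accept any.
ALLOWLIST = {"boto3": None, "botocore": "1.20.100"}
PLACEHOLDER_VERSIONS = {"0.0.0", "0.0", "0"}

def normalise(name):
    """PEP 503 normalisation so rapid_client and rapid-client compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_freeze(text):
    """Return (name, version_or_ref) pairs from `pip freeze` output."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            entries.append((normalise(name), version))
        elif " @ " in line:  # direct reference to a URL or local wheel
            name, ref = line.split(" @ ", 1)
            entries.append((normalise(name), ref))
        else:  # editable installs and anything else pip prints
            entries.append((normalise(line), "unknown"))
    return entries

def audit(text, allowlist):
    """Flag packages not on the allowlist, version drift, and placeholder versions."""
    allowed = {normalise(k): v for k, v in allowlist.items()}
    findings = []
    for name, version in parse_freeze(text):
        if name not in allowed:
            findings.append(f"unexpected: {name} ({version})")
        elif allowed[name] is not None and allowed[name] != version:
            findings.append(f"drift: {name} {version} != {allowed[name]}")
        if version in PLACEHOLDER_VERSIONS:
            findings.append(f"placeholder version: {name}=={version}")
    return findings
```

Run it in CI against the freeze output of each base image tag you pull; a new unexpected name or a 0.0.0 version is the signal to inspect the image before shipping it.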