Use the prebuilt semgrep-core binary from the official docker image.

Dockerfile

@@ -1,3 +1,5 @@
+ARG SEMGREP_VERSION=1.75.0
+
 FROM golang:alpine3.20 as build
 
 # Link to All Apps https://arc.net/folder/40C7B38D-FE7B-4DCE-BEF2-49C652757741
@@ -68,70 +70,7 @@ FROM rust:alpine3.20 as build-just
 RUN apk add musl-dev
 RUN cargo install just
 
-# Build Semgrep Core
-#
-# The Docker image below (after the 'FROM') is prepackaged with 'ocamlc',
-# 'opam', and lots of packages that are used by semgrep-core and installed in
-# the 'make install-deps' command further below.
-# See https://github.com/returntocorp/ocaml-layer/blob/master/configs/alpine.sh
-# for this list of packages.
-# Thanks to this container, 'make install-deps' finishes very quickly because it's
-# mostly a noop. Alternative base container candidates are:
-#
-# - 'ocaml/opam:alpine', the official OCaml/opam Docker image,
-# but building our Docker image would take longer because
-# of all the necessary Semgrep dependencies installed in 'make install-deps'.
-#
-# We build a new Semgrep Docker image on each pull-request (PR) so we don't
-# want to wait 30min each time just for 'docker build' to finish.
-#
-# Note also that ocaml/opam:alpine default user is 'opam', not 'root', which
-# is not without problems when used inside Github actions (GHA) or even inside
-# this Dockerfile.
-#
-# - 'alpine', the official Alpine Docker image, but this would require some
-# extra 'apk' commands to install opam, and extra commands to setup OCaml
-# with this opam from scratch, and more importantly this would take
-# far more time to finish. Moreover, it is not trivial to work from such
-# a base container as 'opam' itself requires lots of extra
-# tools like gcc, make, which are not provided by default on Alpine.
-#
-# An alternative to ocaml-layer would be to use https://depot.dev/
-#
-# Note that the Docker base image below currently uses OCaml 4.14.0
-# coupling: if you modify the OCaml version there, you probably also need
-# to modify:
-# - scripts/{osx-setup-for-release,setup-m1-builder}.sh
-# - doc/SEMGREP_CORE_CONTRIBUTING.md
-# - https://github.com/Homebrew/homebrew-core/blob/master/Formula/semgrep.rb
-#
-# coupling: if you modify the FROM below, you probably need to modify also
-# a few .github/workflows/ files. grep for returntocorp/ocaml there.
-
-FROM returntocorp/ocaml:alpine as build-semgrep-core
-
-ARG SEMGREP_VERSION=v1.75.0
-
-WORKDIR /src
-
-RUN apk add --no-cache git make
-
-RUN git clone --recurse-submodules --branch ${SEMGREP_VERSION} --depth=1 --single-branch https://github.com/semgrep/semgrep /src/semgrep
-
-WORKDIR /src/semgrep
-
-RUN make install-deps-ALPINE-for-semgrep-core &&\
- make install-deps-for-semgrep-core
-
-COPY Makefile.semgrep .
-
-# Let's build just semgrep-core
-# Note: I'm not sure that using dune --release actually makes an appreciable difference
-# The binary is the same size, and I haven't tested the result when building without --release
-RUN eval "$(opam env)" &&\
- make -f Makefile.semgrep release-build &&\
- # Sanity check
- /src/semgrep/_build/default/src/main/Main.exe -version
+FROM semgrep/semgrep:$SEMGREP_VERSION as semgrep
 
 FROM alpine:3.20
 
@@ -147,7 +86,7 @@ LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/CMS-E
 LABEL io.artifacthub.package.license="Apache-2.0"
 
 COPY --from=build-just /usr/local/cargo/bin/just /usr/local/bin/just
-COPY --from=build-semgrep-core /src/semgrep/_build/default/src/main/Main.exe /usr/local/bin/osemgrep
+COPY --from=semgrep /usr/local/bin/semgrep-core /usr/local/bin/osemgrep
 
 COPY --from=build /usr/local/bin/grype /usr/local/bin/grype
 COPY --from=build /usr/local/bin/syft /usr/local/bin/syft