
sandbox: shrink image by ~2GB (go modcache, locales, docs)#474

Open: seanturner83 wants to merge 2 commits into usestrix:main from seanturner83:sandbox/slim-image

Conversation

@seanturner83 (Contributor)

Summary

Three safe reclamations to containers/Dockerfile that shrink the final image by ~2.3GB / ~23% without removing any user-facing tool:

| Change | Approx saving |
|---|---|
| go clean -modcache after go install chain | ~1.7GB |
| Purge non-English glibc locales (keep en, en_US, C) | ~160MB |
| Remove /usr/share/{doc,doc-base,man} | ~95MB |

Measured: 9.78GB → 7.49GB on linux/amd64 build.

Why

The sandbox image is pulled per-scan in CI setups that use Strix, and cold-runner docker pull / docker load times are ~3-5 min, dominating the warm-up envelope for fast scans. Trimming ~2GB directly reduces that latency. No functional change — every binary present before is present after.

Safety

Go modcache. go install -v <pkg>@latest downloads sources into $GOPATH/pkg/mod and produces a statically-linked binary in $GOPATH/bin. The binaries don't reference the module cache at runtime. go clean -modcache removes the source tree; subsequent go install invocations re-download on demand (same behaviour as a fresh container).

Verified locally by running each Go binary after the clean:

httpx             OK
katana            OK
vulnx             OK
gospider          OK
interactsh-client OK

Locales. The image runs with LANG=C.UTF-8 implicitly (no explicit LANG= set, no locales package pulled in with a locale-gen step). glibc falls back to C when requested locales are absent. Purging /usr/share/locale/* except en, en_US, C changes nothing for any process running in the sandbox.

Docs/man. Tool runtime doesn't call man or read /usr/share/doc/*. Package postinst scripts reference these during install, not at runtime.

All three reclamations ride inside the existing apt-get autoremove cleanup layer, so no new layer is introduced.

Smoke test (manual, linux/amd64)

```shell
docker build -f containers/Dockerfile -t strix-sandbox:slim .
docker run --rm --entrypoint /bin/bash strix-sandbox:slim -c '
for t in semgrep bandit nuclei httpx katana trufflehog trivy zaproxy nmap \
         sqlmap ffuf subfinder naabu gitleaks wapiti ast-grep eslint retire \
         jshint tree-sitter arjun dirsearch wafw00f js-beautify; do
  command -v "$t" >/dev/null && echo "OK  $t" || echo "MISSING $t"
done
'
```

All tools report OK on the slim image. Size confirmed via docker images.

Non-goals

  • Not removing any tool
  • Not changing any pinned version
  • Not touching the CA setup, docker-entrypoint.sh, Caido proxy, or Python/Node runtime
  • Not adding CI to build the container (separate conversation — there's no .github/workflows/* that builds the sandbox today, so this PR has been tested manually)

Three safe reclamations to containers/Dockerfile that trim the final
image from ~9.8GB to ~7.5GB without removing any user-facing tool:

- `go clean -modcache` after the ProjectDiscovery installs removes
  ~1.7GB of Go module sources. The resulting binaries in
  /home/pentester/go/bin are self-contained and don't need the
  module cache at runtime.
- Purge non-English glibc locales (~160MB). Sandbox runs with
  LANG=C.UTF-8 implicitly; no locale beyond en/en_US/C is used.
- Remove /usr/share/doc, /usr/share/doc-base, and /usr/share/man
  (~95MB). Runtime doesn't call man or read package docs.

Verified by building + smoke-testing the slim image: all path-visible
tools (semgrep, nuclei, httpx, katana, trivy, zaproxy, trufflehog,
gitleaks, sqlmap, ffuf, subfinder, naabu, bandit, arjun, dirsearch,
wafw00f, tree-sitter, ast-grep, eslint, retire, jshint, js-beautify,
wapiti) report version / usage cleanly on the slim image.
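As an added illustration (not code from the PR or from the Strix repository), the "keep en, en_US, C" locale rule and a post-build check for the three reclaimed paths, written as POSIX shell functions that run offline against a scratch tree. The modcache path /home/pentester/go/pkg/mod is an assumption derived from GOPATH=/home/pentester/go (the PR mentions the binaries living in /home/pentester/go/bin); the directory tree in the demo is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the PR or the Strix project: the "keep en, en_US, C"
# locale purge as a reusable function, plus a post-build check that the three
# reclaimed paths are gone. Runs offline against a scratch tree (pass a prefix);
# inside the image it would be pointed at the real paths.
set -eu

# Delete every top-level directory under $1 whose name is not in the
# space-separated allowlist $2. Anything not matched is removed, so the
# allowlist is the only thing protecting a directory: keep it explicit.
purge_locales() {
  root="$1"
  keep="$2"
  [ -d "$root" ] || return 0
  for d in "$root"/*/; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    case " $keep " in
      *" $name "*) ;;            # allowlisted locale, leave it in place
      *) rm -rf -- "$d" ;;       # anything else goes
    esac
  done
}

# Number of locale directories left under $1 (handy for a sanity report).
count_locale_dirs() {
  find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Check that the paths the PR reclaims are absent under prefix $1 ("" for the
# real filesystem). The modcache path assumes GOPATH=/home/pentester/go, which
# matches the /home/pentester/go/bin location the PR gives for the binaries.
verify_slim() {
  prefix="$1"
  rc=0
  for p in "$prefix/home/pentester/go/pkg/mod" \
           "$prefix/usr/share/doc" \
           "$prefix/usr/share/doc-base" \
           "$prefix/usr/share/man"; do
    if [ -e "$p" ]; then
      echo "STILL PRESENT $p"
      rc=1
    fi
  done
  return "$rc"
}

# Optional demo on a constructed tree: ./slim_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/usr/share/locale/de" "$tmp/usr/share/locale/fr" \
           "$tmp/usr/share/locale/en" "$tmp/usr/share/locale/en_US" \
           "$tmp/usr/share/locale/C" "$tmp/usr/share/locale/ja" \
           "$tmp/usr/share/doc" "$tmp/home/pentester/go/pkg/mod"
  purge_locales "$tmp/usr/share/locale" "en en_US C"
  echo "locale dirs left: $(count_locale_dirs "$tmp/usr/share/locale")"   # 3
  rm -rf "$tmp/usr/share/doc" "$tmp/home/pentester/go/pkg/mod"
  verify_slim "$tmp" && echo "slim image checks passed"
  rm -rf "$tmp"
fi
```

In a Dockerfile the purge would be invoked from the same RUN instruction as the existing apt-get autoremove cleanup, as the PR describes, so the deleted files never land in a committed layer; verify_slim is the docker-run counterpart to the smoke test above, confirming the reclaimed trees are actually gone rather than only that the tools still resolve.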
@greptile-apps (Bot, Contributor) commented May 4, 2026

Greptile Summary

This PR reduces the sandbox image by ~2.3 GB through three targeted cleanups in containers/Dockerfile: running go clean -modcache in the same RUN layer as go install (correct for minimizing layer size), purging non-English locale message-catalog directories, and deleting /usr/share/doc, /usr/share/doc-base, and /usr/share/man. All cleanup steps run before the final uv sync/Playwright/COPY stages, and none of those subsequent steps depend on locale or documentation files, so the build remains correct end-to-end.

Confidence Score: 4/5

Safe to merge; all three reclamations are correct and non-breaking, with only a minor style note.

No P0 or P1 issues found. The single P2 observation (vestigial man-db install) does not affect correctness or runtime behavior. The go modcache clean is correctly co-located in the same layer, locale purge is conservative and preserves English, and doc removal happens after all apt installs.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| containers/Dockerfile | Three image-size reductions: go modcache purge in the install layer, non-English locale directories removed, and doc/man trees deleted. Changes are safe; one P2 note about man-db still being installed. |

Comments Outside Diff (1)

  1. containers/Dockerfile, line 35

    P2 Now that /usr/share/man/* is removed in the cleanup layer, the man-db package installed here is vestigial — the man binary will exist but have nothing to serve. Dropping man-db from the install list would recover a few more MB and eliminate a package that serves no runtime purpose in the sandbox.

    Suggested change (containers/Dockerfile:35), dropping man-db from the install list:

```suggestion
    less procps htop \
```
Reviews (1): Last reviewed commit: "sandbox: shrink image by ~2GB (go modcac..."

man-db is vestigial once the man page tree is removed in the cleanup
layer — the man binary has nothing to serve. Dropping it from the
install list recovers a few more MB and avoids shipping a no-op
package + its dependencies (groff-base, libpipeline1, etc).

Raised by greptile on the slim-image PR.