I'm trying to find the best way to build secure application containers. We use a variety of base images including Ubuntu, Alpine, Node, OpenJDK, and Rocky. I want to ensure that we're not starting off with base images packed with vulnerabilities.
Currently, we just pull official images and scan them using our CI/CD tools, but we end up with hundreds of flagged CVEs. It gets overwhelming, and we're unsure which alerts are critical and which are just noise—especially since some of the flagged vulnerabilities are in packages we don't even utilize. Any suggestions on how to manage this better?
3 Answers
Hardened images are a great step in the right direction. If you're worried about vulnerabilities, consider also using tools designed to interpret CVE reports and filter out irrelevant alerts. It might help clear up the confusion from all those warnings you get!
In my experience, using Docker's hardened images is a good starting point. However, you might want to check out Chainguard.dev images; they have an excellent reputation when it comes to handling vulnerabilities. Either option can help, but Chainguard might give you an edge if you're doing a lot of vulnerability management.
Official images are a solid foundation, but encountering hundreds of CVEs is pretty standard. Don’t stress too much; many of those vulnerabilities may not be relevant in your specific context. The key is to focus on the ones that affect the libraries and packages you actually use in your application.
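One way to cut the noise the answers above describe, as an added example that is not from the question or any answer: triage a scanner report by whether the package is actually part of the application's runtime set and whether a fix exists. The sample report is constructed here in the shape of Trivy's JSON output (`Results[].Vulnerabilities[]`); the CVE ids, package names and versions are placeholders, and the `used_packages` set is assumed to come from your SBOM or process tree.

```python
import json
from collections import defaultdict

# Constructed sample in the shape Trivy's `--format json` output uses
# (Results[].Vulnerabilities[]); ids, packages and versions are placeholders.
SAMPLE_REPORT = json.loads("""
{"Results": [{"Target": "app (alpine 3.19)", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.1.4-r0",
   "FixedVersion": "3.1.4-r1", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.1-r15",
   "FixedVersion": "", "Severity": "MEDIUM"},
  {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libcurl", "InstalledVersion": "8.5.0-r0",
   "FixedVersion": "8.6.0-r0", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-0000-0004", "PkgName": "perl", "InstalledVersion": "5.38.2-r0",
   "FixedVersion": "5.38.2-r1", "Severity": "LOW"}
]}]}
""")

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

def triage(report, used_packages):
    """Split findings into actionable buckets, each sorted by severity.
    fix_now: package is in the app's runtime set and a fixed version exists.
    watch:   package is used but upstream has no fix yet (track, don't block).
    unused:  package ships in the image but the app never loads it; the usual
             fix is removing it (slimmer/hardened base, multi-stage build).
    """
    buckets = defaultdict(list)
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            entry = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                     "severity": v.get("Severity", "UNKNOWN"),
                     "fixed": v.get("FixedVersion") or None}
            if entry["pkg"] not in used_packages:
                buckets["unused"].append(entry)
            elif entry["fixed"]:
                buckets["fix_now"].append(entry)
            else:
                buckets["watch"].append(entry)
    for b in buckets.values():
        b.sort(key=lambda e: SEVERITY_RANK.get(e["severity"], 4))
    return dict(buckets)

if __name__ == "__main__":
    # Assumed runtime dependency set; derive it from the SBOM in practice.
    print(json.dumps(triage(SAMPLE_REPORT, {"openssl", "libcurl", "busybox"}), indent=2))
```

The same split works on Grype or other scanner output once the field names are mapped; the point is that "present in the image" and "reachable by the application" are different questions.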