I'm trying to figure out the best practices for building secure application containers. We use a variety of base images like Ubuntu, Alpine, Node, OpenJDK, and Rocky, and I'm not sure if we're approaching this the right way. What steps do you take to ensure your base images aren't filled with vulnerabilities before you start building your application? Currently, we just pull the official images and run scans with our CI/CD tools. However, we often end up with hundreds of flagged CVEs, and it can be challenging to determine which ones are significant and not just noise, especially since some are in packages we don't even utilize.
2 Answers
Did you know that Docker now offers hardened images? It could be worthwhile checking those out. They also have hardened Helm Charts for various tools, which is a nice touch.
One effective strategy is to create your own base images with fewer packages. Starting from a base Alpine image allows for more control over what gets included, which can reduce vulnerabilities.

True! Docker is catching up. Also, Chainguard has been offering hardened images for a while, so that's worth looking into as well. Always aim to add the least to your base image, and consider using multi-stage builds to separate build and production stages.
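As an added example that is not part of either answer above, here is one way to put both suggestions together: a multi-stage build where the first stage carries npm and the rest of the build tooling, and the final image starts from plain Alpine with only the Node runtime and the application added. The image tags, the `server.js` entrypoint, the `app` user and the file layout are assumptions for illustration; adjust them to your project.

```dockerfile
# syntax=docker/dockerfile:1
# Added illustration, not code from the original thread. Image tags, the
# entrypoint name and the non-root user are assumptions for this example.

# ---- Build stage: has npm, package manager caches, and any build tooling ----
FROM node:20-alpine AS build
WORKDIR /src
# Copy manifests first so the dependency layer is cached across source edits
COPY package.json package-lock.json ./
# Reproducible install from the lockfile; devDependencies never reach the runtime image
RUN npm ci --omit=dev
COPY . .

# ---- Runtime stage: bare Alpine plus only the Node runtime ----
FROM alpine:3.20
# Only the nodejs package is installed here; npm, git, compilers and every
# layer of the build stage are left behind, so they never appear in a scan
# of the final image. Running as a dedicated non-root user is an added
# hardening step, not something the thread discusses.
RUN apk add --no-cache nodejs \
    && addgroup -S app \
    && adduser -S -G app -h /app app
WORKDIR /app
# Copy only the artifacts the application needs at runtime
COPY --from=build --chown=app:app /src/node_modules ./node_modules
COPY --from=build --chown=app:app /src/server.js ./server.js
USER app
EXPOSE 3000
CMD ["node", "server.js"]
```

If the application needs a compile or bundling step, install all dependencies in the build stage, run the build there, and copy only the build output into the runtime stage. A quick way to see the effect is to run your existing CI scanner against both `node:20-alpine` and the image this file produces: the package list the scanner reports for the final image is limited to what Alpine ships plus `nodejs`, which is what makes the remaining findings easier to triage.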