How Do I Handle Growing CVE Backlogs in My Container Images?

Asked By TechWhiz83 On

I've been using Prisma Cloud for container security for about 8 months now, and while it does find vulnerabilities, our backlog of CVEs in Jira keeps growing. Just last week, I tested a fresh node:18 image from Docker Hub with Trivy and it flagged 340 CVEs before I'd even added any of our app's code. The base image seems to be the main culprit; it includes components we don't even call, like Curl and half of libc. With our engineering team of 60 and just two dedicated security folks, we can patch maybe 30-40 CVEs per sprint, but then Docker Hub releases a new image and we're back to over 300. I'm wondering if switching to distroless or scratch images would help, and what the best practices are for managing this issue.

4 Answers

Answered By ImageMaster123 On

The number of vulnerabilities increases with the contents of your image. Streamlining your image is a good idea. Try using Wolfi images; at my company, they helped cut the CVEs in half. Definitely look into that as part of your strategy!

Answered By SecuRanger99 On

It's crucial to evaluate the actual CVEs you're facing. Many could be irrelevant to your application's security. A straightforward approach is to document those you deem non-threatening and ignore them, especially if you have mitigation strategies in place. Also, consider using tools like Chainguard to minimize your images for better security. Remember, being on Node 18 is pretty out of date; you might want to move to the latest LTS version for better support.

Answered By DevGuru22 On

Node 18 is actually EOL, so it’s not surprising you're facing these issues. An outdated base image definitely increases your vulnerability risk. Have you considered upgrading to a more recent version? It might alleviate some of the backlog.

Answered By CodeNinja77 On

Sure, switching to distroless or minimal images is a common suggestion, but it won't completely eliminate your backlog. The real challenge is how vulnerability scanners like Prisma treat all CVEs equally, regardless of whether they're actually relevant. You should determine which vulnerabilities are truly exploitable in your context rather than simply triaging by severity. Focusing on reachable vulnerabilities can significantly reduce the workload. Upgrading from Node 18 is essential, but it's not the only solution you need to consider.
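Two of the answers above recommend the same workflow: keep a written record of the CVEs you have decided not to act on (SecuRanger99), and sort the rest by whether the vulnerable package is actually used by your application before you look at severity (CodeNinja77). The script below is an added illustration of that triage step, not code from any of the answerers or from Prisma Cloud or Trivy. It reads a report in Trivy's JSON layout (`Results[].Vulnerabilities[]`, with `VulnerabilityID`, `PkgName`, `FixedVersion` and `Severity` fields), but the report content, the CVE ids (`CVE-EXAMPLE-*`), the exception list and the set of reachable packages are all constructed placeholders. Each exception carries a justification and an expiry date, so an "ignore" decision is revisited rather than silently outliving the reasoning behind it.

```python
"""Triage a Trivy-style JSON report against a documented exception list.

Constructed example: the report below imitates Trivy's JSON shape
(Results[].Vulnerabilities[]); the CVE ids, packages and versions are
placeholders, not real findings.
"""
import json
from datetime import date

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed report in Trivy's JSON layout (all ids are placeholders).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example-app:latest",
    "Results": [{
        "Target": "example-app:latest (debian 12)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "curl",
             "InstalledVersion": "7.0", "FixedVersion": "7.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libc6",
             "InstalledVersion": "2.36-1", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "openssl",
             "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "perl-base",
             "InstalledVersion": "5.36", "FixedVersion": "", "Severity": "MEDIUM"},
        ],
    }],
})

# Documented exceptions (constructed). Every entry needs a justification and
# an expiry so the decision is reviewed instead of forgotten.
EXCEPTIONS = {
    "CVE-EXAMPLE-0004": {"justification": "perl is never invoked; no shell in image",
                         "expires": "2099-01-01"},
    "CVE-EXAMPLE-0002": {"justification": "reviewed once, long ago",
                         "expires": "2020-01-01"},  # expired: must not suppress
}

# Packages the application actually loads at runtime (constructed; in practice
# derived from a runtime profile or from the linked-library part of an SBOM).
REACHABLE_PKGS = {"openssl", "libc6"}


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list of dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy omits the key entirely when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN"),
                "target": result.get("Target", ""),
            })
    return findings


def active_exception(cve_id, exceptions, today):
    """Return the exception entry only if it exists and has not expired."""
    entry = exceptions.get(cve_id)
    if entry is None or date.fromisoformat(entry["expires"]) < today:
        return None
    return entry


def triage(report_json, exceptions, reachable_pkgs, today=None):
    """Split findings into actionable / deprioritized / excepted buckets.

    Actionable items are ordered so that fixable, high-severity CVEs in
    packages the app really uses come first.
    """
    today = today or date.today()
    buckets = {"actionable": [], "deprioritized": [], "excepted": []}
    for f in load_findings(report_json):
        exc = active_exception(f["id"], exceptions, today)
        if exc:
            f["reason"] = exc["justification"]
            buckets["excepted"].append(f)
        elif f["pkg"] not in reachable_pkgs:
            # Kept in the backlog, but behind anything the app can reach.
            f["reason"] = "package not loaded by the application"
            buckets["deprioritized"].append(f)
        else:
            buckets["actionable"].append(f)
    buckets["actionable"].sort(
        key=lambda f: (f["fixed"] == "", -SEVERITY_RANK.get(f["severity"], 0), f["id"]))
    return buckets


def triage_sample():
    """Run the triage over the constructed report with a fixed date."""
    return triage(SAMPLE_REPORT, EXCEPTIONS, REACHABLE_PKGS, today=date(2025, 1, 1))


if __name__ == "__main__":
    for bucket, items in triage_sample().items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f['id']} {f['pkg']} {f['severity']} "
                  f"fix={f['fixed'] or 'none'} {f.get('reason', '')}")
```

On the constructed input the libc6 finding lands in the actionable bucket even though an exception exists for it, because that exception expired; the curl finding is kept but deprioritized because nothing in the application loads it; and the perl-base finding is suppressed with its justification attached. Sorting fixable items first matches how a two-person security team can actually burn down a backlog: a rebuild on a patched base image clears them, while unfixed CVEs need a documented decision rather than a ticket that ages.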
