We're an expanding engineering organization currently using Trivy for scanning container images for vulnerabilities in our workloads, like Python, ArgoCD, and Istio. However, we're experiencing significant alert fatigue due to the overwhelming number of low-context CVE findings. We're now seeking better container image security strategies that can improve our signal-to-noise ratio, integrate well with our CI/CD processes, and focus on actionable risks rather than just counting raw vulnerabilities. This is especially important considering the recent Bitnami licensing changes and the need for more sustainable base image practices.
2 Answers
To tackle alert fatigue, it's essential to design a CI gating policy that goes beyond just "fail on any HIGH" alerts. Instead, you can categorize alerts like:
- **Block**: If there's an exploit that's reachable and a fix is available.
- **Warn**: For high vulnerabilities without known exploits—track these but allow deployments.
- **Ignore**: For OS-level CVEs that your application doesn't actually interact with.
Most teams get bombarded with findings because they stick to default severity thresholds and don’t act on them.
Also, consider controlling what goes into your pipeline by using a private registry. This can help mitigate risks from using base images pulled from Docker Hub.
If you're scaling up and can set your architectural standards, I recommend opting for secure by design practices right away. Allocate some budget for hardened images from providers like Echo. This way, you can establish a more secure foundation for the long term.
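One way to implement the Block/Warn/Ignore gate described above over Trivy's JSON report (`trivy image -f json`), as an added example that is not part of this answer. The report is a constructed sample that follows Trivy's field names; the known-exploited CVE set and the list of OS packages the application actually uses are assumed team-maintained inputs, since Trivy does not supply them.

```python
import json

# Constructed sample shaped like a Trivy JSON report; CVE ids, packages and
# versions are made up for illustration.
SAMPLE_REPORT = json.loads("""{
  "Results": [
    {"Target": "app (debian 12)", "Class": "os-pkgs",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "openssl", "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "openssl", "InstalledVersion": "3.0.1", "FixedVersion": "", "Severity": "HIGH"}
     ]},
    {"Target": "Python", "Class": "lang-pkgs",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests", "InstalledVersion": "2.0", "FixedVersion": "2.1", "Severity": "MEDIUM"}
     ]}
  ]}""")

# Assumed team-maintained inputs (not produced by Trivy): CVEs with known
# exploitation, and OS packages the application actually links or execs.
KNOWN_EXPLOITED = {"CVE-0000-0002", "CVE-0000-0004"}
OS_PKGS_IN_USE = {"openssl", "libc6"}

def classify(vuln, pkg_class):
    # OS-level CVEs in packages the app never touches are not reachable.
    reachable = pkg_class != "os-pkgs" or vuln["PkgName"] in OS_PKGS_IN_USE
    if not reachable:
        return "ignore"
    # Exploited and fixable blocks regardless of CVSS severity.
    if vuln["VulnerabilityID"] in KNOWN_EXPLOITED and vuln.get("FixedVersion"):
        return "block"
    if vuln["Severity"] in ("HIGH", "CRITICAL"):
        return "warn"
    return "info"

def triage(report):
    """Return {category: [(cve, pkg), ...]} for every finding in the report."""
    buckets = {"block": [], "warn": [], "ignore": [], "info": []}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            buckets[classify(v, result.get("Class"))].append((v["VulnerabilityID"], v["PkgName"]))
    return buckets

def gate(report):
    """CI gate: non-zero exit only when the 'block' bucket is non-empty."""
    buckets = triage(report)
    for cat in ("block", "warn", "ignore"):
        for cve, pkg in buckets[cat]:
            print(f"{cat.upper():6} {cve} in {pkg}")
    return 1 if buckets["block"] else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Note that the MEDIUM finding in `requests` blocks while the CRITICAL one in an unused OS library is ignored, which is the inversion of the default severity threshold the answer argues for.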

That’s a smart approach! I like the idea of categorizing alerts—it definitely helps in managing what’s crucial.