I've been using Prisma Cloud for about 8 months now to identify vulnerabilities, but I'm noticing that our CVE backlog for containers in Jira keeps expanding rather than shrinking. Just last week, I decided to investigate further. I pulled a fresh node:18 image from Docker Hub and ran Trivy against it, only to find an overwhelming 340 CVEs, and that's before even introducing any of our application code. It seems like the base image itself is the main source of these vulnerabilities, with issues stemming from components like Curl, wget, and portions of libc that we don't even use.
We are a company with a 60-person engineering team and only two dedicated security team members, so we can typically patch around 30-40 CVEs per sprint if we're lucky. Shortly after a new node:18 digest is released, we seem to be back to over 300 vulnerabilities. I'm wondering if moving to distroless images or using scratch images might be a better solution. What best practices can we adopt to manage this better?
6 Answers
Since Node 18 is outdated, have you validated your application against a newer version? Sticking with old versions won't be sustainable in the long run.
First off, upgrade your app to at least Node 24 LTS since Node 18 is EOL. Second, consider implementing a two-step build process. You could serve your static assets using a hardened Nginx image from Chainguard, and for the backend, use a distroless Node image for better security.
The more layers and components you have in your image, the higher the number of vulnerabilities you're likely to encounter. Keeping your images slim will definitely help reduce CVEs. You might want to check out Wolfi images; they helped us cut our CVE count in half!
Node 18 has been out of maintenance for over a year; it’s no surprise that it’s riddled with security issues. Consider upgrading to a more recent version—that alone could help reduce your backlog significantly.
Absolutely check which CVEs are relevant. Many may just be noise and not applicable to your setup at all. It's common to document which ones you choose to ignore because they won’t impact you or you already have mitigations in place. Considering Chainguard or similar services for a more minimal image could help as well. And yes, Node 18 is way past due for an upgrade; think about moving to at least version 24.
Switching to distroless or minimal images is a valid suggestion, but I have to say it won't completely eliminate your CVE issues. The real problem lies in how Prisma and similar scanners categorize vulnerabilities. They don't distinguish between critical vulnerabilities that directly impact your application and those in libraries that your app never uses. Start prioritizing by actual risk instead of severity, and you'll find many of those CVEs can be acknowledged as not exploitable. Focus on filtering those CVEs based on whether they impact your specific environment. Upgrade from Node 18, but also address the prioritization issue—it’s key to managing the backlog effectively.
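The last two answers both say the same thing in different words: sort the scanner output by whether a finding is reachable and whether a fix even exists, and write down why the rest is accepted. Below is an added example of that triage, not code from the original thread or from Trivy or Prisma. It parses a constructed report in the shape of `trivy image --format json` output (`Results[].Vulnerabilities[]`), uses placeholder CVE identifiers rather than real ones, and assumes a hypothetical `UNUSED_AT_RUNTIME` allowlist of packages the team has verified the running container never executes. It emits a `.trivyignore` with a justification comment and an expiry so accepted findings drop out of the backlog but come back for re-review.

```python
"""Triage a Trivy JSON report by reachability and fix availability.

Added example for this thread; not from the original post or any vendor.
The report and CVE IDs below are constructed placeholders.
"""
import json
from collections import defaultdict

# Constructed sample in the shape Trivy emits for a Debian-based image.
# FixedVersion is absent when upstream has not shipped a fix.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "node:18 (debian 12)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "curl",
             "InstalledVersion": "7.88.1-10",
             "FixedVersion": "7.88.1-10+deb12u5", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "wget",
             "InstalledVersion": "1.21.3-1", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libc6",
             "InstalledVersion": "2.36-9",
             "FixedVersion": "2.36-9+deb12u4", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libc6",
             "InstalledVersion": "2.36-9", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-0000-0005", "PkgName": "openssl",
             "InstalledVersion": "3.0.11-1",
             "FixedVersion": "3.0.13-1", "Severity": "MEDIUM"},
        ],
    }],
})

# Hypothetical allowlist: packages verified as never executed at runtime
# (build-time tools the base image ships). Each entry needs a written reason.
UNUSED_AT_RUNTIME = {
    "curl": "no outbound HTTP from the container; never invoked by the app",
    "wget": "never executed; present only because the base image ships it",
}

FIX_NOW_SEVERITIES = {"CRITICAL", "HIGH"}


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] and de-duplicate on (CVE, package)."""
    seen, findings = set(), []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v["PkgName"])
            if key not in seen:
                seen.add(key)
                findings.append(v)
    return findings


def classify(v):
    """Bucket one finding by reachability first, then by fix availability."""
    if v["PkgName"] in UNUSED_AT_RUNTIME:
        return "not_applicable"
    if not v.get("FixedVersion"):
        # Nothing to patch yet: track it, do not spend sprint time on it.
        return "no_fix_available"
    if v["Severity"].upper() in FIX_NOW_SEVERITIES:
        return "fix_now"
    return "fix_next_sprint"


def triage(report_json):
    """Return {bucket: [findings]} for a Trivy JSON report string."""
    buckets = defaultdict(list)
    for v in load_findings(report_json):
        buckets[classify(v)].append(v)
    return dict(buckets)


def summarize(buckets):
    """Counts per bucket, which is what actually belongs on the Jira board."""
    return {name: len(items) for name, items in buckets.items()}


def render_trivyignore(buckets, expires="2025-12-31"):
    """Write accepted findings in .trivyignore format with an expiry date."""
    lines = ["# Accepted findings with justification; re-review on expiry"]
    for v in buckets.get("not_applicable", []):
        lines.append(f"# {v['PkgName']}: {UNUSED_AT_RUNTIME[v['PkgName']]}")
        lines.append(f"{v['VulnerabilityID']} exp:{expires}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    b = triage(SAMPLE_REPORT)
    print(summarize(b))
    print(render_trivyignore(b), end="")
```

The allowlist is the weak point: it is only as good as the last time someone checked that curl and wget really are dead weight. The cleaner fix is to make the claim true by construction, building the app in one stage and copying only the artifacts into a distroless or Wolfi runtime stage, so those packages are absent from the image and never reach the scanner at all.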
