I'm looking for effective ways to ensure that my application container base images are secure. We use a variety of images like Ubuntu, Alpine, Node, OpenJDK, and Rocky. Currently, we just pull the official images and scan them with our CI/CD tools, but we often get overwhelmed by numerous CVEs with no clear guidance on which vulnerabilities matter most. What strategies do you use to minimize vulnerabilities in your base images before building your applications on top?
4 Answers
Keeping your images minimal is key! Start with something like Alpine or even distroless images, install only what you need, and integrate automated scanning into your CI/CD pipeline. Focus on high severity CVEs that could actually impact your environment, and maintain SBOMs for traceability.
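An added example, not code posted by anyone in this thread, of the triage this answer describes: take a scanner's findings, keep only those at or above a severity threshold in packages the application actually uses (per an SBOM or runtime profile), order the survivors by whether a fix exists, and treat everything else as packages to remove rather than patch. The scan report, the runtime package list and the vulnerability IDs are constructed sample data in a simplified, made-up format; real scanners each have their own JSON schema, so the loader is the part to adapt.

```python
"""Triage container scan findings against the packages an application really uses.

Example code written for this thread, not from any answer above. SCAN_REPORT and
RUNTIME_PACKAGES are constructed samples; "CVE-XXXX-000N" are placeholder IDs.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Ordering used to compare scanner severities; UNKNOWN sorts lowest.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: Optional[str]   # None when the distro has not shipped a fixed version
    severity: str


# Constructed sample: what a scanner might report for one base image.
SCAN_REPORT = [
    {"id": "CVE-XXXX-0001", "pkg": "openssl", "installed": "3.0.1", "fixed": "3.0.2", "severity": "CRITICAL"},
    {"id": "CVE-XXXX-0002", "pkg": "perl", "installed": "5.34.0", "fixed": None, "severity": "HIGH"},
    {"id": "CVE-XXXX-0003", "pkg": "libc6", "installed": "2.35", "fixed": "2.35-1", "severity": "HIGH"},
    {"id": "CVE-XXXX-0004", "pkg": "vim", "installed": "8.2", "fixed": "8.2.1", "severity": "MEDIUM"},
    {"id": "CVE-XXXX-0005", "pkg": "openssl", "installed": "3.0.1", "fixed": None, "severity": "LOW"},
]

# Constructed sample: packages the application loads at runtime, e.g. from an
# SBOM of the final stage or from a runtime profiler. A minimal/distroless
# build would contain little more than this set.
RUNTIME_PACKAGES = {"openssl", "libc6", "node"}


def load_findings(report) -> List[Finding]:
    """Normalise the (made-up) report format into Finding objects."""
    return [
        Finding(r["id"], r["pkg"], r["installed"], r.get("fixed"), r["severity"].upper())
        for r in report
    ]


def triage(findings: List[Finding], runtime_packages: Set[str],
           min_severity: str = "HIGH") -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (actionable, noise).

    Actionable: severity >= min_severity AND the package is used at runtime.
    Actionable findings with a fixed version sort first (upgrade now), then
    unfixed ones (mitigate or monitor), highest severity first within each group.
    Noise: everything else; these point at packages to drop from the image.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    actionable, noise = [], []
    for f in findings:
        severe_enough = SEVERITY_RANK.get(f.severity, 0) >= threshold
        if f.package in runtime_packages and severe_enough:
            actionable.append(f)
        else:
            noise.append(f)
    actionable.sort(key=lambda f: (f.fixed is None, -SEVERITY_RANK.get(f.severity, 0), f.vuln_id))
    return actionable, noise


def removal_candidates(noise: List[Finding], runtime_packages: Set[str]) -> List[str]:
    """Packages carrying findings but never used at runtime: remove them instead of patching."""
    return sorted({f.package for f in noise if f.package not in runtime_packages})


if __name__ == "__main__":
    findings = load_findings(SCAN_REPORT)
    actionable, noise = triage(findings, RUNTIME_PACKAGES)
    print("Act on now:")
    for f in actionable:
        action = f"upgrade to {f.fixed}" if f.fixed else "no fix yet; mitigate/monitor"
        print(f"  {f.vuln_id} {f.package} {f.installed} [{f.severity}] -> {action}")
    print("Remove from image:", ", ".join(removal_candidates(noise, RUNTIME_PACKAGES)))
    print(f"Suppressed as noise: {len(noise)} finding(s)")
```

With the sample data, only the openssl and libc6 findings survive; perl and vim show up as removal candidates, which is usually the cheaper fix than chasing their CVEs.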
Check out the hardened images that Docker has recently started offering. They include more secure options and even hardened Helm Charts for some tools. It's worth a look!
Tracking down hundreds of CVEs in packages you don’t use can be a huge time waster. Instead, consider using pre-hardened images like those from RapidFort. They come with very few vulnerabilities out of the box and even have a profiler to help monitor your production environment, reducing unnecessary noise from scans.
One great approach is to build your own base images. Starting with a minimal base image like Alpine allows you to add only the packages you actually need, reducing the attack surface.

Absolutely, Docker is finally catching up! Also, Chainguard has been providing hardened images for a while—definitely worth checking out if you're looking for security. And remember to keep your base images minimal and use multi-stage builds to separate build and production environments.