Docker scan produces 331 vulnerabilities #147

Open
mjmaurer opened this issue Mar 16, 2021 · 1 comment
Comments

@mjmaurer
docker pull elixir:1.9
docker scan elixir

Tested 537 dependencies for known vulnerabilities, found 331 vulnerabilities.

A good amount are high severity. I know local scan is still beta, so it's possible there are bugs. I'm curious how these are introduced considering how often the image is built.

@conradwt
@mjmaurer I'm seeing similar numbers in regards to elixir:1.11.4 but many of these vulnerabilities are coming from dependencies included in the image. Thus, I recommend using a different image that works for your use case. For example

$ docker scan elixir:1.11.4-alpine  

...

Tested 22 dependencies for known vulnerabilities, found 1 vulnerability.

Note: The one vulnerability here is as follows:

Medium severity vulnerability found in musl/musl

$ docker scan elixir:1.11.4-slim

...

Tested 96 dependencies for known vulnerabilities, found 63 vulnerabilities.

In general, one can reduce the level of security vulnerabilities by selecting an image that doesn't include unnecessary dependencies like alpine or slim.
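The comparison above is done by eye across three separate `docker scan` runs. The following is an added example (not code from this issue or from the docker/scan project) that parses the summary line and the per-finding severity lines in the format shown in the thread, ranks candidate image tags by their reported vulnerability count, and applies a simple severity gate. The scan outputs embedded below are constructed from the numbers quoted in the comments; the individual `High severity ...` lines for `elixir:1.9` and `elixir:1.11.4-slim` are invented placeholders so the gate has something to reject, and the package names in them are not from the page.

```python
import re
from dataclasses import dataclass, field

# Summary line as printed by `docker scan` (handles "1 vulnerability" and "N vulnerabilities").
SUMMARY_RE = re.compile(
    r"Tested (\d+) dependencies for known vulnerabilities, found (\d+) vulnerabilit(?:y|ies)\."
)
# Per-finding header line, e.g. "Medium severity vulnerability found in musl/musl".
FINDING_RE = re.compile(
    r"^(Low|Medium|High|Critical) severity vulnerability found in (\S+)", re.MULTILINE
)
SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]

# Constructed sample outputs (numbers from the issue; the High-severity lines are placeholders).
SAMPLE_OUTPUTS = {
    "elixir:1.9": (
        "High severity vulnerability found in placeholder/pkg-a\n"
        "High severity vulnerability found in placeholder/pkg-b\n"
        "Tested 537 dependencies for known vulnerabilities, found 331 vulnerabilities.\n"
    ),
    "elixir:1.11.4-alpine": (
        "Medium severity vulnerability found in musl/musl\n"
        "Tested 22 dependencies for known vulnerabilities, found 1 vulnerability.\n"
    ),
    "elixir:1.11.4-slim": (
        "High severity vulnerability found in placeholder/pkg-c\n"
        "Tested 96 dependencies for known vulnerabilities, found 63 vulnerabilities.\n"
    ),
}


@dataclass
class ScanResult:
    image: str
    tested: int                      # dependencies examined
    found: int                       # vulnerabilities reported in the summary line
    by_severity: dict = field(default_factory=dict)  # severity -> count of finding headers seen


def parse_scan(image, output):
    """Extract the summary counts and severity histogram from one scan's text output."""
    m = SUMMARY_RE.search(output)
    if not m:
        raise ValueError(f"no summary line found in scan output for {image}")
    tested, found = int(m.group(1)), int(m.group(2))
    by_severity = {}
    for severity, _pkg in FINDING_RE.findall(output):
        by_severity[severity] = by_severity.get(severity, 0) + 1
    return ScanResult(image, tested, found, by_severity)


def rank_images(results):
    """Order candidates by vulnerability count, then by dependency count (smaller surface first)."""
    return sorted(results, key=lambda r: (r.found, r.tested))


def passes_policy(result, max_severity="Medium"):
    """True if no finding header exceeds max_severity. Assumes every finding printed a header line."""
    limit = SEVERITY_ORDER.index(max_severity)
    return all(SEVERITY_ORDER.index(s) <= limit for s in result.by_severity)


def summarize(outputs):
    """Parse all captured scan outputs and return ranked (image, found, tested, passes) rows."""
    results = rank_images(parse_scan(img, out) for img, out in outputs.items())
    return [(r.image, r.found, r.tested, passes_policy(r)) for r in results]


if __name__ == "__main__":
    for image, found, tested, ok in summarize(SAMPLE_OUTPUTS):
        print(f"{image:24} {found:4} found / {tested:4} tested  policy: {'PASS' if ok else 'FAIL'}")
```

In practice the dictionary would be filled by capturing `docker scan <tag>` output for each tag you are considering; the gate should be seen as a first cut, since a smaller image can still carry a serious finding in a package you actually use, and the only fix for a base-image finding is a rebuilt base or a different one.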
