Support alpine images
The official Postgres images support an Alpine base image build: https://github.com/docker-library/postgres/tree/master/16/alpine3.18
Alpine is much smaller than Debian and has many fewer vulnerabilities.
Hi @bdun1013
Do you have some research that actually shows that Alpine has fewer vulnerabilities? And in any case, we already look for security issues on the images now.
Regards,
Here's output from CVE scanning both Debian- and Alpine-based Postgres images with Trivy (https://github.com/aquasecurity/trivy):
```
❯ podman run docker.io/aquasec/trivy image postgres:16.2-bullseye
postgres:16.2-bullseye (debian 11.9)
====================================
Total: 195 (UNKNOWN: 12, LOW: 121, MEDIUM: 32, HIGH: 28, CRITICAL: 2)

❯ podman run docker.io/aquasec/trivy image postgres:16.2-alpine
postgres:16.2-alpine (alpine 3.19.1)
====================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
```
We would also like Alpine-based images very very much.
Even more if you scan it against the official cloudnative-pg image...
```
ghcr.io/cloudnative-pg/postgresql:16.2-6 (debian 11.9)
======================================================
Total: 273 (UNKNOWN: 12, LOW: 143, MEDIUM: 55, HIGH: 57, CRITICAL: 6)
```