docker-elixir icon indicating copy to clipboard operation
docker-elixir copied to clipboard

Published 20 hours ago verified publisher icon c0b

Docker scan produces 331 vulnerabilities

Open mjmaurer opened this issue 3 years ago • 1 comments 

docker pull elixir:1.9
docker scan elixir

Tested 537 dependencies for known vulnerabilities, found 331 vulnerabilities.

A good amount are high severity. I know local scan is still beta, so it's possible there are bugs. I'm curious how these are introduced considering how often the image is built.

mjmaurer avatar Mar 16 '21 18:03 mjmaurer

@mjmaurer I'm seeing similar numbers in regards to elixir:1.11.4 but many of these vulnerabilities are coming from dependencies included in the image. Thus, I recommend using a different image that works for your use case. For example

$ docker scan elixir:1.11.4-alpine  

...

Tested 22 dependencies for known vulnerabilities, found 1 vulnerability.

Note: The one vulnerability here is as follows:

Medium severity vulnerability found in musl/musl

$ docker scan elixir:1.11.4-slim

...

Tested 96 dependencies for known vulnerabilities, found 63 vulnerabilities.

In general, one can reduce the level of security vulnerabilities by selecting an image that doesn't include unnecessary dependencies like alpine or slim.

conradwt avatar Mar 16 '21 20:03 conradwt