1. 22
  1. 9

    Maybe it’s a good time to make some publicity for a little project I have been working on: https://github.com/nix-community/docker-nixpkgs

    The idea behind this project is that nixpkgs is a package set that receives regular security updates. Another aspect of Nix, the build system behind it, is that builds only change if any of the inputs change. Both combined allow the nice property of keeping the images fresh while not unnecessarily re-uploading the images if they haven’t changed. The CI just has to run on an interval (daily currently).

    For now the project is only targeting simple CLI tools that are being used in CI but ultimately the goal is also to re-implement services as well.

    The other use-case is that this project provides a template for anyone who would want to maintain their own set of docker images.

    Let me know what you think :)

    1. 5

      tl;dr: use Alpine Linux images if you can

      1. 4

        Most of these vulns are due to vulnerable binaries carried on from base images that the actual application will never use.

        I’ve been making multi-stage “distroless” images for some time and now I’m starting to use “FROM scratch” in my last stage, so that the final image just contains the actual dependencies.

        See https://github.com/ricardbejarano/nginx or https://github.com/ricardbejarano/lighttpd, for example.

        When I tried to PR my changes to the official NGINX image, it got closed because “multi-stage builds are unsupported for Official Images” (see PR). I understand their position, but I disagree.
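        An added example of the pattern described in this comment (a multi-stage build whose last stage is `FROM scratch`): this Dockerfile is not from the linked nginx/lighttpd repositories or the official images; the program it builds is a constructed stand-in, and the uid 10001 and the image tag alpine:3.19 are assumptions. Everything installed in the build stage (compiler, shell, package manager, unrelated busybox binaries) stays behind; only the files explicitly copied out reach the shipped image, so there is nothing extra for a scanner to flag or for an intruder to live off.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build. Nothing in this stage is shipped unless COPY --from pulls it out.
FROM alpine:3.19 AS build
RUN apk add --no-cache build-base
WORKDIR /src
# Constructed sample program; a real project would COPY its source tree here.
RUN mkdir -p /out \
 && printf '%s\n' \
      '#include <stdio.h>' \
      'int main(void) { puts("hello from scratch"); return 0; }' > hello.c \
 && gcc -static -O2 -o /out/hello hello.c

# Create an unprivileged account and stage only its passwd/group lines,
# so the final image has a non-root user without inheriting Alpine's full /etc.
RUN addgroup -S -g 10001 app \
 && adduser -S -u 10001 -G app -H -s /sbin/nologin app \
 && mkdir -p /rootfs/etc \
 && grep '^app:' /etc/passwd > /rootfs/etc/passwd \
 && grep '^app:' /etc/group  > /rootfs/etc/group

# Stage 2: the shipped image. No shell, no package manager, no libc,
# no base-image binaries: just the statically linked program and its user.
FROM scratch
COPY --from=build /rootfs/etc/passwd /rootfs/etc/group /etc/
COPY --from=build --chown=10001:10001 /out/hello /hello
USER 10001:10001
ENTRYPOINT ["/hello"]
```

Build with `docker build -t hello-scratch .` and run with `docker run --rm hello-scratch`. For a dynamically linked program such as nginx, the same layout applies, but the build stage must also copy the shared libraries the binary actually loads (the `ldd` output) plus any runtime files it opens (config, mime types, CA certificates); what is not copied is simply absent, which is the point.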

        1. 1

          Counting vulnerabilities (CVEs) is not a very useful measure. There are cases where one is enough. But I’ve also seen software with vulnerable dependencies in the higher two digits that isn’t actually insecure, because it coincidentally does not hold them on the wrong end.

          As some of you may have seen with GitHub alerts for open source components of your repo, it’s hard to confirm whether the vulnerable parts are actually used and what it implies for the security of the docker image.