  4. Top Two Most Popular Docker Base Images Each Have Over 500 Vulnerabilities

Top Two Most Popular Docker Base Images Each Have Over 500 Vulnerabilities

Learn more about the known vulnerabilities in Docker base images.

by Brian Vermeer · May. 07, 19 · News


This is one of the key findings from the Docker Security report: Shifting Docker Security Left.

Known Vulnerabilities in Docker Images

Docker Hub is the main source of publicly available Docker images. Docker advises using official images or Docker-certified images as a security best practice, yet the ten most popular images on Docker Hub, all of which are official images, each contain known vulnerabilities.

Accordingly, we decided to scan through ten of the most popular images with Snyk’s recently released container vulnerability management features.

In every Docker image we scanned, we found vulnerable versions of system libraries. Our most recent scan, on March 11, 2019, showed that the official Node.js image ships with 567 known vulnerabilities in its system libraries. The remaining nine images each ship with at least 31 publicly known vulnerabilities.

Vulnerabilities in Base Images

The majority of these vulnerabilities are found in the operating system (OS) layer, not in the application runtime itself. The images described in the previous section are all built on top of a base image, so the choice of base image is crucial in decreasing the number of vulnerabilities you inherit.

The node image is built on top of one of the buildpack-deps images. The Docker buildpack-deps images are a collection of common build dependencies (compilers, headers and development libraries) used for installing various modules, and they are widely used as a base image for building other images.

Currently, the default buildpack-deps version is stretch, which refers to the Debian release on which it is based. This stretch variant contains 567 vulnerabilities, corresponding precisely to the number of vulnerabilities in the latest node image that uses it as its base. It is striking that the three buildpack-deps variants based on Ubuntu images (xenial, bionic and cosmic) contain fewer vulnerabilities than the Debian-based variants, suggesting that, at the time of the scan, Ubuntu-based images were a better choice from a security standpoint. Note that such counts are a snapshot: they depend on the scanner's vulnerability database on the scan date and on how each distribution tracks and fixes issues in its packages, so re-scan your own base images rather than relying on a published figure.

Choosing the Right Base Image

A popular approach to this challenge is to have two types of base images: one used during development and unit testing, and another for later-stage testing and production. In later-stage testing and production, your image does not require build tools such as compilers (for example, javac), build systems (such as Maven) or debugging tools. In fact, in production, your image may not even require Bash. Every package that is left out of the production image is a package whose future vulnerabilities you will never have to patch there.

We see dramatic differences between the basic operating system images and their different variants. Most of the time, a full-blown operating system image is not necessary. Consider, for instance, a Python application image with nothing but the Python package, its dependencies, and the Python application itself.
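The two-image approach described above, as an added example (not code from the report or the original article): a multi-stage Dockerfile that installs a Python application's dependencies in the full `python:3.12` image, which is itself built on a buildpack-deps image and therefore carries that base's OS-layer vulnerabilities and build tools, and then copies only the installed packages into `python:3.12-slim`, a variant without compilers or build systems. The image tags, the file names `requirements.txt` and `app.py`, and the non-root UID are assumptions; the article's scans predate these tags, and the point holds for any pair where the full variant is built on buildpack-deps and the slim variant is not.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build. The full python image is built on top of buildpack-deps,
# so it has the compilers and headers needed to build native wheels, but it
# also inherits that base's OS-layer vulnerabilities. Nothing from this
# stage's OS reaches the production image; only /install is copied out.
FROM python:3.12 AS build
WORKDIR /src
# requirements.txt is assumed to sit next to this Dockerfile.
COPY requirements.txt .
# Install into a separate prefix so that only the packages themselves
# (site-packages plus any console scripts under bin/) can be copied later.
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# Stage 2: runtime. The slim variant ships the interpreter and its runtime
# libraries but no compilers, build systems or debugging tools, leaving a
# far smaller OS layer to scan and patch.
FROM python:3.12-slim
# /install/lib/python3.12/site-packages lands at
# /usr/local/lib/python3.12/site-packages, which is on the official image's
# default sys.path, so no PYTHONPATH tweaks are needed.
COPY --from=build /install /usr/local
WORKDIR /app
# app.py is the assumed application entry point.
COPY app.py .
# Run as an unprivileged user; UID/GID 65534 is "nobody" on Debian-based images.
USER 65534:65534
CMD ["python", "app.py"]
```

To see the difference the base image makes, build both stages as separate tags (`docker build --target build -t app-build .` and `docker build -t app .`) and run the same container scanner over each; the build stage will report the vulnerability count of its buildpack-deps base, while the runtime image reports only what the slim base and your own dependencies bring in.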

Opinions expressed by DZone contributors are their own.
