
Over 80% of images on Docker Hub have at least one vulnerability - scribu
https://blog.acolyer.org/2017/04/03/a-study-of-security-vulnerabilities-on-docker-hub/
======
kakwa_
"With great power comes great responsibility".

The image part of docker is basically bundling application with its
dependencies.

Personally I've rarely seen applications doing that properly. For example,
I've seen many Java J2E .war web applications with half the libraries being 5
to 10 years old. I've also seen it in "binary" applications, like AV software,
bundling old libxml or old OpenSSL version.

Classic distributions like Debian or RHEL spend a huge amount of time tracking
security alerts, patching and putting in place update and notification
mechanisms. And it's not an easy task.

Docker permits developers to easily control what they ship, especially the
dependencies (the "great power" part), however, bundling your dependencies
means you have to track them properly, update them regularly and monitor
security issues in them (the "great responsibility" part).

The tooling and workflows to do the second part are still in their infancy. It's
far better than one or two years ago but it still needs a huge amount of work.

By the way, the tool used for security scanning seems to only scan deb or rpm
packages. It doesn't seem to handle components installed through language-specific
package managers like pip or npm, or manually installed libraries
(plain old ./configure && make && make install). The actual picture may be
even darker...
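As an added example (not code from the thread or from the study), here is a small inventory script that finds pip and npm packages inside an extracted image root filesystem, i.e. the components a deb/rpm-only scanner never sees; the directory layout it builds for itself is constructed sample data, and the `inventory` / `build_sample_rootfs` names are this example's own:

```python
"""Inventory pip and npm packages in an extracted container root filesystem.

OS-package scanners read only the dpkg/rpm database, so anything installed
with pip or npm is invisible to them. Walking the filesystem for package
metadata gives a second inventory that can be matched against advisories.
"""
import json
import os
import tempfile


def _pip_packages(root):
    """Yield ("pip", name, version) from *.dist-info/METADATA files."""
    for dirpath, _dirs, files in os.walk(root):
        if dirpath.endswith(".dist-info") and "METADATA" in files:
            name = version = None
            with open(os.path.join(dirpath, "METADATA"), errors="replace") as f:
                for line in f:
                    if line.startswith("Name:"):
                        name = line.split(":", 1)[1].strip()
                    elif line.startswith("Version:"):
                        version = line.split(":", 1)[1].strip()
            if name and version:
                yield ("pip", name, version)


def _npm_packages(root):
    """Yield ("npm", name, version) from node_modules/**/package.json files."""
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if "package.json" in files and "node_modules" in parts:
            with open(os.path.join(dirpath, "package.json"), errors="replace") as f:
                meta = json.load(f)
            if meta.get("name") and meta.get("version"):
                yield ("npm", meta["name"], meta["version"])


def inventory(root):
    """Return a sorted list of (ecosystem, name, version) found under root."""
    return sorted(set(_pip_packages(root)) | set(_npm_packages(root)))


def build_sample_rootfs():
    """Construct a tiny fake image filesystem (sample data, not a real image)."""
    root = tempfile.mkdtemp()
    dist = os.path.join(root, "usr/lib/python3/dist-packages/requests-2.3.0.dist-info")
    os.makedirs(dist)
    with open(os.path.join(dist, "METADATA"), "w") as f:
        f.write("Metadata-Version: 2.1\nName: requests\nVersion: 2.3.0\n")
    mod = os.path.join(root, "app/node_modules/lodash")
    os.makedirs(mod)
    with open(os.path.join(mod, "package.json"), "w") as f:
        json.dump({"name": "lodash", "version": "4.17.4"}, f)
    return root
```

Run it against a root obtained with `docker export <container> | tar -x -C <dir>` and feed the resulting name/version pairs to whatever advisory database you already use for OS packages.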

