Hacker News new | past | comments | ask | show | jobs | submit login

Most people use provided Docker images from Ubuntu / Debian ect ... so those images are basically stripped down OS filesystem with all the default libraries, for instance you don't need libpgp in your app, but since it ships with the Docker image it will be flagged by those scanner if there is a vulnerability.

So to answer your question:

- Really understand what those reports mean and what vulnerabilities apply to your application using those images

- Use a minimal image ( like Alpine ), I'm not a fan of that solution because Alpine is really minimal so it makes troubleshooting difficult, and teams like Ubuntu have competent security teams which Alpine doesn't have.

- Update the image often and have CI/CD pipeline that does that for you ( with a security scanner )

- Some languages like Go can compile with 0 dependencies, so you can use a scratch image that has almost nothing ( it brings another set of problems like updated the app itself when there is a security issue )

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact