So to answer your question:
- Really understand what those reports mean and what vulnerabilities apply to your application using those images
- Use a minimal image (like Alpine). I'm not a fan of that solution because Alpine is really minimal, so it makes troubleshooting difficult, and teams like Ubuntu have competent security teams, which Alpine doesn't have.
- Update the image often and have a CI/CD pipeline that does that for you (with a security scanner)
- Some languages like Go can compile with 0 dependencies, so you can use a scratch image that has almost nothing (it brings another set of problems, like updating the app itself when there is a security issue)
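
As an added example (not part of the original answer), here is one way a CI step could act on a scanner report: findings that a rebuild on an updated base image would clear fail the build, while findings with no published fix are set aside for a person to judge. It assumes the scanner emits a Trivy-style JSON report; the sample report, its IDs and package names, and the function names `triage` and `gate` are constructed for illustration.

```python
import json

# Constructed sample in the shape of a Trivy JSON report, trimmed to the
# fields used below. IDs, packages and versions are placeholders.
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "example-image (ubuntu)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
     "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
     "InstalledVersion": "2.3-1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
     "InstalledVersion": "0.9-4", "FixedVersion": "0.9-5", "Severity": "LOW"}
  ]},
  {"Target": "app/binary"}
]}
""")

BLOCKING = {"HIGH", "CRITICAL"}  # assumed policy threshold


def triage(report, blocking=BLOCKING):
    """Sort findings into rebuild / review / deferred buckets."""
    buckets = {"rebuild": [], "review": [], "deferred": []}
    for result in report.get("Results") or []:
        # "Vulnerabilities" may be absent or null for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            item = (vuln["VulnerabilityID"], vuln["PkgName"])
            if vuln.get("Severity", "UNKNOWN").upper() not in blocking:
                buckets["deferred"].append(item)
            elif vuln.get("FixedVersion"):
                # A patched package exists: rebuilding on an updated base clears it.
                buckets["rebuild"].append(item)
            else:
                # No fix published: someone decides whether it applies to the app.
                buckets["review"].append(item)
    return buckets


def gate(report):
    """Return a CI exit code: 1 when a rebuild would remove blocking findings."""
    return 1 if triage(report)["rebuild"] else 0


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket, items)
    raise SystemExit(gate(SAMPLE_REPORT))
```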