DEV Community

Top ten most popular docker images each contain at least 30 vulnerabilities

Liran Tal

Prefer minimal base images

Often you start a project with a generic Docker container image, for example writing a Dockerfile that begins with FROM node, as your "default".

However, when you specify the node image, keep in mind that the image is built on top of a fully installed Debian Stretch distribution.

If your project doesn't require any general system libraries or system utilities, it is better to avoid using a full-blown operating system (OS) as a base image.

In Snyk’s State of open source security report – 2019, we found that many of the popular Docker containers that are featured on the Docker Hub website are bundling images that contain many known vulnerabilities.

For example, when you use a generic and popularly downloaded node image such as docker pull node, you are actually introducing an OS into your application that is known to have 580 vulnerabilities in its system libraries.

[Figure: Number of OS vulnerabilities by Docker image: https://res.cloudinary.com/snyk/image/upload/v1551121069/Number_of_OS_vulnerabilities_by_docker_image.png]

As the chart taken from the open source security report 2019 shows, each of the top ten Docker images we inspected on Docker Hub contained known vulnerabilities.

By preferring minimal images that bundle only the system tools and libraries your project actually needs to run, you minimize the attack surface available to attackers and ship a leaner, more secure OS.
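To make the tip concrete, here is an added example (not code from the original post or from Snyk): a "before" Dockerfile that pulls the full node image beside an "after" Dockerfile whose shipped stage uses a minimal variant, plus a small policy check over the final FROM line. The node:10-slim and node:10-alpine tags are assumed to exist on Docker Hub; the minimal-variant heuristic is my own.

```shell
#!/bin/sh
# Added example, not code from the original post: a "before" Dockerfile that
# pulls the full `node` image beside an "after" Dockerfile whose shipped stage
# is a minimal variant, plus a small policy check over the final FROM line.
# The node:10-slim / node:10-alpine tags are assumed to exist on Docker Hub.

# Constructed "before": a bare `node` means node:latest, a full Debian install
# whose system libraries carry hundreds of known vulnerabilities.
BEFORE_DOCKERFILE='FROM node
WORKDIR /app
COPY . .
RUN npm ci --only=production
CMD ["node", "server.js"]'

# Constructed "after": multi-stage build. The build stage can afford a fuller
# image (compilers for native modules); only the last stage becomes the image
# that ships, so only its base OS counts toward the attack surface.
AFTER_DOCKERFILE='FROM node:10-slim AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .

FROM node:10-alpine
WORKDIR /app
COPY --from=build /app /app
USER node
CMD ["node", "server.js"]'

# check_base_images DOCKERFILE_TEXT
# Returns 0 when the final stage is built on a minimal base (scratch, a
# distroless image, or an alpine/slim tag) and 1 otherwise. An untagged image
# implicitly means :latest, i.e. the full distribution, and is rejected.
check_base_images() {
    last_from=$(printf '%s\n' "$1" | grep -i '^FROM ' | tail -n 1)
    # The image reference is the first FROM argument that is not a --flag
    # (for example --platform=...).
    image=$(printf '%s\n' "$last_from" |
        awk '{ for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; exit } }')
    case "$image" in
        scratch | *distroless*) return 0 ;;
        *:*alpine* | *:*slim*)  return 0 ;;
        *)                      return 1 ;;
    esac
}

check_base_images "$BEFORE_DOCKERFILE" || echo "before: full-distribution base, prefer a minimal image"
check_base_images "$AFTER_DOCKERFILE" && echo "after: minimal base, ok"
```

The check is a heuristic gate for CI, not a vulnerability scan: a slim tag still needs scanning, it just starts with far fewer OS packages to scan.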


This tip is part of a complete set of 10 Docker image security best practices you should adopt. Thanks for reading, and to Omer Levi Hevroni, who worked with me on it.

The original blog post includes a high-resolution printable PDF like the snippet you see below. Check it out.

Discussion (7)

Jorge Castro • Edited

IMHO, Docker is for dev, not for use as a production server. It could be, but that is not the objective, nor is it worth it (unless the developers want to rush some code into production).

Liran Tal (Author)

Hi Jorge,

Thanks for chiming in :-)

I actually don't share the same thought about containers being used only for dev. The growth of Docker and containers in general has been tremendous over the past 5 years, and it is expected to grow further into 2020 by tens of percent.

Even if we were to think that containers are only used for development, you'd still be at risk of using a malicious docker container from the registry that would spin up on your development machine, and who knows what it does. That's a less likely scenario, however, but it points to the interest in keeping things secure, whether they are running locally or not.

I am curious - if not docker, how are you orchestrating and managing your services?

Jorge Castro • Edited

Let's say we are running a hosting service, then docker is a no go.

However, let's say we are running our own service; then why do we need to dockerize?

Let's say we have 20 projects running on the same machine. We don't need docker for that. Now, let's say we are running an old version of the language/framework/sdk and we are unable to migrate. The solution is easy: add a new machine and use the old machine for legacy code, and only if we are unable to run two instances on the same machine. But what if we have 20 projects running 20 different configurations... sheesh! What a mess! It's time to fire whoever decided that! But what if one instance is unsafe? Since when is that an option? If so, then we could run it under a root-less service; even Windows Server could do that.

Take Google, for example: Google doesn't use Docker technology in the same way we use Docker. Google uses it (Borg) for deployment, but everything else is the host machine, i.e. Google uses Kubernetes without Docker.

Now, let's say we don't have docker. How to deploy? XCopy.

Liran Tal (Author)

Let's say we are running a hosting service, then docker is a no go.

You mean you are running a shared hosting environment?
Probably so. However, if you take a look at Zeit's Now, you could think of that as a shared hosting environment too, and they support serving your apps through container technology.

Let's say we have 20 projects running on the same machine. We don't need docker for that.

You don't "need" it, but perhaps it solves some problems for you.

But what if we have 20 projects running 20 different configurations... sheesh! What a mess!

Why a mess? If you have 20 different projects, each with its own configuration, why is that a mess?

I'm not entirely sure on the point you are trying to make with regards to the validity of docker or not. To be clear though, I didn't specifically refer to the Docker engine technology but to container technology in general.

Jorge Castro

Why a mess? If you have 20 different projects, each with its own configuration, why is that a mess?

When I talk about different configurations, I mean a different version of the language and database; everything else is usually contained in the project (such as libraries). If that is the case, then how did the CTO/architect allow it?

Sebastian • Edited

I have worked with a team of 13 devs for 3 years now. We had a non-dockerized architecture on AWS. It worked well, but it was expensive as hell. Since we started dockerizing everything, we have created an environment of containers that work together like a charm. If we need to escalate, we just replicate the environment on another machine and add it to the load balancer. If we need a development environment, we just deploy the docker env. and are ready to debug / test.
Also, after dockerizing everything, we don't depend on AWS anymore except for the RDS. We have more power, more flexibility, and the cost was reduced at least 5x.
I really don't know what you mean when you say Docker is not for production, but it is certainly not true, in my case at least.
Regards

Martín Rivadavia

I'm also curious, if not docker, what Jorge is using for production.
Thanks.