Background
Trivy continues to find vulnerabilities in our Docker images on a daily basis. Most of the time, as is the case currently, the vulnerabilities reported are in the installed Debian packages, not in the Python libraries we are using. Patches have been slow to come out for python:3.12-slim; moving to a more secure Linux base image such as python:3.12-alpine or gcr.io/distroless/python3-debian12:nonroot could resolve these vulnerabilities. Michael Peels has mentioned in the past that NBS will need to monitor those vulnerabilities and apply patches when necessary, so moving to a hardened image may make sense. There are lots of things to test out here; I think in particular getting the drivers working for MSSQL could be tricky.
Task
- Identify a suitable image that reduces the number of vulnerabilities for debian packages
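To compare candidate base images on the criterion above, it helps to split each Trivy report into OS-package versus language-package findings and, within the OS findings, those that already have a fixed version (a rebuild picks them up) versus those with none (only a base-image change removes them). The script below is an added example, not part of this issue or the project; it parses a report in the shape produced by `trivy image --format json`, and the embedded report, package names and CVE identifiers are constructed placeholders, not real scan results.

```python
"""Summarise a Trivy JSON report by package class and fix availability."""
import json
from collections import Counter

# Constructed sample in Trivy's JSON report shape (NOT a real scan):
# one Results block for the Debian layer, one for the Python packages.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/app:latest",
    "Results": [
        {"Target": "example/app:latest (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-EXAMPLE-1", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH", "Status": "affected"},
             {"VulnerabilityID": "CVE-0000-EXAMPLE-2", "PkgName": "libexample2",
              "InstalledVersion": "2.0-1", "FixedVersion": "2.0-2", "Severity": "CRITICAL", "Status": "fixed"},
             {"VulnerabilityID": "CVE-0000-EXAMPLE-3", "PkgName": "libexample3",
              "InstalledVersion": "3.0-1", "FixedVersion": "", "Severity": "LOW", "Status": "will_not_fix"},
         ]},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-EXAMPLE-4", "PkgName": "examplelib",
              "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM", "Status": "fixed"},
         ]},
    ],
})


def summarize(report_json: str) -> dict:
    """Count findings per Class ("os-pkgs" / "lang-pkgs"), split by fix availability."""
    report = json.loads(report_json)
    summary: dict = {}
    for result in report.get("Results", []):
        cls = result.get("Class", "unknown")
        bucket = summary.setdefault(cls, {"fixable": 0, "unfixed": 0, "by_severity": Counter()})
        # Trivy omits or nulls "Vulnerabilities" when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            bucket["fixable" if vuln.get("FixedVersion") else "unfixed"] += 1
            bucket["by_severity"][vuln.get("Severity", "UNKNOWN")] += 1
    return summary


def os_unfixed(report_json: str) -> int:
    """Debian-package findings with no fixed version: a rebuild cannot clear these."""
    return summarize(report_json).get("os-pkgs", {}).get("unfixed", 0)


if __name__ == "__main__":
    for cls, b in summarize(SAMPLE_REPORT).items():
        print(f"{cls}: fixable={b['fixable']} unfixed={b['unfixed']} {dict(b['by_severity'])}")
```

Run it once per candidate image (slim, alpine, distroless) and compare the `os-pkgs` unfixed count; that number is what the base-image change is meant to drive down.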