Member post originally published on the Fairwinds blog by Andy Suderman

One challenge everyone working with containers has experienced is worrying about common vulnerabilities and exposures (CVEs) putting your apps and services at risk of attack. The obvious solution is to scan your containers, and there are a lot of great tools - open source and proprietary - that do that well.

The downside is that when you start scanning containers with a vulnerability scanner you get a ton of information. Every version of every container - except maybe the container that you just built 10 minutes ago - contains known CVEs. Making sense of how to prioritize those vulnerabilities is quite difficult. The first step, typically, is to sort the CVEs by severity and then focus on the critical and high vulnerabilities first - the ones that pose the greatest risk to your apps and services. But you also need to know how to patch these critical and high-risk vulns. To do that, it's incredibly helpful to know what introduced the vulnerability into your codebase. For example, was it the base operating system, a package that got installed, or a library in the code that you're running? You can often patch a significant number of known CVEs by updating the base image (or the FROM statement) of your container.
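The triage the post describes, as an added example (not code from the Fairwinds post or any particular scanner): keep only critical and high findings, split them by the layer that introduced them, and work out which ones a base-image bump would actually fix. The finding record shape and the sample findings are constructed; the CVE ids are placeholders.

```python
"""Triage container scan findings by severity and by what introduced them.

Added example, not Fairwinds code. Each finding is a constructed, scanner-neutral
record: CVE id, severity, package, originating layer, and the fixed version (if any).
"""
from collections import Counter

# Work through severities most urgent first; anything unranked sorts last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
ACTIONABLE = {"CRITICAL", "HIGH"}


def finding(cve, severity, package, origin, fixed_version=None):
    """Build one constructed finding record."""
    return {"id": cve, "severity": severity, "package": package,
            "origin": origin, "fixed_version": fixed_version}


# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    finding("CVE-0000-0001", "CRITICAL", "openssl", "base-image", "3.0.13"),
    finding("CVE-0000-0002", "HIGH", "libcurl", "base-image", "8.5.0"),
    finding("CVE-0000-0003", "HIGH", "requests", "application", "2.31.0"),
    finding("CVE-0000-0004", "MEDIUM", "zlib", "base-image", "1.3.1"),
    finding("CVE-0000-0005", "CRITICAL", "glibc", "base-image"),      # no fix shipped yet
    finding("CVE-0000-0006", "HIGH", "pyyaml", "application"),        # no fix shipped yet
]


def prioritize(findings):
    """Critical and high findings only, most severe first (stable within a level)."""
    actionable = [f for f in findings if f["severity"] in ACTIONABLE]
    return sorted(actionable, key=lambda f: SEVERITY_RANK.get(f["severity"], 99))


def triage(findings):
    """Attribute actionable findings to their origin and separate what a FROM bump fixes."""
    actionable = prioritize(findings)
    by_origin = Counter(f["origin"] for f in actionable)
    # A newer base image only helps when the distro actually ships a fixed package.
    fixed_by_base_bump = [f for f in actionable
                          if f["origin"] == "base-image" and f["fixed_version"]]
    remaining = [f for f in actionable if f not in fixed_by_base_bump]
    return {
        "actionable": [f["id"] for f in actionable],
        "by_origin": dict(by_origin),
        "fixed_by_base_bump": [f["id"] for f in fixed_by_base_bump],
        "remaining": [f["id"] for f in remaining],  # app libraries and unfixed base CVEs
    }
```

On the sample data, `triage(SAMPLE_FINDINGS)` reports two of the five critical/high findings as fixed by updating the base image, leaving one base-image CVE with no upstream fix and two application-library CVEs that need a dependency change instead.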