
Comment by progbits

6 months ago

Alpine helps but it's not perfect. Plenty of outdated packages with known CVEs have been there for a long time.

Often they are not exploitable but it's easier to pay chainguard to have a constant zero on our vuln scanner than to deal with distroless builds ourselves.

The GPU images are indeed very expensive though.

I get it, but the likelihood those vulns are exploitable in your environment is dubious. It's a lot of compliance theater. Defense in depth.

  • I agree, but I'm not spending my time arguing with PCI auditors.

    Also it's safer from supply chain attacks. Malware inserted via compromised docker hub tokens is a growing threat.

    • Right, I deal with NIST 800-53 based things where we have heavy albeit manual auditing. We pull from Iron Bank mostly but also employ Nexus Firewall. People can’t pull direct Docker Hub.

    • Constantly updating to the latest version of innumerable software projects is safer from supply chain attacks? :)

      My experience has been that the cost of “patching” is often bugs and instability, having gained nothing security-wise.