The top two most popular Docker base images each have over 500 vulnerabilities

Written by:
William Henry

April 17, 2019


Welcome to the Docker security report “Shifting Docker security left.” This report is split into several posts:

Or download our lovely handcrafted pdf report, which contains all of this information and more in one place.

Known vulnerabilities in Docker images

Docker Hub is the main source for publicly available Docker images. While Docker advises you to use official images or Docker-certified images as a security best practice, the ten most popular Docker images each contain vulnerabilities, and all of them are official images.

Accordingly, we decided to scan through ten of the most popular images with Snyk’s recently released container vulnerability management features.

For every Docker image that we scanned, we were able to find vulnerable versions of system libraries. The last scan as of March 11, 2019 shows that the official Node.js image ships with 567 vulnerable system libraries. The remaining nine images ship with at least 31 publicly known vulnerabilities each.


Vulnerabilities in base images

The majority of vulnerabilities are found in the operating system (OS) layer. The images described in the previous section are images that are built on top of a base image. Therefore, the choice of a good base image is crucial in decreasing the number of vulnerabilities.

The node image is built on top of one of the buildpack-deps images. The Docker buildpack-deps images are a collection of common build dependencies used for installing various modules, and they are widely used as a base image for building other images.


Currently, the default buildpack-deps version is stretch, which refers to the Linux distribution (distro) on which it is based. This stretch version contains 567 vulnerabilities, corresponding precisely to the number of vulnerabilities in the latest node image that uses this buildpack-deps image as its base image. It is striking that the three buildpacks that are based on ubuntu images (xenial, bionic and cosmic) contain fewer vulnerabilities than the debian-based buildpacks, suggesting that currently ubuntu-based images are a better choice from a security standpoint.
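The practical consequence of the two sections above is that the OS layer inherited from the base image, not the application code, dominates the vulnerability count, so the build toolchain that buildpack-deps provides should not be shipped in the runtime image. The following multi-stage Dockerfile is an added illustration of that pattern and is not code from the report or from the Snyk or Docker projects: it compiles on the full node image (which is built on buildpack-deps) and ships only the built artefact on the slim variant, which carries far less of the OS layer. The tag node:10, the presence of an npm "build" script, and the dist/server.js entry point are assumptions for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1 (assumed tag node:10): the full image is based on buildpack-deps,
# so it carries the whole OS build toolchain and its vulnerable libraries.
# Everything installed here stays in this stage and never reaches the runtime image.
FROM node:10 AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
# "build" is an assumed npm script that writes the compiled app to ./dist
RUN npm run build

# Stage 2: the slim variant keeps the Node.js runtime but drops most of the
# OS layer, which is where the majority of the reported vulnerabilities live.
FROM node:10-slim
WORKDIR /app
ENV NODE_ENV=production
COPY --from=build /app/package.json /app/package-lock.json ./
# install runtime dependencies only; dev dependencies stay in the build stage
RUN npm ci --only=production
COPY --from=build /app/dist ./dist
# run as the unprivileged "node" user that the official image provides
USER node
# dist/server.js is an assumed entry point
CMD ["node", "dist/server.js"]
```

To confirm the effect on the OS layer rather than take it on faith, scan both bases with the same tooling the report used (`snyk container test node:10` and `snyk container test node:10-slim`) and compare the counts; the difference is entirely in the system libraries that the buildpack-deps layer adds.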

