#1194 greatly improved the readme of this repo for product team developers who self-service add/remove/update images on this repo. However, the main README is missing lots of detail on how to resolve vulnerabilities in images:
> Code Owner Responsibilities
>
> Address CVEs - When fixable CVEs are reported that require Dockerfile changes, the code owner is responsible for mitigating the CVE.
There should be a new document or new section in the README covering how to resolve CVEs that are found in these images.
Target audience: .NET product team developers who may not have lots of Docker troubleshooting experience
Some key points:

- How to scan for a vulnerability yourself (using Trivy, etc.)
- How to determine if a vulnerability is coming from the base image or from one of the layers that we build
- How to tell if re-building the image will resolve the vulnerability
- How to determine when vulnerabilities can't be resolved or aren't applicable to the image (for example, Debian has delayed picking up a fix before if they determined that a given CVE does not affect their packages, but that doesn't always stop scanners from detecting the CVE)
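The triage the issue asks for (scan, attribute each finding to the base image or to a layer we build, decide whether a rebuild or Dockerfile change can remove it, and flag findings with no fix yet) can be scripted against Trivy's JSON output. The script below is an added example for this issue, not code from this repo or from the Trivy project. It assumes the field names Trivy uses in `trivy image --format json` (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Layer.DiffID`) and that the base image's layer DiffIDs were obtained with `docker image inspect <base> --format '{{json .RootFS.Layers}}'`; the report, the layer IDs and the CVE identifiers embedded below are constructed sample data, not real findings.

```python
"""Triage a Trivy JSON report for a container image (added example).

For each finding it answers two questions a code owner needs:
  1. Origin: is the vulnerable package in a layer inherited from the base
     image, or in a layer this repo's Dockerfile builds?
  2. Action: does a fixed package version exist, so a rebuild (newer base
     tag) or a Dockerfile change can remove it, or is there no fix yet?

Assumptions: field names follow Trivy's JSON format; the base image's layer
DiffIDs come from `docker image inspect <base>` (RootFS.Layers).
"""
import json
from collections import Counter

# Constructed placeholder DiffIDs standing in for the base image's layers.
BASE_IMAGE_LAYERS = {
    "sha256:base-layer-0-placeholder",
    "sha256:base-layer-1-placeholder",
}

# Constructed sample report in the shape of `trivy image --format json`,
# trimmed to the fields used here. CVE ids and digests are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example/app:latest (debian 12)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
             "Severity": "HIGH",
             "Layer": {"DiffID": "sha256:base-layer-0-placeholder"}},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
             "InstalledVersion": "2.3-4", "FixedVersion": "",
             "Severity": "MEDIUM",
             "Layer": {"DiffID": "sha256:base-layer-1-placeholder"}},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl",
             "InstalledVersion": "7.88.1-1", "FixedVersion": "7.88.1-2",
             "Severity": "CRITICAL",
             "Layer": {"DiffID": "sha256:our-layer-0-placeholder"}},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libbaz",
             "InstalledVersion": "0.9-1", "FixedVersion": "",
             "Severity": "LOW",
             "Layer": {"DiffID": "sha256:our-layer-1-placeholder"}},
        ],
    }],
})

# Action codes returned by classify(); the README text can map each to
# a how-to section.
REBUILD_ON_NEWER_BASE = "rebuild-on-newer-base"      # fix is in base image
UPDATE_IN_DOCKERFILE = "update-package-in-dockerfile"  # fix in our layer
NO_FIX_CHECK_TRACKER = "no-fix-check-distro-tracker"  # nothing to rebuild yet


def classify(vuln: dict, base_layers: set) -> dict:
    """Attribute one finding to base image or our layer and pick an action."""
    diff_id = (vuln.get("Layer") or {}).get("DiffID")
    in_base = diff_id in base_layers
    fix_available = bool(vuln.get("FixedVersion"))

    if not fix_available:
        # No fixed version published: rebuilding changes nothing. Check the
        # distro's security tracker (e.g. for a "not affected" verdict) and
        # document any scanner exception with its justification.
        action = NO_FIX_CHECK_TRACKER
    elif in_base:
        # Fixed package lives in an inherited layer: a rebuild only helps
        # once the base tag has been republished with the fix pulled in.
        action = REBUILD_ON_NEWER_BASE
    else:
        # Fixed package is installed by our Dockerfile: bump/upgrade it there.
        action = UPDATE_IN_DOCKERFILE

    return {
        "id": vuln["VulnerabilityID"],
        "pkg": vuln["PkgName"],
        "installed": vuln.get("InstalledVersion", ""),
        "fixed": vuln.get("FixedVersion", ""),
        "severity": vuln.get("Severity", "UNKNOWN"),
        "origin": "base-image" if in_base else "our-layer",
        "action": action,
    }


def triage(report_json: str, base_layers: set) -> list:
    """Classify every vulnerability in a Trivy JSON report."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(classify(vuln, base_layers))
    return findings


def summarize(findings: list) -> Counter:
    """Count findings per (origin, action) pair for a quick status view."""
    return Counter((f["origin"], f["action"]) for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT, BASE_IMAGE_LAYERS):
        print(f"{f['id']:14} {f['severity']:8} {f['pkg']:8} "
              f"{f['origin']:10} -> {f['action']}")
```

Run it against a real report by replacing `SAMPLE_REPORT` with the contents of `trivy image --format json -o report.json <image>` and `BASE_IMAGE_LAYERS` with the inspect output of the `FROM` image; any finding whose DiffID is not in the base set was introduced by a layer this repo builds.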