
Create documentation/guide for resolving vulnerabilities in container images #1225

Open
lbussell opened this issue Oct 30, 2024 · 0 comments

@lbussell (Contributor)

#1194 greatly improved the readme of this repo for product team developers who self-service add/remove/update images on this repo. However, the main README is missing lots of detail on how to resolve vulnerabilities in images:

Code Owner Responsibilities

  • Address CVEs - When fixable CVEs are reported that require Dockerfile changes, the code owner is responsible for mitigating the CVE.

There should be a new document or new section in the README covering how to resolve CVEs that are found in these images.

  • Target audience: .NET product team developers who may not have lots of Docker troubleshooting experience
  • Some key points:
    • How to scan for a vulnerability yourself (using Trivy, etc.)
    • How to determine if a vulnerability is coming from the base image or from one of the layers that we build
    • How to tell if re-building the image will resolve the vulnerability
    • How to determine when vulnerabilities can't be resolved or aren't applicable to the image (for example, Debian has delayed picking up a fix before if they determined that a given CVE does not affect their packages - but that doesn't always stop scanners from detecting the CVE)
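The second, third and fourth key points above (which layer a finding comes from, whether a rebuild will clear it, and when the distro has declined to fix it) can be answered mechanically from a Trivy JSON report. The script below is an added example written for this issue, not code from the repository or from Trivy: it assumes the `trivy image --format json` layout (`Results[].Vulnerabilities[]` with `PkgName`, `InstalledVersion`, `FixedVersion`, `Status` and `Layer.DiffID`) and uses `docker image inspect` to read the base image's RootFS diff IDs so each finding can be attributed to the base image or to a layer the Dockerfile adds. The report and layer digests embedded in it are constructed placeholders.

```python
"""Sort Trivy image findings by origin layer and likely remediation.

Added example for this issue; it is not code from the repository. It assumes
Trivy's `--format json` layout (Results[].Vulnerabilities[] with PkgName,
InstalledVersion, FixedVersion, Status and Layer.DiffID) and that
`docker image inspect` on the pulled base image yields its RootFS diff IDs.
"""
import json
import subprocess
from dataclasses import dataclass

# Constructed sample report, trimmed to the fields used here. The CVE ids,
# package versions and layer DiffIDs are placeholders, not real findings.
SAMPLE_REPORT = json.loads("""
{
  "Results": [
    {
      "Target": "example.azurecr.io/app:1.0 (debian 12.7)",
      "Type": "debian",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
         "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Status": "fixed",
         "Layer": {"DiffID": "sha256:base0"}},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl",
         "InstalledVersion": "7.88.1-1", "FixedVersion": "7.88.1-2", "Status": "fixed",
         "Layer": {"DiffID": "sha256:ours0"}},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "git",
         "InstalledVersion": "2.39.2-1", "FixedVersion": "", "Status": "affected",
         "Layer": {"DiffID": "sha256:ours0"}},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libc6",
         "InstalledVersion": "2.36-9", "FixedVersion": "", "Status": "will_not_fix",
         "Layer": {"DiffID": "sha256:base1"}}
      ]
    }
  ]
}
""")

# Constructed: diff IDs of the image named in the Dockerfile's FROM line.
SAMPLE_BASE_LAYERS = {"sha256:base0", "sha256:base1"}

# Distro statuses meaning the package maintainers will not ship a fix, so
# neither a rebuild nor a package bump inside the image can clear the finding.
NO_DISTRO_FIX = {"not_affected", "will_not_fix", "fix_deferred", "end_of_life"}


@dataclass
class Finding:
    vuln_id: str
    pkg: str
    origin: str  # "base-image" or "our-layer"
    action: str


def base_image_diff_ids(image: str) -> set[str]:
    """Diff IDs of every layer in a locally pulled image (needs the docker CLI)."""
    out = subprocess.check_output(
        ["docker", "image", "inspect", "--format", "{{json .RootFS.Layers}}", image])
    return set(json.loads(out))


def classify(report: dict, base_layers: set[str]) -> list[Finding]:
    """Attribute each vulnerability to a layer and name the matching fix path."""
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            diff_id = v.get("Layer", {}).get("DiffID", "")
            origin = "base-image" if diff_id in base_layers else "our-layer"
            status = v.get("Status", "")
            fixed = v.get("FixedVersion", "")
            if status in NO_DISTRO_FIX:
                action = (f"no distro fix ({status}): document why it is not "
                          f"applicable, then suppress it with that justification")
            elif not fixed:
                action = "no fixed version yet: rebuilding will not help, track the advisory"
            elif origin == "base-image":
                action = f"rebuild on an updated base image that ships {v['PkgName']} >= {fixed}"
            else:
                action = f"bump {v['PkgName']} to >= {fixed} in the Dockerfile layer that installs it"
            findings.append(Finding(v["VulnerabilityID"], v["PkgName"], origin, action))
    return findings


def by_id(report: dict, base_layers: set[str]) -> dict[str, Finding]:
    """Index findings by CVE id for quick lookup."""
    return {f.vuln_id: f for f in classify(report, base_layers)}


if __name__ == "__main__":
    for f in classify(SAMPLE_REPORT, SAMPLE_BASE_LAYERS):
        print(f"{f.vuln_id} {f.pkg:<8} {f.origin:<10} {f.action}")
```

Against a real image, pull the base image named in the Dockerfile, pass `base_image_diff_ids("<base>:<tag>")` as `base_layers`, and feed it the output of `trivy image --format json <image>`. A finding attributed to the base image with a `FixedVersion` is the case where re-building on a refreshed base clears it; one attributed to our own layer needs the package updated where the Dockerfile installs it; and a `will_not_fix` or `not_affected` status is the Debian situation the last bullet describes, where the scanner keeps reporting a CVE the distro has judged not to apply, so the documentation should say how to record that decision (Trivy reads suppressions from a `.trivyignore` file) rather than chase a rebuild.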
Status: Backlog