  1. SonarQube
  2. SONAR-13156

Reduce the attack surface of Docker images

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 8.3
    • Component/s: None
    • Labels:
      None
    • Edition:
      Community
    • Production Notes:
      None

      Description

      Many vulnerabilities found by audit tools like OpenSCAP show that multiple bundled tools are not used and should be dropped to reduce the attack surface of the Docker images.

      Changing the base image to a minimal image like Google Distroless, Alpine or Bitnami Minideb is the best way to clean up the OS. Docker multi-stage builds then help to install only the required libs/apps.

      Note: Elasticsearch is triggered by the bootstrap process through the command line (bin/elasticsearch). That is a major constraint for minimal images, as the shell is usually disabled.

      Base image research: https://xtranet-sonarsource.atlassian.net/wiki/spaces/SQ/pages/215810052/Docker+base+image
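
      The shell constraint noted above can be checked before switching base images. This is an added example, not SonarQube code: it inspects an unpacked image root filesystem (for instance the output of `docker export`) and reports whether the interpreter named in a launcher script's shebang is present. The function names and the `/app/bin/launcher` path are hypothetical.

```shell
#!/bin/sh
# Added example (not SonarQube code). Checks whether the interpreter named in a
# launcher script's shebang exists inside an unpacked image root filesystem.
# Usage: check_launcher ROOTFS SCRIPT_PATH_INSIDE_IMAGE
# Prints the path or command it looked for. Returns 0 = present, 1 = missing,
# 2 = script missing or without a usable shebang (e.g. a native binary).

# A path counts as present if it is executable or a symlink (absolute symlinks
# such as /bin/sh -> /bin/busybox cannot be resolved from outside the image).
present() { [ -x "$1" ] || [ -L "$1" ]; }

check_launcher() {
    rootfs=${1%/} script=$2 first=
    [ -f "$rootfs$script" ] || { echo "no such script: $script"; return 2; }
    IFS= read -r first < "$rootfs$script" || :
    case $first in '#!'*) ;; *) echo "no shebang: $script"; return 2 ;; esac
    set -f; set -- ${first#'#!'}; set +f      # split the shebang into words
    [ $# -gt 0 ] || { echo "empty shebang: $script"; return 2; }
    interp=$1
    # The program named first must exist, whether it is a shell or env.
    present "$rootfs$interp" || { echo "$interp"; return 1; }
    [ "${interp##*/}" = env ] || { echo "$interp"; return 0; }
    # "#!/usr/bin/env bash": skip env options and VAR=value words, then
    # search the usual bin directories of the image for the command name.
    shift
    while [ $# -gt 0 ]; do
        case $1 in -*|*=*) shift ;; *) break ;; esac
    done
    [ $# -gt 0 ] || { echo "env without a command: $script"; return 2; }
    for dir in /usr/local/bin /usr/bin /bin /usr/sbin /sbin; do
        if present "$rootfs$dir/$1"; then echo "$dir/$1"; return 0; fi
    done
    echo "$1"; return 1
}

# Constructed sample: a shell-less root filesystem with one launcher script.
make_sample_rootfs() {
    root=$(mktemp -d) && mkdir -p "$root/app/bin" "$root/usr/bin" "$root/bin" &&
        printf '#!/usr/bin/env bash\nexec java "$@"\n' > "$root/app/bin/launcher" &&
        echo "$root"
}
```

      A return code of 1 for the launcher means the candidate base image needs either the reported interpreter added back or a launch path that does not go through a script.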

              People

              Assignee:
              michal.duda Michal Duda (Inactive)
              Reporter:
              simon.brandhof Simon Brandhof (Inactive)