We are running IBM App Connect on AWS ECS. The image we created was scanned by the AWS scan engine and showed a few vulnerabilities. We have already introduced `yum update` in the Dockerfile, and the latest image is up to date. Could you please suggest the best method to work with this kind of vulnerability? It seems the CentOS 7 repositories are not being updated: the updated httpd package in the CentOS repository is vulnerable and there are no further updates.
The Docker Hub description indicates that exact versions like "7.x.y" are immutable and as such will never be updated, while "7" is mutable and as such points to the latest build of the image for that major version.
If you are unhappy about this, then your approach of embedding `RUN yum -y update && yum clean all` into the Dockerfile is the way to keep the packages updated when a new image is built. If this is still not what you want because you are unhappy with the release cycles of the CentOS packages, you might consider switching from CentOS to an Amazon Linux 2 base image; it should be more or less a drop-in replacement.
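The two options from the answer above, a mutable base tag plus an update layer, and a swap to Amazon Linux 2, as one added Dockerfile example (not from the original thread or from IBM App Connect). The `BASE_IMAGE` build argument, the `centos:7` and `amazonlinux:2` tag choices and the `httpd` install are assumptions used to illustrate the pattern; substitute the application's real base image and packages.

```dockerfile
# Base image is a build argument so the same Dockerfile can be built against
# CentOS 7 or Amazon Linux 2 without editing it (assumed names, not the thread's).
# Use the mutable major-version tag ("7", "2") rather than a pinned "7.x.y" tag,
# so each rebuild starts from the latest published base image for that major.
ARG BASE_IMAGE=centos:7
FROM ${BASE_IMAGE}

# Install what the service needs and pull in every available package update in
# the same layer. "yum clean all" drops the downloaded metadata and RPMs so they
# are not baked into the image. On Amazon Linux 2 the same commands work unchanged.
RUN yum -y install httpd \
 && yum -y update \
 && yum clean all

# Record which package versions went into this build; a scanner finding can then
# be matched against the exact httpd build the image contains.
RUN rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' | sort > /usr/share/doc/image-packages.txt

EXPOSE 80
CMD ["httpd", "-D", "FOREGROUND"]
```

Build with `docker build --pull --no-cache -t myapp .` so Docker re-fetches the mutable tag and re-runs the `yum update` layer instead of reusing a cached one; without `--pull` and `--no-cache` a rebuild can silently reuse an old base image and an old update layer. To try the Amazon Linux 2 route, pass `--build-arg BASE_IMAGE=amazonlinux:2` and compare the generated package list and the next scan result against the CentOS build.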