How to get images to pass DTR vulnerability scanning?


I am new to docker.
Something I have been tasked with is creating base images which contain no security vulnerabilities.

To run some pretty standard websites (PHP, Drupal, etc.)

Something we are struggling with is how can you get DTR to not report any vulnerabilities?

From what I have found, all base images on Docker Hub, including the latest “official” ones, contain vulnerabilities.

So the first thing that is done in a Dockerfile is to use the package manager (apk, yum, apt, etc.) to update all packages.

I’ll then build using the --squash option which supposedly should bring it all back to one layer.

This really does not work; running the build with --squash still has additional layers that contain the patches.
DTR still reports on vulnerabilities in the base image.

What am I missing to be able to create base images that have no security vulnerabilities reported?

It seems kind of useless if there is no logic in DTR to be able to tell if a vulnerability was patched in a subsequent layer.
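For reference, here is an added example (not from the post above) of the patching step written so that the parent image's layers are not carried into the result. `docker build --squash` merges only the layers a build adds on top of the base, so the base's own layers still appear to a scanner; copying the patched root filesystem into an empty `scratch` image produces a single layer instead. The `alpine:3.18` base is an assumption; substitute the image actually used.

```dockerfile
# Stage 1: apply every available package update on the chosen base.
# alpine:3.18 is an assumed base for this example; use your real one.
FROM alpine:3.18 AS patched
RUN apk --no-cache upgrade

# Stage 2: flatten into one layer by copying the patched root filesystem
# into an empty image. The parent image's layers and history are not
# inherited here, unlike a plain "docker build --squash", which keeps the
# unchanged base layers underneath the squashed new layer.
FROM scratch
COPY --from=patched / /

# Nothing from the base image's metadata is inherited either, so restate
# the environment and entrypoint the image needs.
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
CMD ["/bin/sh"]
```

Check the result with `docker history <image>` (it should show one filesystem layer) and keep in mind that a scanner inspects the installed package database in the final filesystem, so this only removes stale layer history; packages that the distribution has not yet fixed will still be reported.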

