HauwaHakimi
commented
1 month ago need more info about alpine linux change
Reason for Change
The main driver for this change is to address the critical vulnerability CVE-2023-45853 in MiniZip (part of zlib) that was present in the Debian-based images. This vulnerability, which could lead to integer overflow and heap-based buffer overflow, was not resolved in the Debian images we were using. Alpine Linux has resolved this vulnerability in their zlib packages, along with several other CVEs. Changing this image to alpine eliminates the CVE-2023-45853 and reduces the overall image size.
Updated Dockerfile to use Alpine-based images
- Changed base images from Debian-based to Alpine-based for Node.js and Ruby
- Updated installation commands to use Alpine's package manager (apk)
- Added necessary build dependencies for Alpine
- Adjusted user creation command for Alpine
Testing
- The image has been built and scanned locally. The container runs successfully locally with the new Alpine-based images.
- Docker Scout scan shows no vulnerabilities in the new image.
Next Steps
- Deploy to the test environment
- Conduct a full vulnerability scan in ECR to ensure all issues are resolved
Changing base images to alpine to fix critical CVEs on previous debian images Made changes to cost centres initializers to allow us to run docker image locally for testing