Docker scan produces 331 vulnerabilities

[mjmaurer]

docker pull elixir:1.9
docker scan elixir

Tested 537 dependencies for known vulnerabilities, found 331 vulnerabilities.

A good amount are high severity. I know local scan is still beta, so it's possible there are bugs. I'm curious how these are introduced considering how often the image is built.

[conradwt]

@mjmaurer I'm seeing similar numbers in regards to elixir:1.11.4 but many of these vulnerabilities are coming from dependencies included in the image. Thus, I recommend using a different image that works for your use case. For example

$ docker scan elixir:1.11.4-alpine  

...

Tested 22 dependencies for known vulnerabilities, found 1 vulnerability.

Note: The one vulnerability here is as follows:

Medium severity vulnerability found in musl/musl

$ docker scan elixir:1.11.4-slim

...

Tested 96 dependencies for known vulnerabilities, found 63 vulnerabilities.

In general, one can reduce the level of security vulnerabilities by selecting an image that doesn't include unnecessary dependencies like alpine or slim.