cloudnative-pg / postgres-containers

Operand images for CloudNativePG containing all community-supported PostgreSQL versions
Apache License 2.0
43 stars, 28 forks

Support alpine images #78

Open bdun1013 opened 10 months ago

bdun1013 commented 10 months ago

The official Postgres images support an alpine base image build: https://github.com/docker-library/postgres/tree/master/16/alpine3.18

Alpine is much smaller than Debian and has many fewer vulnerabilities.

sxd commented 6 months ago

Hi @bdun1013

Do you have some research that actually shows that Alpine has fewer vulnerabilities? And in any case, we already look for security issues on the images now.

Regards,

gazab commented 6 months ago

Here's output from CVE scanning both Debian- and Alpine-based Postgres images with Trivy (https://github.com/aquasecurity/trivy):

❯ podman run docker.io/aquasec/trivy image postgres:16.2-bullseye

postgres:16.2-bullseye (debian 11.9)
====================================
Total: 195 (UNKNOWN: 12, LOW: 121, MEDIUM: 32, HIGH: 28, CRITICAL: 2)

❯ podman run docker.io/aquasec/trivy image postgres:16.2-alpine

postgres:16.2-alpine (alpine 3.19.1)
====================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

We would also like Alpine based images very very much.

onedr0p commented 6 months ago

Even more if you scan it against the official cloudnative-pg image...

ghcr.io/cloudnative-pg/postgresql:16.2-6 (debian 11.9)
======================================================
Total: 273 (UNKNOWN: 12, LOW: 143, MEDIUM: 55, HIGH: 57, CRITICAL: 6)
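The comparison in the two scan outputs above rests on Trivy's one-line table summary, which counts one row per affected package and mixes findings that have a fix with findings that do not. The following script is an added example, not code from this repository or from Trivy; it reads reports in the shape of `trivy image --format json` output (only the `ArtifactName`, `Results`, `Vulnerabilities`, `Severity`, `VulnerabilityID` and `FixedVersion` fields), rebuilds the same `Total: N (...)` line, and additionally reports how many findings have a fix available and how many distinct CVE ids are involved, then diffs two images per severity. The two embedded reports are constructed sample data, not real scan results.

```python
"""Summarize and compare Trivy JSON scan reports by severity.

Added example for the thread above. The sample reports below are constructed
and only mimic the fields of `trivy image --format json` output.
"""
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def make_report(artifact, target, vulns):
    """Build a constructed report in the shape Trivy emits (subset of fields)."""
    return json.dumps({
        "ArtifactName": artifact,
        "Results": [
            {"Target": target, "Class": "os-pkgs", "Vulnerabilities": vulns},
            # A result with no findings omits the Vulnerabilities key entirely.
            {"Target": "usr/local/bin/helper", "Class": "lang-pkgs"},
        ],
    })


# Constructed "Debian-like" report: one CVE appears in two packages,
# two findings have no fix available (missing or empty FixedVersion).
DEBIAN_REPORT = make_report(
    "example/postgres:debian", "example/postgres:debian (debian 11.9)",
    [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo1", "Severity": "HIGH", "FixedVersion": "1.2.3"},
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo-dev", "Severity": "HIGH", "FixedVersion": "1.2.3"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar2", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbar2", "Severity": "MEDIUM", "FixedVersion": ""},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libbaz", "Severity": "critical", "FixedVersion": "9.9"},
    ],
)

# Constructed "Alpine-like" report with a single fixable HIGH finding.
ALPINE_REPORT = make_report(
    "example/postgres:alpine", "example/postgres:alpine (alpine 3.19.1)",
    [{"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH", "FixedVersion": "1.2.4-r0"}],
)


def summarize(report_json):
    """Count findings per severity, how many of them have a fix, and distinct CVE ids."""
    data = json.loads(report_json)
    by_severity = Counter({s: 0 for s in SEVERITIES})
    fixable = Counter({s: 0 for s in SEVERITIES})
    ids = set()
    for result in data.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            if sev not in SEVERITIES:
                sev = "UNKNOWN"
            by_severity[sev] += 1
            ids.add(vuln.get("VulnerabilityID"))
            if vuln.get("FixedVersion"):
                fixable[sev] += 1
    return {
        "artifact": data.get("ArtifactName", "?"),
        "total": sum(by_severity.values()),
        "by_severity": dict(by_severity),
        "fixable_total": sum(fixable.values()),
        "fixable": dict(fixable),
        "distinct_ids": len(ids),
    }


def format_summary(summary):
    """Render the same 'Total: N (...)' line Trivy prints in table mode."""
    parts = ", ".join(f"{s}: {summary['by_severity'][s]}" for s in SEVERITIES)
    return f"Total: {summary['total']} ({parts})"


def compare(summary_a, summary_b):
    """Per-severity delta (a minus b) of all findings and of fixable findings."""
    return {
        s: {
            "all": summary_a["by_severity"][s] - summary_b["by_severity"][s],
            "fixable": summary_a["fixable"][s] - summary_b["fixable"][s],
        }
        for s in SEVERITIES
    }


if __name__ == "__main__":
    for rep in (DEBIAN_REPORT, ALPINE_REPORT):
        s = summarize(rep)
        print(s["artifact"])
        print(format_summary(s))
        print(f"  of which fixable: {s['fixable_total']}, distinct CVE ids: {s['distinct_ids']}")
    print("delta (debian - alpine):", compare(summarize(DEBIAN_REPORT), summarize(ALPINE_REPORT)))
```

To feed it real data, save `trivy image --format json <image>` to a file and pass the file contents to `summarize()`. Splitting out the fixable count matters for a comparison like the one in this thread: a finding with no fixed version cannot be removed by rebuilding the image, so the two base images are only comparable on the fixable subset (Trivy's `--ignore-unfixed` flag gives the same view directly).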