This repository has been archived by the owner on Nov 26, 2022. It is now read-only.

The Nginx base image has a lot of security problems #43

Closed
fmotrifork opened this issue Apr 16, 2020 · 5 comments

Comments

@fmotrifork

fmotrifork commented Apr 16, 2020

I have been looking into switching my Nginx that uses modsecurity and CRS over to this official image.

Using the Trivy docker image scanner we get the following summary for the nginx image used as base:

$ trivy nginx:1.17.9
2020-04-16T08:26:11.391+0200    INFO    Detecting Debian vulnerabilities...

nginx:1.17.9 (debian 10.3)
==========================
Total: 116 (UNKNOWN: 0, LOW: 19, MEDIUM: 82, HIGH: 13, CRITICAL: 2)

If we instead switch over and use the alpine version of the same image, we get the following:

$ trivy nginx:1.17.9-alpine
2020-04-16T08:28:03.984+0200    INFO    Detecting Alpine vulnerabilities...

nginx:1.17.9-alpine (alpine 3.10.4)
===================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

Not perfect, but much better.

As a nice side effect we also get a much smaller image:

nginx:1.17.9         size: 127MB
nginx:1.17.9-alpine  size: 19.7MB
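One way to turn a scan like the one above into a repeatable check, as an added example that is not part of the issue or the project's own code: parse Trivy's per-target header and "Total:" summary line, compare two images, and fail a CI gate when HIGH/CRITICAL counts exceed a budget. The sample text is constructed from the two scans quoted above; the function names and the zero-tolerance thresholds are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two Trivy summary blocks quoted in the issue.
TRIVY_DEBIAN = """\
nginx:1.17.9 (debian 10.3)
==========================
Total: 116 (UNKNOWN: 0, LOW: 19, MEDIUM: 82, HIGH: 13, CRITICAL: 2)
"""

TRIVY_ALPINE = """\
nginx:1.17.9-alpine (alpine 3.10.4)
===================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
"""

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")
_TARGET_RE = re.compile(r"^(?P<image>\S+) \((?P<os>[^)]+)\)$", re.M)
_TOTAL_RE = re.compile(r"^Total: (?P<total>\d+) \((?P<counts>[^)]*)\)$", re.M)


@dataclass
class TrivySummary:
    image: str
    os: str
    total: int
    counts: dict


def parse_trivy_summary(text: str) -> TrivySummary:
    """Parse the target header and 'Total:' line of Trivy's table output."""
    target = _TARGET_RE.search(text)
    total = _TOTAL_RE.search(text)
    if not target or not total:
        raise ValueError("no Trivy summary found in scan output")
    counts = {}
    for item in total.group("counts").split(","):
        sev, num = item.strip().split(":")
        counts[sev.strip()] = int(num)
    # Sanity check: the per-severity counts must add up to the reported total.
    if sum(counts.values()) != int(total.group("total")):
        raise ValueError("severity counts do not add up to Total")
    return TrivySummary(target.group("image"), target.group("os"),
                        int(total.group("total")), counts)


def violates_policy(s: TrivySummary, max_high: int = 0, max_critical: int = 0) -> bool:
    """CI gate (assumed policy): reject images with HIGH/CRITICAL findings over budget."""
    return (s.counts.get("CRITICAL", 0) > max_critical
            or s.counts.get("HIGH", 0) > max_high)


def compare(a: TrivySummary, b: TrivySummary) -> dict:
    """Per-severity reduction in findings when moving from image a to image b."""
    return {sev: a.counts.get(sev, 0) - b.counts.get(sev, 0) for sev in SEVERITIES}
```

Feed it the output of `trivy <image>` captured in a pipeline and the gate result decides whether the build proceeds.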
@bittner
Contributor

bittner commented Apr 16, 2020

A bit of historical background, to make you understand the different images:

  • Last year the decision was taken to use the official web proxy image as a basis and drop the distro-specific images, going forward (summed up in Consolidate development of Docker images #32 (comment)).
  • This is almost exclusively for maintenance reasons, with the mid-term plan to increase image quality (and security).
  • We have made some progress in this repo and in modsecurity-crs-docker, but we're by no means finished with our maintenance (process) improvements.

If you have specific suggestions on how to fix the issue you raised, please submit a PR. This is highly appreciated. – Thanks!

@fmotrifork
Author

Hi @bittner

It looks like you are all making good progress.

My first proposal was also to keep using the official web images for nginx, but switch over and use the official image based on alpine Linux (very small, stable and secure linux, used in many docker images) instead of using the other official image based on Debian.

I will try to send some PRs to help improve what I can.

Best Regards

@jithurjacob

I would recommend switching over to alpine if it's possible. The default images are based on Debian and scanners find a lot of vulnerabilities (false positives included) even in weekly scans. We got tired of maintenance and made the switch to alpine.

@fzipi
Member

fzipi commented Jun 20, 2021

I'm creating a new set of images based on Alpine. Still not ready to merge, but will be soon hopefully.

@fzipi
Member

fzipi commented Jun 24, 2021

@jithurjacob You can find the new alpine based images on docker hub now. Please review and comment.

@fzipi fzipi closed this as completed Jun 24, 2021