by jsulinski 3382 days ago
I will absolutely release some data. I intend to fully automate this research so that it is current whenever viewed as well.

Not sure about the state of CI/CD in the image building process, I assume it varies wildly. Two of the major points I'll address in my next posts are regarding deprecation in Docker repositories and lines of a Dockerfile important to minimizing vulnerabilities.


To be clear, one of those lines relates to making sure you pull in upstream during image building. This is super important, as it seems that people have assumed their base image will be current and that is not always the case.
So that's another factor to see if it's a pattern: do the images w/o problems apt-get update && apt-get upgrade?

And maybe there's an opportunity for a Chrome browser extension that can overlay an indicator when choosing a Docker image to pick one that uses best practices like that.

There absolutely is a pattern, but the thing is -- even if the image is updated at build, as soon as you deploy it, vulnerabilities begin to emerge.
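The "is there a pattern" question above (does the Dockerfile refresh upstream packages at build time, rather than trusting the base image to be current?) can be checked mechanically. The script below is an added example, not code from the thread or from any of the commenters' projects: it joins backslash-continued RUN lines, ignores comments, and reports whether any RUN step runs an upgrade (apt-get upgrade/dist-upgrade, apk upgrade, or yum/dnf update/upgrade). The two Dockerfiles it writes are constructed samples. As the last comment notes, this is a build-time property only: an image that passes still drifts once deployed, so the check is useful alongside regular rebuilds, not instead of them.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether a Dockerfile pulls in
# upstream package updates during the build, which is the practice discussed
# above: "apt-get update && apt-get upgrade" (or the apk/yum/dnf equivalent).

# Returns 0 if some RUN instruction performs a package upgrade, 1 otherwise.
dockerfile_has_upgrade() {
    # $1 = path to a Dockerfile
    # 1. join lines ending in a backslash so a multi-line RUN becomes one line
    # 2. drop comment lines
    # 3. keep only RUN instructions
    # 4. look for an upgrade command; note that plain "apt-get update" alone
    #    does NOT match, because it refreshes indexes without upgrading anything
    sed -e ':a' -e '/\\$/N; s/\\\n/ /; ta' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -i '^[[:space:]]*RUN' \
      | grep -Eiq 'apt-get[[:space:]]+(-[-a-zA-Z=]+[[:space:]]+)*(dist-)?upgrade|apk[[:space:]]+(--?[a-zA-Z-]+[[:space:]]+)*upgrade|(yum|dnf)[[:space:]]+(-[a-zA-Z]+[[:space:]]+)*(update|upgrade)'
}

# Writes two constructed sample Dockerfiles into a temp dir and prints the dir.
# "stale" trusts the base image; "fresh" upgrades packages at build time.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/stale.Dockerfile" <<'EOF'
# Constructed sample: relies on whatever the base image shipped with
FROM debian:bookworm
RUN apt-get update && apt-get install -y --no-install-recommends curl
COPY app /app
CMD ["/app/run"]
EOF
    cat > "$dir/fresh.Dockerfile" <<'EOF'
# Constructed sample: refreshes upstream packages during the build
FROM debian:bookworm
RUN apt-get update \
 && apt-get -y dist-upgrade \
 && apt-get install -y --no-install-recommends curl \
 && rm -rf /var/lib/apt/lists/*
COPY app /app
CMD ["/app/run"]
EOF
    printf '%s\n' "$dir"
}

# Prints one line per Dockerfile in a directory: UPGRADES or NO-UPGRADE.
report_dir() {
    for f in "$1"/*.Dockerfile; do
        if dockerfile_has_upgrade "$f"; then
            printf 'UPGRADES    %s\n' "$f"
        else
            printf 'NO-UPGRADE  %s\n' "$f"
        fi
    done
}

# Usage: run the check over the constructed samples.
samples=$(write_samples)
report_dir "$samples"
```

The regex deliberately treats "apt-get update" on its own as not good enough: it refreshes the package index but installs nothing newer, which is exactly the gap the thread is pointing at. Run it over a directory of Dockerfiles to get a quick per-file verdict; a stricter version could also require that the upgrade happens in the same RUN as the update, so the two cannot be cached separately.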