Maintaining Security Updates for Docker Images
To stay current with the latest security updates, Metric Insights takes the following actions:
- Our Docker images run the latest stable release of Debian:
- Debian 11.5 "Bullseye" as of version 6.4.0, released November 21, 2022
- Debian OS updates are done with each new major release of Metric Insights, approximately once a quarter. Regression tests are conducted with each new major release to maintain application integrity.
- Security vulnerability scans are executed with each major and minor release. Vulnerabilities flagged Critical and High are immediately addressed.
- Linux packages are updated based on vulnerability scan results (Critical, High), given that the application features continue to function properly.
- Only official Docker images are used as a base to build from.
To ensure our Docker images have all current security updates and follow Docker best practices, there is a separate testing process we follow, implemented in a CI/CD workflow. This process includes:
Our internal tool checks to see if an image build includes all current security updates available for the current version of Debian.
If an image is flagged for any known vulnerabilities reported in Dockerfile, we use another tool called Clair to run a static analysis of vulnerabilities in our application containers. Clair provides the following benefits:
- independent of Docker
- can be run locally (so third-party services cannot access internal data)
Clair server omits vulnerabilities that are marked as "no-dsa" by distribution maintainers. An issue might not require an immediate security update, e.g., if its severity level is tagged as low. These vulnerabilities are maintained in a whitelist but no action is taken to remediate.
Conversely, if there are any vulnerabilities that require an immediate security update, and a fix is available, we take immediate action to remediate.
Docker Bench for Security (DBS) is a script that checks for common best-practices when deploying Docker containers in production. Our tool runs this script against a built image (via an automated test). We then check the results from the DBS scan and compare them with predefined report values in a DBS dictionary. If there are any non-matching values, we take action to address the discrepancy.