Maintaining Security Updates for Docker Images

To stay current with the latest security updates, Metric Insights takes the following actions:

  • Our Docker images run the latest stable release of Debian:  
    • Debian 10 "Buster" as of version 6.3.1, released December 7, 2021
  • Debian OS updates are done with each new major release of Metric Insights, approximately once a quarter. Regression tests are conducted with each new major release to maintain application integrity.
  • Security vulnerability scans are executed with each major and minor release. Vulnerabilities flagged Critical and High are immediately addressed.
  • Linux packages are updated based on vulnerability scan results (Critical, High), given that the application features continue to function properly.
  • Only official Docker images are used as a base to build from.  

To ensure our Docker images have all current security updates and follow Docker best practices, there is a separate testing process we follow, implemented in a CI/CD workflow. This process includes:  

  1. Checking for Updates
  2. Checking Vulnerability against CVE (Common Vulnerabilities and Exposures) feeds
  3. Checking Docker image using "Docker Bench for Security"

1. Checking for Updates

Our internal tool checks to see if an image build includes all current security updates available for the current version of Debian.

2. Checking Vulnerability Against CVE (Common Vulnerabilities and Exposures) Feeds

If an image is flagged for any known vulnerabilities reported in Dockerfile, we use another tool called Clair to run a static analysis of vulnerabilities in our application containers. Clair provides the following  benefits:

  • efficiency
  • independent of Docker
  • can be run locally (so third-party services cannot access internal data)

Clair server omits vulnerabilities that are marked as "no-dsa" by distribution maintainers. An issue might not require an immediate security update, e.g., if its severity level is tagged as low. These vulnerabilities are maintained in a whitelist but no action is taken to remediate.

Conversely, if there are any vulnerabilities that require an immediate security update, and a fix is available, we take immediate action to remediate.

3. Checking Docker Images Using Docker Bench for Security

Docker Bench for Security (DBS) is a script that checks for common best-practices when deploying Docker containers in production. Our tool runs this script against a built image (via an automated test). We then check the results from the DBS scan and compare them with predefined report values in a DBS dictionary. If there are any non-matching values, we take action to address the discrepancy.