The Nginx base image has a lot of security problems

[fmotrifork]

I have been looking in to switching my Nginx that uss modsecurity and CRS over to this official image.

Using the Trivy docker image scanner we get the following summary for the nginx image used as base:

$ trivy nginx:1.17.9
2020-04-16T08:26:11.391+0200    INFO    Detecting Debian vulnerabilities...

nginx:1.17.9 (debian 10.3)
==========================
Total: 116 (UNKNOWN: 0, LOW: 19, MEDIUM: 82, HIGH: 13, CRITICAL: 2)

If we instead switch over and use the alpine version of the same image, we get the following:

$ trivy nginx:1.17.9-alpine
2020-04-16T08:28:03.984+0200    INFO    Detecting Alpine vulnerabilities...

nginx:1.17.9-alpine (alpine 3.10.4)
===================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

Not perfect, but much better.

As a nice side effect we also get a much smaller image:

nginx:1.17.9         size: 127MB
nginx:1.17.9-alpine  size: 19.7MB

[bittner]

A bit of historical background, to make you understand the different images:

• Last year the decision was taken to use the official web proxy image as a basis and drop the distro-specific images, going forward (summed up in Consolidate development of Docker images #32 (comment)).
• This is almost exclusively for maintenance reasons, with the mid-term plan to increase image quality (and security).
• We have made some progress in this repo and in modsecurity-crs-docker, but we're by no means finished with our maintenance (process) improvements.

If you have specific suggestions on how to fix the issue you raised, please submit a PR. This is highly appreciated. – Thanks!

[fmotrifork]

Hi @bittner

It looks like you are all making good progress.

My first proposal was also to keep using the official web images for nginx, but switch over and use the official image based on alpine Linux (very small, stable and secure linux, used in many docker images) instead of using the other official image based on Debian.

I will try to send some PRs to help improve what I can.

Best Regards

[jithurjacob]

I would recommend switching over to alpine if it's possible. The default images are based on Debian and scanners find a lot of vulnerabilities(false positives included) even in weekly scans. We got tired of maintanance and made the switch to alpine.

[fzipi]

I'm creating a new set of images based on Alpine. Still not ready to merge, but will be soon hopefully.

[fzipi]

@jithurjacob You can find the new alpine based images on docker hub now. Please review and comment.