Q: how vulnerabilities are handled in Debian images? #127

Closed
bettio opened this issue Sep 22, 2022 · 1 comment

Comments

Contributor

bettio commented Sep 22, 2022

It looks like the OS images are hard-coded here: https://github.com/hexpm/bob/blob/main/lib/bob/job/docker_checker.ex#L5 but they are not clearly the latest version:

    "ubuntu" => [
      "jammy-20220428",
      "focal-20211006",
      "bionic-20210930",
      "xenial-20210804",
      "trusty-20191217"
    ],
    "debian" => [
      "bullseye-20220801",
      "buster-20220801",
      "bullseye-20220801-slim",
      "buster-20220801-slim"
    ]

e.g. at the moment buster-20220912-slim is available.

What happens if a vulnerability in any library (e.g. libssl, libc or whatever) is discovered? Are you constantly monitoring for relevant security issues (e.g. scanning images), and rebuilding them using new versions in that case?

Otherwise, do you suggest having builder-image-version != runner-image-version (the latest)?
e.g.:

    ARG BUILDER_IMAGE="hexpm/elixir:1.14.0-erlang-25.1-debian-buster-20220801-slim"
    ARG RUNNER_IMAGE="debian:buster-20220912-slim"

So I would love to hear any comment about the security policy for docker images and whether they can be safely used in production.

Member

ericmj commented Sep 23, 2022

Yes, you should definitely use different builder and runner images, if nothing else to keep the runner image small.

We don't have any automatic monitoring for security issues. We rely on the community to help us keep the images up to date. You can also add RUN apt update && apt upgrade to your Dockerfile to update to the latest package versions.

@ericmj ericmj closed this as completed Sep 25, 2022
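The builder/runner split and the apt upgrade step from the answer above, written out as a multi-stage Dockerfile; this is an added example, not code from the bob project or this thread. The tags are the ones quoted in the question; the application name my_app, the mix release steps and the runtime package list are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Builder stage: the pinned hexpm/elixir tag from the question. Its Debian
# layer is whatever bob built on that date (buster-20220801 here).
ARG BUILDER_IMAGE="hexpm/elixir:1.14.0-erlang-25.1-debian-buster-20220801-slim"
# Runner stage: a newer official Debian tag of the same release, so the
# shipped image's OS packages are independent of when bob last rebuilt.
ARG RUNNER_IMAGE="debian:buster-20220912-slim"

FROM ${BUILDER_IMAGE} AS builder
ENV MIX_ENV=prod
WORKDIR /app
# Assumed project layout: a standard Mix project that builds a release.
RUN mix local.hex --force && mix local.rebar --force
COPY mix.exs mix.lock ./
RUN mix deps.get --only prod && mix deps.compile
COPY . .
RUN mix release

FROM ${RUNNER_IMAGE} AS runner
# Apply Debian security updates at build time, then install only what the
# bundled ERTS needs at runtime (assumed list); clear the apt cache so the
# layer stays small and does not carry stale package indexes.
RUN apt-get update \
 && apt-get upgrade -y \
 && apt-get install -y --no-install-recommends libstdc++6 openssl libncurses5 \
 && rm -rf /var/lib/apt/lists/*
# Run the release as an unprivileged user rather than root.
RUN useradd --create-home --shell /usr/sbin/nologin app
WORKDIR /app
COPY --from=builder --chown=app:app /app/_build/prod/rel/my_app ./
USER app
CMD ["/app/bin/my_app", "start"]
```

Rebuilding this image (with --no-cache, or after the runner tag changes) re-runs apt-get upgrade, so the running container picks up Debian package fixes even when the hexpm/elixir builder image has not been refreshed. The builder's packages never reach the final image; only the compiled release is copied across.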