It looks like the OS images are hard-coded here: https://github.com/hexpm/bob/blob/main/lib/bob/job/docker_checker.ex#L5 but they are clearly not the latest version: e.g. at the moment `buster-20220912-slim` is available.

What happens if a vulnerability in any library (e.g. libssl, libc or whatever) is discovered? Are you constantly monitoring for relevant security issues (e.g. scanning images), and rebuilding them using new versions in that case?

Otherwise, do you suggest having builder-image-version != runner-image-version (the latest)? e.g.:

```dockerfile
ARG BUILDER_IMAGE="hexpm/elixir:1.14.0-erlang-25.1-debian-buster-20220801-slim"
ARG RUNNER_IMAGE="debian:buster-20220912-slim"
```

So I would love to hear any comment about security policy for docker images, if they can be safely used in production.
Yes, you should definitely use different builder and runner images, if nothing else to keep the runner image small.
We don't have any automatic monitoring for security issues. We rely on the community to help us keep the images up to date. You can also add `RUN apt update && apt upgrade` to your Dockerfile to update to the latest package versions.
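For concreteness, here is a two-stage Dockerfile that puts the two points in this thread together: a pinned `hexpm/elixir` builder image, a separate and newer `debian` runner image, and an `apt-get upgrade` in the runner stage so that each rebuild picks up whatever package fixes the Debian repositories currently carry. This is an added example, not code from the hexpm/bob project or from anyone in this issue. The two image tags are the ones quoted above; the application name `my_app`, the release path under `_build/prod/rel`, the runtime package list and the `app` user are assumptions, and the `apt-get` steps assume the Debian repositories for that suite are reachable at build time.

```dockerfile
# Added example (not hexpm/bob's code). Builder and runner are different
# images: build tooling stays in the builder, the runner only receives the
# compiled release. Tags are the ones quoted in the issue above.
ARG BUILDER_IMAGE="hexpm/elixir:1.14.0-erlang-25.1-debian-buster-20220801-slim"
ARG RUNNER_IMAGE="debian:buster-20220912-slim"

# ---------- build stage ----------
FROM ${BUILDER_IMAGE} AS builder

ENV MIX_ENV=prod
WORKDIR /app

# Compilers and git are needed to build deps, but never reach the runner.
RUN apt-get update -y \
    && apt-get install -y --no-install-recommends build-essential git \
    && rm -rf /var/lib/apt/lists/*

RUN mix local.hex --force && mix local.rebar --force

# Fetch deps first so this layer is cached until mix.lock changes.
COPY mix.exs mix.lock ./
RUN mix deps.get --only prod
COPY config config
COPY lib lib
RUN mix compile
RUN mix release

# ---------- runtime stage ----------
FROM ${RUNNER_IMAGE}

# Upgrade the base snapshot to the latest packages the repos offer, install
# only the runtime libraries an Elixir release needs (assumed list), and
# drop the apt cache so it does not bloat the image. Rebuilding this image
# is what picks up newer security fixes; the tag alone does not.
RUN apt-get update -y \
    && apt-get upgrade -y --no-install-recommends \
    && apt-get install -y --no-install-recommends \
        libstdc++6 openssl libncurses5 ca-certificates \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Run the release as an unprivileged system user (assumed name "app").
RUN useradd --system --create-home --shell /usr/sbin/nologin app \
    && chown app:app /app
USER app

# Only the built release crosses the stage boundary; "my_app" is assumed.
COPY --from=builder --chown=app:app /app/_build/prod/rel/my_app ./

CMD ["/app/bin/my_app", "start"]
```

Build with `docker build --build-arg RUNNER_IMAGE=debian:buster-20220912-slim -t my_app .`; because the runner tag is an `ARG`, bumping it at the command line (or in CI on a schedule) rebuilds the runtime stage against a newer snapshot without touching the pinned builder image, and the `apt-get upgrade` layer is what actually refreshes packages between snapshot bumps.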