This repository contains a tiny Flask app, a Dockerfile, a Jenkinsfile, and a deployment.yaml so you can build and scan a container image and document High/Critical CVEs.
Steps to reproduce locally
- Build the image:
docker build -t docker-security:latest .- Scan the image with Docker Scan (Snyk) or Trivy:
docker scan docker-security:latest
# or if you prefer Trivy (install it first):
trivy image docker-security:latest- Note any High or Critical CVEs found. Recommended fixes are typically:
- update base image (e.g., use a newer
python:3.11-slim) - pin & upgrade dependencies to safe versions in
requirements.txt - remove unnecessary packages and use multi-stage builds where possible
What to include in the final report
- Screenshots of scan results showing any High/Critical findings
- A short remediation section listing fixes applied (base image bump, package upgrades)
- Updated
Dockerfileorrequirements.txtif changes were needed
Latest scan performed on: November 2, 2025
Total vulnerabilities found: 53
- CRITICAL: 0
- HIGH: 0
- MEDIUM: 2 (1 in SQLite3, 1 in pip)
- LOW: 51 (mostly in base system packages)
-
Python Package Vulnerabilities:
- pip (MEDIUM): CVE-2025-8869 - Missing checks on symbolic link extraction
- Current version: 24.0
- Fixed in: 25.3
- pip (MEDIUM): CVE-2025-8869 - Missing checks on symbolic link extraction
-
Base Image (debian:13.1) Vulnerabilities:
- All found vulnerabilities are LOW severity
- Most are in system libraries that cannot be easily upgraded without breaking compatibility
-
Already implemented:
- Using Python 3.11-slim base image (reduced attack surface)
- Running as non-root user (mitigation against container breakout)
- Using latest Flask version (3.1.2)
- Cleaning pip cache after installation
-
Additional recommended fixes:
# In Dockerfile, upgrade pip to fix CVE-2025-8869 RUN python -m pip install --upgrade pip==25.3
-
Base Image Security:
- Using official Python slim image
- Running latest stable Python 3.11
-
Runtime Security:
- Non-root user execution
- Minimal installed packages
- No development tools in final image
-
Build Process:
- No cache directories
- Separate build stages for dependencies
- Proper file permissions
The current image has no HIGH or CRITICAL vulnerabilities. The single MEDIUM vulnerability in pip:
- Requires local access to exploit
- Only impacts pip during package installation (not during runtime)
- Can be fixed by upgrading pip to 25.3
The LOW severity OS-level vulnerabilities:
- Are common in most Debian-based images
- Have minimal real-world impact
- Many are theoretical or require local access
- Upgrade pip to version 25.3 to resolve the MEDIUM severity issue
- Consider using multi-stage builds to further reduce the image size
- Implement regular automated scanning in CI/CD (already configured in Jenkinsfile)
- Monitor for new vulnerabilities and update dependencies regularly
This repository includes a Jenkinsfile (declarative pipeline). The pipeline will:
- Build the Docker image (
docker build -t docker-security:latest .) - Run the container (
docker run -d --name docker-security -p 8080:8080 docker-security:latest) - Perform a smoke test by curling
http://localhost:8080 - Print container logs and clean up the container after the run
- Install Jenkins with Docker permissions (Jenkins must be able to run Docker on the host). If using the Docker-in-Docker approach or the Docker socket, ensure the Jenkins agent has access to Docker CLI and daemon.
- In Jenkins, create a new item -> "Pipeline".
- Under Pipeline configuration, select "Pipeline script from SCM" and choose Git, then provide the repository URL and branch.
- Set the script path to
Jenkinsfile(default). - Save and run the job. The pipeline will execute the steps in the
Jenkinsfile.
- Build stage: screenshot the Jenkins "Build" stage console output showing successful
docker buildcompletion. - Run / Smoke test: screenshot the console output showing the
curloutput (should show the app response) or the successfulPerforming smoke test (HTTP)step. - Container output: after the run, open a browser to
http://<jenkins-host>:8080(orhttp://localhost:8080if running Jenkins on your machine) and capture a screenshot of the app response.
Note: If Jenkins runs on a different host than where Docker runs, ensure port 8080 is reachable from your browser or use the Jenkins agent machine to run the container and then use
curlfrom the agent to validate.
You can verify the pipeline steps locally before configuring Jenkins with these commands:
# Build locally
cd <repo-root>
docker build -t docker-security:latest .
# Run locally
docker run -d --name docker-security -p 8080:8080 docker-security:latest
# Check container output
curl http://localhost:8080
# Stop and remove
docker rm -f docker-security- After a successful Jenkins build, open the Jenkins job and click the build number, then click "Console Output". Use the Snipping Tool/Win+Shift+S to capture the console showing the successful
docker buildandcurloutput. - To capture the running app, open a browser to
http://localhost:8080(or your Jenkins host IP + port) and take a screenshot of the response. - Save screenshots into the repo (e.g.,
docs/screenshots/jenkins-build.pnganddocs/screenshots/app-output.png) and commit them.
Suggested quick remediations (apply before or after scanning)
- Bump base image to a newer patch/major (example:
python:3.11-slim) to pick up OS-level fixes. - Upgrade Python dependencies in
requirements.txt, e.g. use a supported Flask version (e.g.Flask>=2.1.0or newer) and re-run scans. - Minimize installed packages and enable
--no-cache-dir(already used) and consider multi-stage builds for compiled deps.
After you run the scan locally, paste High/Critical CVE output (and screenshots) below and update this file with the applied fixes and the commit that fixed them.