Hi @bdun1013

Do you have some research that actually show that alpine has fewer vulnerabilities? and in any case, we already look for security issues on the images now.

Regards,

Here's output from CVE scanning both Debian and Alpine based Postgres images with Trivy (https://github.com/aquasecurity/trivy)

❯ podman run docker.io/aquasec/trivy image postgres:16.2-bullseye

postgres:16.2-bullseye (debian 11.9)
====================================
Total: 195 (UNKNOWN: 12, LOW: 121, MEDIUM: 32, HIGH: 28, CRITICAL: 2)

❯ podman run docker.io/aquasec/trivy image postgres:16.2-alpine

postgres:16.2-alpine (alpine 3.19.1)
====================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

We would also like Alpine based images very very much.

Even more if you scan it against the official cloudnative-pg image...

ghcr.io/cloudnative-pg/postgresql:16.2-6 (debian 11.9)
======================================================
Total: 273 (UNKNOWN: 12, LOW: 143, MEDIUM: 55, HIGH: 57, CRITICAL: 6)

Those images are out of support and aren't supposed to be used anymore, closing

@sxd Where did you see the images are out of support ? I can't find any hint about this. There are up to date images generated on the upstream based on alpine. Would be really great if we could use them with cnpg.

@mungo312 https://github.com/cloudnative-pg/postgres-containers/?tab=readme-ov-file#system-images