
Chainguard: It’s All About That Base Image

31 Mar 2022 10:36am

In our container-driven tech world, it’s vital that the base image, the foundation on which we build our working container images, be as free of bugs as possible. Chainguard, the zero-trust security company, dove into container image security in its new whitepaper “All About That Base Image.” Alas, it found that some “popular base images can have hundreds of known security vulnerabilities.” This is no way to build a container!

It’s only common sense for developers to choose base container images wisely. If they don’t, they’re in for security headaches down the line. Borrowing from the idea of technical debt, Chainguard calls these base image vulnerabilities “security debt.”

Unfortunately, Chainguard’s research found that all too many popular base images, downloaded billions of times, ship with tens or hundreds of known security vulnerabilities. That’s a lot of security debt to overcome before you’ve even started building your applications!

The Process

Chainguard used GitHub code search to collect publicly available Dockerfile specifications for container images and work out which base images are the most popular. The top images are based on Alpine, Ubuntu, and Debian Linux. Other popular base images are programming-language-specific, such as Node/JavaScript (Node.js) and Java (OpenJDK).

They then checked these images with well-regarded container image static analysis tools: Trivy (0.23.0), Grype (0.32.0), and Snyk (0.16.0). The worst of the images, by a wide margin, was the Debian-based Node 17 base image.

The report’s authors, John Speed Meyers and Zack Newman, reported, “Depending on the scanner, there are either a couple hundred or closer to a thousand known vulnerabilities in this base image. This is a level of debt that would make even U.S. medical students blush.”

However, Alpine (node:17-alpine), which is designed with security as its top priority, had between zero and four vulnerabilities depending on the scanner. This suggests that the Node base image’s vulnerabilities lie in the base operating system image itself rather than in the Node JavaScript code.

With twenty-five to one hundred medium- or low-severity vulnerabilities each, the Debian, Red Hat Universal Base Image and Ubuntu images are roughly the same. The Alpine base image, with fewer than ten packages, had no known security vulnerabilities. That said, security vulnerabilities pop up every day and base images are always changing. In other words, generally speaking, Alpine images are secure, but you can’t assume that even Alpine is secure forever.
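As an added example (not code from the whitepaper or from Chainguard), here is a small Python tally of the kind of per-image “security debt” comparison the report draws, run over two constructed reports in the JSON shape that `trivy image -f json` emits, standing in for node:17 and node:17-alpine. The package names and CVE ids are placeholders, not real findings for those images.

```python
import json
from collections import Counter

# Constructed sample in Trivy's JSON report shape, one report per image tag.
# Package names and CVE ids are placeholders, not real findings.
SAMPLE_REPORTS = {
    "node:17": json.dumps({
        "Results": [
            {"Target": "node:17 (debian 11)", "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libfoo", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "bash", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libbar", "Severity": "LOW"},
            ]},
            {"Target": "Node.js", "Vulnerabilities": []},  # the app runtime itself: clean
        ]
    }),
    "node:17-alpine": json.dumps({
        "Results": [
            {"Target": "node:17-alpine (alpine 3.15)", "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "Severity": "MEDIUM"},
            ]},
        ]
    }),
}

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

def security_debt(report_json):
    """Tally one Trivy JSON report: unique (CVE, package) findings per severity."""
    report = json.loads(report_json)
    seen = set()
    by_severity = Counter()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # Trivy emits null when empty
            key = (vuln["VulnerabilityID"], vuln.get("PkgName", ""))
            if key in seen:  # same CVE can be listed more than once per package
                continue
            seen.add(key)
            by_severity[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return {sev: by_severity[sev] for sev in SEVERITIES}

def compare_images(reports):
    """Return [(image, total, per-severity counts)] sorted worst-first."""
    tally = {img: security_debt(r) for img, r in reports.items()}
    return sorted(((img, sum(c.values()), c) for img, c in tally.items()),
                  key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for image, total, counts in compare_images(SAMPLE_REPORTS):
        print(f"{image:16} total={total:3}  " + "  ".join(f"{s}={counts[s]}" for s in SEVERITIES))
```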

The other base image developers can also improve the security quality of their images. As Alpine’s programmers have shown, it can be done.

Quiet Base Images

Much of the security “dirt,” Chainguard states, comes from an image’s clutter: the extraneous and unnecessary packages along for the ride in a base image. If your container doesn’t need a function, don’t include its package. For example, simply removing a “shell from a base image closes a potentially unnecessary access point for attackers, turning an open door into a brick wall.”

And of course, these minimal base images ought to have few or no reported vulnerabilities. This reduces the burden for everyone. Developers avoid triaging vulnerabilities. Security teams avoid making long Excel lists of vulnerabilities and remediations. Software users get secure software faster and cheaper.

Therefore, Chainguard proposes that container base image developers should work towards the creation of “quiet” base images. Such quiet base images are minimal images with few or zero reported vulnerabilities and include a software bill of materials (SBOM) and built-in digital signatures. This would be much better than our current status quo.

Besides simply making more secure images, and thus reducing security debt, these would also decrease developer workload and improve development velocity. And who doesn’t want that?

Featured image via Pixabay.