Federacy reports that “24% of the latest Docker images have significant vulnerabilities”.
The report underlines the importance of running your own image-building service and your own local registry when deploying Docker and Kubernetes.
That includes the base operating system images: the scan behind that figure looked at the ‘latest’ tags of the official base operating system images and the known vulnerabilities in them, and it found last year's vulnerabilities still present in current images.
In their own words:
[…] we decided to put our technology to work to answer a key question: what is the current state of vulnerabilities in official Docker repositories?
[…] On February 6th, we scanned 91 of the 133 official Docker repositories. This is every repository with a ‘latest’ tagged image consisting of a major linux distribution and a functional package manager.
It also underlines that inspecting images and reporting the versions of what you build on is essential to a working compliance and security management strategy, containers or not. Packaging, package managers and meaningful versioning do not go away with containers.
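The check the report implies, as an added example that is not Federacy's scanner nor code from the original post: inventory the packages inside a Debian-based image (the `docker run ... dpkg-query` command in the comment is how you would obtain real input) and compare each installed version against the version an advisory says fixed the issue. The comparison follows dpkg's version-ordering rules (epoch, then upstream version, then Debian revision, with `~` sorting before everything) because a naive string comparison gets `2.10` vs `2.9`, `1:1.4` vs `1.5` and `2.0.0~rc1` vs `2.0.0` wrong. The package names, versions and advisory labels are constructed for the example and correspond to no real package or advisory.

```python
"""Inventory the packages in a Debian-based image and compare them against a
list of "fixed in" versions, using dpkg's own version-ordering rules.

Added example; none of this is the Federacy scanner's code. The package names,
versions and advisory labels below are constructed for illustration."""
import sys

# To produce a real inventory from an image (assumes a Debian/Ubuntu base with
# dpkg-query available), run outside this script:
#   docker run --rm --entrypoint dpkg-query IMAGE -W -f='${Package}\t${Version}\n' > inventory.tsv
# Constructed sample in that same format:
SAMPLE_INVENTORY = (
    "libexample1\t1.2.3-2\n"
    "exampled\t2.0.0~rc1-1\n"
    "exampletool\t1:1.4-3\n"
    "libother0\t0.9.1-1\n"
)

# Hypothetical advisories: (package, first fixed version, label).
SAMPLE_ADVISORIES = [
    ("libexample1", "1.2.4-1", "hypothetical-advisory-1"),
    ("exampled", "2.0.0-1", "hypothetical-advisory-2"),
    ("exampletool", "1.5-1", "hypothetical-advisory-3"),   # epoch 1: makes 1.4 newer than 1.5
    ("libother0", "0.9.1-1", "hypothetical-advisory-4"),   # already at the fixed version
]


def _order(c):
    """Sort weight of one character, as in dpkg: '~' < end-of-string < letters < other."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """dpkg's alternating non-digit / digit comparison of two version fragments."""
    while a or b:
        first_diff = 0
        # Compare the non-digit prefixes character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Compare the digit runs numerically (longer run of digits wins).
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and b and a[0].isdigit() and b[0].isdigit():
            if first_diff == 0:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def parse_inventory(text):
    """Parse 'package<TAB>version' lines (dpkg-query -W output) into a dict."""
    inventory = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            inventory[name.strip()] = version.strip()
    return inventory


def find_outdated(inventory_text, advisories):
    """Packages installed at a version older than the advisory's fixed version."""
    installed = parse_inventory(inventory_text)
    hits = []
    for package, fixed, label in advisories:
        have = installed.get(package)
        if have is not None and dpkg_compare(have, fixed) < 0:
            hits.append((package, have, fixed, label))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INVENTORY
    for package, have, fixed, label in find_outdated(text, SAMPLE_ADVISORIES):
        print(f"{package}: installed {have}, fixed in {fixed} ({label})")
```

Run it with no arguments to check the constructed sample, or pass the path of an inventory file produced by the `docker run` command in the comment. The same inventory, kept per image tag in your own registry, is the version record the compliance argument above calls for; the advisory list is the part you would feed from your distribution's security tracker rather than type by hand.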