Security audit found our production container had 47 known vulnerabilities. 12 were critical.

How it happened:

  • Base image: node:14 (not pinned)
  • Image built 18 months ago
  • Never rebuilt
  • No vulnerability scanning
  • Full Debian base (1.2GB image)

The CVE breakdown:

  • 12 Critical (remote code execution)
  • 18 High (privilege escalation)
  • 17 Medium
  • All in base image packages we didn't use

What we fixed:

  • Switched to node:20-alpine (50MB vs 1.2GB)
  • Added Trivy scanning to CI pipeline
  • Block deploys with critical/high CVEs
  • Weekly automated image rebuilds
  • Pinned base image versions

Result: 47 CVEs → 0. Image size reduced by 96%.

Lesson: If you're not scanning your containers, assume they're vulnerable.

← Back to Lessons Learned

Tags: #Docker #Security #Vulnerabilities #Containers