Docker Image With 47 CVEs
Security audit found our production container had 47 known vulnerabilities. 12 were critical.
How it happened:
- Base image:
node:14(not pinned) - Image built 18 months ago
- Never rebuilt
- No vulnerability scanning
- Full Debian base (1.2GB image)
The CVE breakdown:
- 12 Critical (remote code execution)
- 18 High (privilege escalation)
- 17 Medium
- All in base image packages we didn't use
What we fixed:
- Moved to
node:22-alpine(~130MB vs 1.2GB) — Node 22 is the active LTS line; note that jumping major Node versions is a real migration (OpenSSL 3, removed APIs), not just a base-image swap, and it cost us a sprint of testing - Added Trivy scanning to CI pipeline
- Block deploys with critical/high CVEs
- Weekly automated image rebuilds
- Pinned base image versions
Result: Zero critical/high findings at scan time, and roughly 90% smaller images. New CVEs keep landing between rebuilds — that's exactly what the weekly rebuild and the CI gate are for.
Lesson: If you're not scanning your containers, assume they're vulnerable. Container image hygiene is one of the first controls we implement in SecOps engagements because it's cheap, automatable, and closes real attack surface.