Security audit found our production container had 47 known vulnerabilities. 12 were critical.

How it happened:

  • Base image: node:14 (not pinned)
  • Image built 18 months ago
  • Never rebuilt
  • No vulnerability scanning
  • Full Debian base (1.2GB image)

The CVE breakdown:

  • 12 Critical (remote code execution)
  • 18 High (privilege escalation)
  • 17 Medium
  • All in base image packages we didn't use

What we fixed:

  • Moved to node:22-alpine (~130MB vs 1.2GB) — Node 22 is the active LTS line; note that jumping major Node versions is a real migration (OpenSSL 3, removed APIs), not just a base-image swap, and it cost us a sprint of testing
  • Added Trivy scanning to CI pipeline
  • Block deploys with critical/high CVEs
  • Weekly automated image rebuilds
  • Pinned base image versions

Result: Zero critical/high findings at scan time, and roughly 90% smaller images. New CVEs keep landing between rebuilds — that's exactly what the weekly rebuild and the CI gate are for.

Lesson: If you're not scanning your containers, assume they're vulnerable. Container image hygiene is one of the first controls we implement in SecOps engagements because it's cheap, automatable, and closes real attack surface.


← Back to Lessons Learned