Fixing Vulnerabilities in Docker Images
Apply the findings of an image scan to produce a more secure Dockerfile. The original and the hardened version are shown below:
# Original vulnerable Dockerfile
#
# Kept as the "before" example: the instructions below are what the scan
# flagged, and the improved Dockerfile beneath addresses each of them.
# Older Ubuntu release with no digest; security fixes for the OS packages
# only arrive by rebuilding against a newer base.
FROM ubuntu:20.04
# Package versions are not pinned, recommended packages are pulled in
# (no --no-install-recommends), and the apt lists stay in the layer.
# nginx is installed but nothing in this file starts it, so it only
# enlarges the attack surface.
RUN apt-get update && apt-get install -y \
curl \
nginx \
python3-pip
# No WORKDIR is set, so requirements.txt and app.py are copied into /.
COPY requirements.txt .
# pip runs as root without --no-cache-dir, so its download cache is baked
# into the image layer.
RUN pip3 install -r requirements.txt
COPY app.py .
# No USER directive: the application process runs as root.
CMD ["python3", "app.py"]
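# syntax=docker/dockerfile:1
# Improved Dockerfile after scanning
#
# Two stages: `builder` resolves the Python dependencies; the final stage
# carries only the interpreter, the installed packages and app.py, and runs
# as an unprivileged user. The parser directive above must stay on line 1.
FROM ubuntu:22.04 AS builder
# Build inside a fixed directory so relative COPY targets do not land in /.
WORKDIR /app
# Update and patch in builder stage. Package versions are pinned so a rebuild
# cannot silently pull a different (possibly vulnerable) version; bump the
# pins deliberately when the scanner reports a fix. curl is build-only and
# is discarded with this stage.
RUN apt-get update && apt-get upgrade -y && \
    apt-get install -y --no-install-recommends \
    curl=7.81.0-1ubuntu1.13 \
    python3-pip=22.0.2+dfsg-1ubuntu0.3 && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
# Dependencies first: this layer is cached until requirements.txt changes.
COPY requirements.txt .
# --no-cache-dir keeps pip's download cache out of the layer.
RUN pip3 install --no-cache-dir -r requirements.txt

FROM ubuntu:22.04
# Minimal runtime image: no pip, no curl, no build tooling.
# NOTE(review): python3-minimal omits part of the standard library; if app.py
# or its dependencies import a module that is missing at runtime, install the
# full python3 package here instead — confirm against the application.
RUN apt-get update && apt-get upgrade -y && \
    apt-get install -y --no-install-recommends \
    python3-minimal=3.10.6-1~22.04 && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* && \
    useradd -r -u 1001 appuser
# Run from a dedicated directory rather than /.
WORKDIR /app
# Do not write .pyc files into the container at runtime, and do not buffer
# stdout/stderr so logs reach the container runtime immediately.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1
# Only the resolved site-packages are taken from the builder; everything else
# in that stage (pip, curl, apt state) is left behind.
# NOTE(review): console-script entry points that pip placed in /usr/local/bin
# are not copied; add a second COPY --from=builder for them if app.py needs any.
COPY --from=builder /usr/local/lib/python3.10/dist-packages /usr/local/lib/python3.10/dist-packages
# Application source stays root-owned and read-only for appuser: the process
# does not need to modify its own code, so a compromised process cannot
# rewrite it in place.
COPY --chmod=0444 app.py .
# Drop privileges for the running process.
USER appuser
# Exec form: python3 is PID 1 and receives SIGTERM directly from `docker stop`.
CMD ["python3", "app.py"]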