Thought your Node.js latest Docker image was safe?

author_profile
Jan Schulte
Thursday, Oct 12th, 2023

For all developers who run containerized JavaScript workloads in production: Is relying on node:latest as your base image a safe choice? It's effective from a developer productivity standpoint as you're up and running quickly. Have you ever wondered if the image is secure?

This blog post examines the potential security implications of using node:latest as your base image.

Scan node:latest for vulnerabilities

We want to determine if node:latest is vulnerable, and if so, to what extent. To see some results quickly, we'll use the grype command line scanning tool:

grype node:latest
Animation of Grype Docker image scan, narrowing down search results by critical 2023 CVEs

As you can see in the animation, the output is pervasive. What it comes down to, are the following lines:

➜ grype node:latest
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                                                                                                   node:latest
 ✔ Parsed image                                                       sha256:7828fdf71577e0d266f905d26d27e46ac418ac2fa8fc05a78ad01c8811b7abb6
 ✔ Cataloged packages              [683 packages]
 ✔ Scanned for vulnerabilities     [770 vulnerability matches]
   ├── by severity: 3 critical, 59 high, 230 medium, 30 low, 430 negligible (18 unknown)
   └── by status:   56 fixed, 714 not-fixed, 0 ignored

The default image contains 770 vulnerabilities. How would you ship something so vulnerable into production?

Let's look closer to see what exactly grype found and what we need to address.

Managing vulnerabilities

Seeing the above output does not feel great. Does that mean you shouldn't rely on this image?
No. Instead, it is an opportunity to investigate deeper and make conscious decisions about using this image.

The report outlines four hundred thirty reported issues as negligible, meaning their impact on overall security does not have a significant effect, if at all. What matters more is the number of high and critical findings. Depending on the vulnerability, an attacker can easily leverage it to access the system or worse. We also want to keep an eye on the number of fixed packages. This number indicates how many vulnerabilities have a fix available we can easily apply. While it may be challenging to reach zero vulnerabilities, we can work proactively toward it to reduce the number as much as possible. A good starting point, in this case, is to run apt-get update && apt-get upgrade -y as part of the image-building process, perhaps even in a base image.

Keeping tabs on vulnerabilities

Doing a one-off scan is excellent for understanding a specific image version's overall state of security. What's the next step? Ideally, you want to see which images are most affected by security vulnerabilities without running a one-off scan first. As developers push new image versions, image repositories need to get scanned continuously. Also, we want to understand how many images and currently active workloads are affected whenever a new critical CVE surfaces. Panoptica excels in both use cases.

If you're using Amazon AWS (the same applies to Google Cloud Platform and Microsoft Azure), you can connect to Panoptica to gain additional security insights.

Panoptica Docker image list view, showing vulnerabilities for node:latest

The screenshot above shows a Node.js base image hosted on AWS ECR. Panoptica automatically scans ECR repositories in connected accounts to provide vulnerability insights. At a glance, you can see the number of found vulnerabilities, categorized by severity.

As we drill down, we get information on the most critical CVEs:

Instead of asking each team to enhance their CI/CD pipeline to add vulnerability scanning, with Panoptica, you get data automatically. It saves you time and nerves as you can check data immediately, for instance, when a new CVE hits the news. From the view above it is also straightforward to share important information with others, as you can forward a link to a colleague or create a ticket (e.g. Jira or ServiceNow) right away.

What's next?

It is feasible to rely on the node Docker image. Yet, instead of directly deploying an image into production, adopt the habit of scanning it first. The more insight you have, the better. Once the next critical CVE is on the news, with Panoptica, you immediately see if you're affected in any way. Just because it's latest does not automatically mean it is secure. Use Panoptica's data to ship patched versions or build a smaller base image with a smaller package footprint. Interested in image scanning and other security features? Sign up for Panoptica today.

Popup Image