-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is this image meet any security benchmark #1754
Comments
The .NET images do not have any security benchmarks applied. Are you aware if this is a practice applied to any of the Official Images on Docker Hub? |
I don't think so. Many images, for better or worse, are in a much much worse position. For example, see docker-library/openjdk#320 which links to this email:
|
|
I don't actually know what "security benchmark" means. If it means, "are they scanned", the answer is "yes". We would very much like to post the results, but don't currently. The challenge is that they are scanned by a team in another part of Microsoft that doesn't have an automatic export capability of the results that we can publish. We have asked for this. Stepping back, we should define what security scanners do and the value they provide you as a user. Also, if I have any of this wrong, I'd like to be corrected.
Now, let's talk about the practices we use for producing container images.
So, as it relates to .NET Core images that rely on Linux distro images, the leading edge of .NET Core digests (that our tags point to) are always up to date. Then, there is the unique code that we ship (.NET Core). By the definition I provided above on how security scanners work, .NET Core never has security vulnerabilities in it. How so? We release fixes for AND disclose vulnerabilities together. This happens on most patch tuesdays (second tuesday of the month). That leads to an outcome where .NET Core images are always up-to-date as it relates to both the Linux distro, higher-level packages (like openssl) and .NET Core. As it relates to Linux, there may still be disclosed vulnerabilities in the latest images. Based on a previous analysis we did, this is frequently the case. There is nothing we can do about that. We recommend that you choose Alpine if you care deeply about this topic. In addition, we recommend running containers with least privilege (not as root). We are in the process of writing guidance that covers some of that scenario. We also recommend you do one of the following:
Also, I highly doubt that this problem is specific to containers. I would imagine that an unpatched vulnerability in Debian, for example, would be unpatched in both the latest container and latest ISO or VHD (for VMs). We have been asked this general question many times. There is no great answer. I hope that helps. I'm also happy to talk about it further. ¯\(ツ)/¯ |
Looks like my reply was on the wrong topic. Ooops! Security benchmarks are new for me. We haven't targeted those before. They seems more like something that a user of our images would reason about. Our only goal is to not make images worse than what we pull from Debian, for example. Is that a fair model? |
As Rich eluded to we feel this is something that would make more sense for users of the .NET Core to do against the images they build on top of the .NET Core images. Closing. |
We are using this image.Please let me know any security benchmark (policy) applied in this image.
The text was updated successfully, but these errors were encountered: