Expose which CVEs are present in every image
Describe the bug: Cortex uses Alpine as the base image. This image tends to have a number of CVEs associated with it, not related directly to Cortex.
Expected behavior: It should be possible for users/maintainers to check which CVEs are present in each release (at least).
Additional Context: The community should be aware of https://github.com/cortexproject/cortex/issues/5155 as quickly as possible.
In https://quay.io/repository/cortexproject/cortex?tab=tags there is a column with the result of the security scan; not sure if it's enough though. I wonder if GitHub has a feature to expose the image scan result as a badge.
@alvinlin123 I think if we link that somewhere in the docs we should be covered.
On a related thought, we might also switch to https://github.com/GoogleContainerTools/distroless and simplify our lives.