Reducing vulnerabilities with Red Hat Minimal images

By Alvaro Neira posted Jun 02, 2025 07:11 AM

One of the biggest headaches for any company’s security team is dealing with vulnerabilities. Imagine a huge company running thousands of products across tons of servers, each one potentially packed with vulnerabilities just waiting to be exploited. It’s a serious daily risk, and naturally, businesses want their products to have as few vulnerabilities as possible.

At Tanzu Application Catalog, we take security seriously. We’ve put a lot of effort into building processes that help us release products with the lowest possible number of vulnerabilities, while making sure to track down and fix the critical ones. In this article, we’re going to walk you through one of the solutions we came up with to shrink our container images and cut down on the number of vulnerabilities at the same time.

Smaller is better

Container images packed with lots of tools are super convenient for users. They make it easy to troubleshoot issues or tweak configurations whenever needed. The downside is that every extra tool adds to the image size and, with it, to the number of potential vulnerabilities.

One of the best ways to keep images lean is to start from minimal base container images from distributions like Debian or Red Hat. By switching to these minimal container images, it’s possible to cut vulnerabilities by more than 50%. This is the strategy we’ve trusted before, and we intend to stick with it.

With that in mind, Tanzu Application Catalog now delivers Red Hat-based container images using Red Hat Universal Base Image 8 and 9 Minimal. This change helps us keep our container images lean, secure, and focused on what really matters.


What are these Minimal container images and why are they good to use?

Minimal container images are designed for applications that ship their own dependencies. Their main characteristics are:

  • Minimized pre-installed content set

  • No SUID binaries

  • Minimal package manager (install, update and remove)

They are ideal for reducing the size of your container images and for making sure you ship only the tools your products actually need.
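The "No SUID binaries" property is one you can verify yourself once an image has been built. The following shell script is an added example, not code from the original post or from Tanzu Application Catalog: it audits an extracted container root filesystem for setuid/setgid files. The docker create/export workflow in the header comment is an assumption about how you obtain that filesystem.

```shell
#!/bin/sh
# Added example (not from the original post): audit an extracted container
# root filesystem for setuid/setgid binaries, one of the properties the
# UBI Minimal images are described as having ("No SUID binaries").
#
# One way to obtain a root filesystem to audit (assumed workflow):
#   cid=$(docker create registry.access.redhat.com/ubi9/ubi-minimal)
#   mkdir rootfs && docker export "$cid" | tar -C rootfs -xf -
#   docker rm "$cid"
#   audit_suid rootfs

# Number of regular files under $1 with the setuid (4000) or setgid (2000)
# bit set. A clean minimal image is expected to report 0.
count_suid() {
    # -xdev: do not cross into other mounted filesystems
    # -type f: directories with setgid only affect group inheritance
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Print every setuid/setgid file under $1 together with its mode string.
# Returns 0 when nothing is found, 1 otherwise, so it can gate a CI step.
audit_suid() {
    dir=$1
    hits=$(find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -z "$hits" ]; then
        echo "OK: no setuid/setgid binaries under $dir"
        return 0
    fi
    echo "FOUND setuid/setgid binaries under $dir:"
    echo "$hits" | while IFS= read -r f; do
        # first field of ls -ld is the mode string, e.g. -rwsr-xr-x
        printf '  %s %s\n' "$(ls -ld "$f" | cut -d' ' -f1)" "$f"
    done
    return 1
}
```

Run the audit against both the base image and your final application image: a product that pulls in a setuid helper through one of its own dependencies reintroduces exactly what the minimal base removed.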

Behind the scenes

Since these minimal container images only include the most essential tools, we have to carefully check each product and validate it in our extended test suite to make sure all of its dependencies are covered.

The change impacts over 200 applications, and one of our top priorities is making sure this transition happens seamlessly, without causing any issues for our users or customers.

Results, just show me the results

Some examples of applications using the new minimal container images, with the vulnerability counts found before and after the switch:

  Application     Before (LOW / MEDIUM / HIGH / CRITICAL)   After (LOW / MEDIUM / HIGH / CRITICAL)   Vulnerabilities reduced
  Java 24         173 / 18 / 0 / 0                           37 / 9 / 0 / 0                           145
  PostgreSQL 17   172 / 19 / 0 / 0                           35 / 10 / 0 / 0                          146
  PyTorch         173 / 18 / 0 / 0                           35 / 10 / 0 / 0                          146
  Kafka           172 / 24 / 0 / 0                           35 / 13 / 0 / 0                          148


Looking at the results, we’re happy to see that all our Red Hat container images are now being released with significantly fewer vulnerabilities than before. It’s a win for security and peace of mind: our users don’t have to worry as much about potential security issues lurking in their container images. Happy users, happy life 🙂