The node image is built on top of one of the buildpack-deps images. The Docker buildpack-deps are a collection of common build dependencies used for installing various modules and widely used as a base image for building other images. [https://snyk.io/blog/the-top-two-most-popular-docker-base-images-each-have-over-500-vulnerabilities/](https://snyk.io/blog/the-top-two-most-popular-docker-base-images-each-have-over-500-vulnerabilities/)
This is part of a more complete Shifting Docker security left report at [https://snyk.io/blog/shifting-docker-security-left/](https://snyk.io/blog/shifting-docker-security-left/)
This is a bit of old fear mongering I’ve seen before. The vast majority of these vulnerabilities deal with a user inside a container gaining more privileges inside the same container. Yes, container OSs aren’t super secure. They aren’t intended to be. Your images are in fact not running “inside” those OSs. Your container executables run inside your kernel. Their OSs are simply files/tools that your container executable has access to.
Use a distroless build for node?
Is there a technical reason they don’t have a yum/apt update line in the dockerfiles? I can only guess it’s dependency issues.
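Putting the two replies above into one Dockerfile, as an added example (this is not code from the thread, nor from the node or distroless projects): a multi-stage build that runs the apt update/upgrade in the build stage and ships the application on a distroless Node.js base. The image tags, the `nonroot` user and the project layout (package.json, package-lock.json, src/index.js) are assumptions for the example.

```dockerfile
# Added example, not from the original thread.
# Stage 1: build on the stock node image (itself built on buildpack-deps),
# pulling in the distro security updates that the official Dockerfiles
# leave out. Note this only hardens the build stage: nothing from this
# stage's OS is copied into the runtime image below.
FROM node:18-bullseye AS build
# Assumed layout: package.json, package-lock.json and src/ sit next to this file.
WORKDIR /app
# update and upgrade in a single RUN so a stale package index is never
# cached on its own layer; drop the lists afterwards to keep the layer small.
RUN apt-get update \
 && apt-get -y upgrade \
 && rm -rf /var/lib/apt/lists/*
COPY package.json package-lock.json ./
# npm ci installs exactly what the lockfile pins; --omit=dev skips dev dependencies.
RUN npm ci --omit=dev
COPY src/ ./src/

# Stage 2: copy only the app and its node_modules onto distroless, which
# ships no shell, no package manager and none of the buildpack-deps
# toolchain, so there is nothing for apt to update and far fewer packages
# for a scanner to flag.
FROM gcr.io/distroless/nodejs18-debian11
WORKDIR /app
COPY --from=build /app /app
# distroless images define a nonroot user; do not run the app as root.
USER nonroot
# The distroless nodejs image's entrypoint is node itself, so CMD is just the script.
CMD ["src/index.js"]
```

Because the runtime stage is rebuilt from a fresh distroless base rather than patched in place, getting OS-level fixes into production means rebuilding the image against a newer base, not running an update inside the container.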
As another commenter mentioned, a lot of these vulnerabilities are simply minor things and many times non-applicable. But I will tell you what the true security issue with docker is, and that is many, many people are just using any and all docker images from docker hub that work for them. When I need a container as a base for production, I fork the underlying repo and set it to auto-build on my public docker hub. I then use that image rather than the original because if anyone compromised the account of the image creator, and you update your image, you have no idea what code you could be pulling into your system.
I just noticed recently that several of my containers (that have only been there for less than 6 months) had thousands and thousands of downloads. And an update on one of them broke a few things and people opened issues asking for help because the update broke their implementation.
A couple of lines of code in any of these repos could easily push it out to thousands of systems and turn them into botnets if I wanted – or if my account was compromised and a hacker wanted to.
People just aren’t vetting these containers at all, just like people aren’t vetting NPM dependencies. I’m surprised we haven’t heard of more issues caused by compromised popular containers. Imagine if someone compromised the credentials for one of the “official” repos like alpine or another linux distro.