Skip to main content

Surface the Problem

Surface the Problemโ€‹

Before we fix anything, let's measure exactly what's wrong with the starting image. After the setup patch, our Dockerfile starts with:

FROM node:18 AS base

node:18 is a full, unoptimised image - and it's where most teams start by default. Let's see what that costs us.

Quick vulnerability overviewโ€‹

docker scout quickview catalog-service --org <YOUR_ORG>

You'll see something like this:

Target โ”‚ catalog-service:latest โ”‚ 2C 26H 25M 122L 4?
digest โ”‚ 360db4f00cbd โ”‚
Base image โ”‚ node:18 โ”‚ 2C 26H 25M 122L 4?
Updated base image โ”‚ node:25-slim โ”‚ 0C 1H 2M 24L
โ”‚ โ”‚ -2 -25 -23 -98 -4

Scout is already pointing at the answer: one FROM line change from node:18 to node:25-slim would eliminate 2 critical and 25 high CVEs immediately.

Policy evaluationโ€‹

Scout doesn't just count CVEs - it evaluates your image against a set of organisational policies:

docker scout policy catalog-service --org <YOUR_ORG>
Policy status FAILED (4/7 policies met)

Status โ”‚ Policy โ”‚ Results
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
โœ“ โ”‚ Default non-root user โ”‚
! โ”‚ AGPL v3 licenses found โ”‚ 3 packages
! โ”‚ Fixable critical or high vulnerabilities found โ”‚ 2C 26H 0M 0L
โœ“ โ”‚ No high-profile vulnerabilities โ”‚
โœ“ โ”‚ No outdated base images โ”‚
! โ”‚ Unapproved base images found โ”‚ 1 deviation
โœ“ โ”‚ Supply chain attestations โ”‚ 0 deviations

4/7 policies failing. This is the reactive "scan and fix" cycle most teams know all too well:

  1. Developers pull a base image, build, ship
  2. CI scanner finds 2 critical and 26 high CVEs
  3. Developers spend 3 days researching fixes
  4. Rebuild - 189 vulnerabilities still remain
  5. Cycle repeats; security blocks deployment

The next 8 sections walk through fixing this proactively, one best practice at a time - and then migrating to DHI to eliminate the cycle altogether.