Surface the Problem
Surface the Problemโ
Before we fix anything, let's measure exactly what's wrong with the starting image. After the setup patch, our Dockerfile starts with:
FROM node:18 AS base
node:18 is a full, unoptimised image - and it's where most teams start by default. Let's see what that costs us.
Quick vulnerability overviewโ
docker scout quickview catalog-service --org <YOUR_ORG>
You'll see something like this:
Target โ catalog-service:latest โ 2C 26H 25M 122L 4?
digest โ 360db4f00cbd โ
Base image โ node:18 โ 2C 26H 25M 122L 4?
Updated base image โ node:25-slim โ 0C 1H 2M 24L
โ โ -2 -25 -23 -98 -4
Scout is already pointing at the answer: one FROM line change from node:18 to node:25-slim would eliminate 2 critical and 25 high CVEs immediately.
Policy evaluationโ
Scout doesn't just count CVEs - it evaluates your image against a set of organisational policies:
docker scout policy catalog-service --org <YOUR_ORG>
Policy status FAILED (4/7 policies met)
Status โ Policy โ Results
โโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ Default non-root user โ
! โ AGPL v3 licenses found โ 3 packages
! โ Fixable critical or high vulnerabilities found โ 2C 26H 0M 0L
โ โ No high-profile vulnerabilities โ
โ โ No outdated base images โ
! โ Unapproved base images found โ 1 deviation
โ โ Supply chain attestations โ 0 deviations
4/7 policies failing. This is the reactive "scan and fix" cycle most teams know all too well:
- Developers pull a base image, build, ship
- CI scanner finds 2 critical and 26 high CVEs
- Developers spend 3 days researching fixes
- Rebuild - 189 vulnerabilities still remain
- Cycle repeats; security blocks deployment
The next 8 sections walk through fixing this proactively, one best practice at a time - and then migrating to DHI to eliminate the cycle altogether.