The security scanner that cried wolf
If you run a security scanner on your Docker image, you might be in for a shock: often you’ll be warned of dozens of security vulnerabilities, even on the most up-to-date image.
After the third or fourth time you get this result, you’ll start tuning the security scanner out.
Eventually, you won’t pay attention to the security scanner at all—and you might end up missing a real security vulnerability that slipped through.
This is not your fault: the problem is the way many security scanners report their results.
So let’s see what they output, why it’s problematic, and how to get more useful security scanner results.
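Before looking at real scanner output, here is a small triage script, added as an example and not part of the original article or any scanner's own tooling. It reads a report in the shape of Trivy's JSON output (the field names `Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity` are an assumption of this example) and separates findings that carry a fixed package version from those that do not. The sample report is constructed inline with placeholder `CVE-EXAMPLE-*` identifiers and made-up versions, so it runs offline; swap in the output of a real scan to see how much of a "dozens of vulnerabilities" result an image rebuild could actually change.

```python
import json
from collections import Counter

# Constructed sample scanner report for this example. The shape is modelled
# on Trivy's JSON output, but the field names are an assumption of this
# example and the vulnerability IDs/versions are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "myimage:latest (debian)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libc6",
             "InstalledVersion": "2.31-13", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libc6",
             "InstalledVersion": "2.31-13", "FixedVersion": "", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib1g",
             "InstalledVersion": "1:1.2.11.dfsg-2", "FixedVersion": "", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "openssl",
             "InstalledVersion": "1.1.1n-0", "FixedVersion": "1.1.1n-0+deb11u1",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0005", "PkgName": "perl-base",
             "InstalledVersion": "5.32.1-4", "FixedVersion": "", "Severity": "HIGH"},
        ],
    }],
})


def load_findings(report_json: str) -> list[dict]:
    """Flatten a report into one dict per (package, vulnerability) pair."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null rather than [] when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "package": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                # An empty FixedVersion means no patched package exists yet.
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def triage(findings: list[dict]) -> dict:
    """Split findings into those a package upgrade can fix and those it cannot.

    Findings with no fixed version will survive a rebuild on the newest base
    image, so they are the ones that keep appearing scan after scan.
    """
    fixable = [f for f in findings if f["fixed"]]
    unfixable = [f for f in findings if not f["fixed"]]
    return {
        "total": len(findings),
        "fixable": fixable,
        "unfixable": unfixable,
        "unfixable_by_severity": Counter(f["severity"] for f in unfixable),
    }


def actionable_summary(report_json: str) -> list[str]:
    """Headline count plus one line per finding an upgrade would actually fix."""
    t = triage(load_findings(report_json))
    lines = [f"{t['total']} findings, {len(t['fixable'])} fixable, "
             f"{len(t['unfixable'])} with no fix yet"]
    for f in sorted(t["fixable"], key=lambda f: (f["severity"], f["id"])):
        lines.append(f"{f['severity']:8} {f['id']} {f['package']} "
                     f"{f['installed']} -> {f['fixed']}")
    return lines


if __name__ == "__main__":
    print("\n".join(actionable_summary(SAMPLE_REPORT)))
```

Run against the constructed report, the script reports five findings of which only one has a fix available; on a real image that ratio is what tells you whether "rebuild on the latest base image" will change anything, and which handful of entries deserve a look first.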
Demonstrating the problem
Let’s say I create the following Dockerfile, using the latest stable release of Debian at the time of