Docker Images Security¶
We use docker in production and for our on-premises package. We are implementing the following measures to make sure that our deployments are secure.
Docker, Inc. sponsors a dedicated team that is responsible for reviewing and publishing all content in the Official Images. This team works in collaboration with upstream software maintainers, security experts, and the broader Docker community. This team ensures security updates are applied in a timely manner.
Trusted, minimal images¶
We build our backend container image from a trusted, minimal base
This image does not ship the common packages found in the default tag; it contains only the minimal set of packages needed to run Python. We pull only the packages we need, and we install connectors to external data systems sparingly and on demand in order to minimize the attack surface.
Toucan Toco has optional features for creating PDFs or taking screenshots of elements of the Toucan Toco UI. This is done in dedicated containers, one per customer instance, with no port exposed.
This image is built on node:<version>-slim and uses Chrome.
Image static scanning¶
We implement image scanning and analysis as part of our backend CI/CD pipeline. We use Clair to do this. Our Clair instance CVE database is updated every five minutes.
Some of our on-premises customers use Docker Security Scanning rather than Clair. We know that scan results can differ between tools. If your tooling flags vulnerabilities that we have not seen, please contact us with the layer and the version of the problematic binary, and we will help you assess the severity of the situation and potentially fix it.
If you run scans on our image, be aware that they will initially flag some binaries as “vulnerable”. CVEs are attached to libraries and programs, but their impact is evaluated and mitigated differently by each distribution and maintainer. In some cases a vulnerability rated high severity is marked as a minor issue in a given distribution because it can only be exploited on other distributions and images (for further details, refer to this Docker Official Images FAQ entry).
For this reason, we maintain a whitelist of the CVEs that we know are not relevant in our context (Debian userland) and should not be taken into account in security assessments. Each entry in this list can be cross-checked against the Debian security tracker, and we encourage your team to do so.
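The triage step described above, as an added example that is not part of the original page or of Toucan Toco's tooling: a scan report is flattened into findings, known-irrelevant CVEs are suppressed from a whitelist, and anything left is checked against a severity threshold. The report layout is a simplified, constructed approximation of a layer-oriented scanner output, not Clair's exact schema; the CVE identifiers, layer digests and package versions are placeholders. Whitelist entries are scoped to a package, so the same CVE reported against an unrelated binary is not silently dropped, and each entry carries the Debian security tracker reference that justifies it.

```python
"""Triage a container image scan report against a CVE whitelist.

Added example. The report shape, CVE ids (CVE-0000-*), layer digests and
versions below are constructed placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Severity scale, lowest to highest (Clair's vocabulary).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    version: str
    severity: str
    layer: str


@dataclass(frozen=True)
class WhitelistEntry:
    cve: str
    package: str        # scope: suppress this CVE only for this package
    justification: str  # why it does not apply in our Debian userland context
    reference: str      # Debian security tracker entry backing the verdict


def parse_report(report: Dict) -> List[Finding]:
    """Flatten a layer-oriented report into one Finding per (layer, package, CVE)."""
    findings: List[Finding] = []
    for layer in report["layers"]:
        for feature in layer.get("features", []):
            for vuln in feature.get("vulnerabilities", []):
                findings.append(Finding(
                    cve=vuln["name"],
                    package=feature["name"],
                    version=feature["version"],
                    severity=vuln.get("severity", "Unknown"),
                    layer=layer["name"],
                ))
    return findings


def triage(findings: Sequence[Finding],
           whitelist: Sequence[WhitelistEntry]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (remaining, suppressed) using (cve, package) scoping."""
    allowed = {(w.cve, w.package) for w in whitelist}
    remaining, suppressed = [], []
    for f in findings:
        (suppressed if (f.cve, f.package) in allowed else remaining).append(f)
    return remaining, suppressed


def rank(severity: str) -> int:
    """Map a severity label to its position; unrecognised labels rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def exceeds_threshold(findings: Sequence[Finding], threshold: str = "High") -> bool:
    """True if any remaining finding is at or above the threshold (gate the build on this)."""
    return any(rank(f.severity) >= rank(threshold) for f in findings)


def summarize(findings: Sequence[Finding]) -> List[str]:
    """Lines carrying the layer and binary version a vendor needs to assess a report."""
    return [f"{f.layer} {f.package} {f.version} {f.cve} {f.severity}"
            for f in sorted(findings, key=lambda f: -rank(f.severity))]


# Constructed sample report: two layers, three findings.
SAMPLE_REPORT = {
    "layers": [
        {"name": "sha256:placeholder-base-layer", "features": [
            {"name": "libc6", "version": "0.0-placeholder", "vulnerabilities": [
                {"name": "CVE-0000-00001", "severity": "High"}]},
            {"name": "openssl", "version": "0.0-placeholder", "vulnerabilities": [
                {"name": "CVE-0000-00002", "severity": "Medium"}]},
        ]},
        {"name": "sha256:placeholder-app-layer", "features": [
            {"name": "libxml2", "version": "0.0-placeholder", "vulnerabilities": [
                {"name": "CVE-0000-00001", "severity": "High"}]},  # same CVE, other package
        ]},
    ]
}

# Constructed whitelist: one entry, scoped to libc6 only.
WHITELIST = [
    WhitelistEntry("CVE-0000-00001", "libc6",
                   "placeholder: distribution marks the issue as not affecting this package",
                   "https://security-tracker.debian.org/tracker/CVE-0000-00001"),
]

if __name__ == "__main__":
    remaining, suppressed = triage(parse_report(SAMPLE_REPORT), WHITELIST)
    print("suppressed:", *summarize(suppressed), sep="\n  ")
    print("remaining:", *summarize(remaining), sep="\n  ")
    print("gate fails:", exceeds_threshold(remaining, "High"))
```

In the sample, the libc6 finding is suppressed, while the identical CVE against libxml2 stays in the remaining list because the whitelist entry is scoped to libc6; with a "High" threshold that remaining finding fails the gate. The `summarize` lines carry exactly the layer and binary version the page asks customers to send when their tooling reports something unexpected.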
At this time, we are not running scans on the node + Chrome image used internally by the features that render parts of the app to PDF and images.