Security of Docker Images¶
We use Docker in production and for our self-hosted package. We are implementing the following measures to make sure that our deployments are secure.
Docker, Inc. sponsors a dedicated team that is responsible for reviewing and publishing all content in the Official Images. This team works in collaboration with upstream software maintainers, security experts, and the broader Docker community. This team ensures security updates are applied in a timely manner.
Trusted, Minimal Images¶
We build our backend container image from a trusted, minimal base
This image does not contain the common packages contained in the default tag and only contains the minimal packages needed to run python. We only pull the packages that we need. We install our connectors to external data systems sparingly and on demand in order to minimize attack surface.
We build our frontend container image from a trusted, minimal base
This image does not contain the common packages contained in the default tag and only contains the minimal packages needed to run nginx. We only copy Toucan Toco’s frontend files (cf CSS, JS, HTML).
Toucan Toco has optional features allowing creation of PDFs or taking screenshots of elements of the Toucan Toco UI. This is done in specific containers running for each customer instance with no exposed port.
This image is built on
node:<version>-slim and uses Chrome.
Static Image Scanning¶
We implement image scanning and analysis as part of our backend CI/CD pipeline. We use Clair to do this. Our Clair instance CVE database is updated every five minutes.
Some of our self-hosted customers are using Docker Security Scanning rather than Clair. We know the results of scans with different tools can be different. If your tooling is picking out vulnerabilities that we have not seen, please contact us with information on the layer and version of the problematic binary and we will help you to assess the severity of the situation and on how to potentially fix it.
If you run scans on our image you need to know that they will initially find some binaries marked as “vulnerable”. CVEs are attached to libraries and programs but their impact is evaluated and mitigated differently by different distributions and maintainers. In some cases a high severity vulnerability can be marked as a minor issue in a given distribution because it can only be exploited on other distributions and images (for further details about this you should refer to this Docker Official image FAQ entry).
For this reason, we maintain a backend and frontend whitelist of the CVEs that we know are not relevant in our context (Debian userland) and should not be taken into account in security assessments. The veracity of the information in this list can always be double checked using the Debian security tracker information, and we encourage your team to do so.
At this time, we are not running scans on the node + Chrome image used in optional features depending on rendering parts of the app to PDF and images.