Security of Docker Images

We use Docker in production and for our on-premises package. We are implementing the following measures to make sure that our deployments are secure.

Trusted Repository

We use a single image repository (Docker Hub). On this repository, we use official images for MongoDB, Redis and Nginx.

Docker, Inc. sponsors a dedicated team that is responsible for reviewing and publishing all content in the Official Images. This team works in collaboration with upstream software maintainers, security experts, and the broader Docker community. This team ensures security updates are applied in a timely manner.

Trusted, Minimal Images

Backend

We build our backend container image from a trusted, minimal base image : python:<version>-slim

This image does not contain the common packages contained in the default tag and only contains the minimal packages needed to run python. We only pull the packages that we need. We install our connectors to external data systems sparingly and on demand in order to minimize attack surface.

Frontend

We build our frontend container image from a trusted, minimal base image : nginx:<version>-alpine

This image does not contain the common packages contained in the default tag and only contains the minimal packages needed to run nginx. We only copy Toucan Toco’s frontend files (cf CSS, JS, HTML).

Rendering

Toucan Toco has optional features allowing creation of PDFs or taking screenshots of elements of the Toucan Toco UI. This is done in specific containers running for each customer instance with no exposed port.

This image is built on node:<verison>-slim and uses Chrome.

Static Image Scanning

We implement image scanning and analysis as part of our backend CI/CD pipeline. We use Clair to do this. Our Clair instance CVE database is updated every five minutes.

Some of our on-premises customers are using Docker Security Scanning rather than Clair. We know the results of scans with different tools can be different. If your tooling is picking out vulnerabilities that we have not seen, please contact us with information on the layer and version of the problematic binary and we will help you to assess the severity of the situation and on how to potentially fix it.

If you run scans on our image you need to know that they will initially find some binaries marked as “vulnerable”. CVEs are attached to libraries and programs but their impact is evaluated and mitigated differently by different distributions and maintainers. In some cases a high severity vulnerability can be marked as a minor issue in a given distribution because it can only be exploited on other distributions and images (for further details about this you should refer to this Docker Official image FAQ entry).

For this reason, we maintain a whitelist of the CVEs that we know are not relevant in our context (Debian userland) and should not be taken into account in security assessments. The veracity of the information in this list can always be double checked using the Debian security tracker information, and we encourage your team to do so.

At this time, we are not running scans on the node + Chrome image used in optional features depending on rendering parts of the app to PDF and images.

Image validation policy

We maintain a physical separation between our build environnement and our production repository. Our images are built and scanned on our CI/CD infrastructure and are not pushed to our image repository if we find new vulnerabilities. As a result we cannot deploy images with new vulnerabilities in production.

Summary

docker security and push workflow

docker security and push workflow