Skip to content

Evaluation of Docker Base Image Security

In the Center for Internet Security (CIS) Docker Benchmark v1.2.0, one of the recommendations says, "4.3 Ensure that unnecessary packages are not installed in the container."

It further states, "You should consider using a minimal base image rather than the standard Red Hat/CentOS/Debian images if you can. Some of the options available include BusyBox and Alpine."

The following sections present security aspects of different Linux distributions compared to Alpine Docker image. This doesn't necessarily mean that one is the best for Docker base images. Other factors, such as usability and compatibility, should also be considered when choosing the most suitable Docker image for an organization.

Evaluation overview

To evaluate Alpine’s security, we compared it with the following popular Linux distributions: Ubuntu, CentOS, and Red Hat Enterprise Linux 7.

For this comparison, we used the latest version, as of March 12, 2020, of each distribution’s Docker image and compared them in four different categories:

  • Image size
  • Number of packages installed by default
  • Number of historical vulnerabilities reported on cvedetails.com
  • Number of vulnerabilities reported by the Clair scan

The following table summarizes the numbers for each distribution.

Alpine Ubuntu CentOS RHEL7
Image Version alpine:3.11.3 ubuntu:18.04 centos:centos8.1.1911 rhel7:7.7-481
Image Size 5.59MB 64.2MB 237MB 205MB
Number of Packages Installed 14 89 173 162
Number of Historical CVE*s 2 2007 2 662
Number of Vulnerabilities Reported by Clair 0 32 7 0

*CVE - Common Vulnerabilities and Exposures

Image size

Alpine has an advantage in image size. Although smaller size doesn’t directly translate into better security, the smaller size does mean less code packed into the image, which means smaller attack surface.

Number of packages installed

Because of Alpine's smaller size, Alpine has the fewest packages out of box. Fewer packages means lesser chance of having vulnerabilities in the dependencies, which is a plus for security.

Number of historical CVEs

Alpine and CentOS both rank highest in number of historical CVEs even though CentOS has a close relationship with RHEL7, and RHEL7 has 600+ reported vulnerabilities.

Number of vulnerabilities reported by Clair

Some vulnerabilities reported by Clair might not be real issues, but their presence does mean extra overhead for developers or security teams to triage these findings. This overhead can be avoided if unnecessary dependencies are excluded from the image in the first place.

Final evaluation results

Although none of the four categories is perfect on its own for evaluating the security of a Linux distribution, in combination, Alpine presents greater advantages for use, which is why we selected it as the disribution for all of our Docker images.

References

Ping Identity's Docker Image Hardening Guide

For best practices for securing your product Docker image, see Ping Identity's Hardening Guide.