
Where to find the security hardened docker images

Çağlar Arlı


Is there any service that provides certified, security-hardened Docker images for common platforms like Python, PHP, Node, Java, etc. with 0 major/critical CVEs?

Currently, we are using the ones from Red Hat, but the problem is that even if I scan a Red Hat-provided image rated at level A (meaning clean) through the Docker Trusted Registry CVE database, I find at least 50 critical and more than 50 major CVEs in them; therefore, I can't establish a baseline on top of which I can scan the user-added apps for CVEs and decide to fail the security scanning test.

We need that kind of service to establish a secure image build pipeline, so that we don't start overlooking application-level CVEs. Once we fix all the CVEs in the base images, or get base images in which all the CVEs are fixed regularly, we will be able to decide automatically that a CVE is due to the application and stop promoting the image in the pipeline.
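The baseline idea in the question (attribute each finding either to the base image or to the application layer, and fail promotion only on what the application introduced) can be implemented as a differential check between two scan reports. The following is an added example, not code from the original post or from any scanner vendor; the JSON report shape and the CVE identifiers are constructed for the example, and `parse_report` is the one function you would adapt to a real scanner's output format.

```python
# Added example (not from the original post): differential CVE gating.
# Given a scan report for the base image and one for the application image
# built on top of it, each finding in the app image is classified as either
# inherited from the base (already tracked there) or introduced by the
# application layer. Promotion is blocked only on introduced findings at or
# above a severity threshold, so known base-image CVEs do not mask new ones.
# The report format is a constructed, simplified shape; real scanners use
# their own schemas, and only parse_report() would need adapting.
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_report(report_json):
    """Return {(cve_id, package): severity} from a simplified scan report."""
    data = json.loads(report_json)
    findings = {}
    for entry in data["vulnerabilities"]:
        key = (entry["id"], entry["package"])
        sev = entry["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {entry['severity']!r} for {key}")
        # Keep the highest severity if the scanner lists the same pair twice.
        if key not in findings or SEVERITY_RANK[sev] > SEVERITY_RANK[findings[key]]:
            findings[key] = sev
    return findings


def attribute_findings(base, app):
    """Split the app image's findings into inherited and app-introduced."""
    inherited = {k: v for k, v in app.items() if k in base}
    introduced = {k: v for k, v in app.items() if k not in base}
    return inherited, introduced


def gate(base_report_json, app_report_json, threshold="high"):
    """Decide whether the app image may be promoted past the scan stage."""
    base = parse_report(base_report_json)
    app = parse_report(app_report_json)
    inherited, introduced = attribute_findings(base, app)
    blocking = sorted(
        key for key, sev in introduced.items()
        if SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold]
    )
    return {
        "promote": not blocking,
        "blocking": blocking,
        "inherited": len(inherited),
        "introduced": len(introduced),
    }


# Constructed sample reports; the CVE ids are placeholders, not real advisories.
BASE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "CVE-0000-0001", "package": "openssl", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "package": "glibc", "severity": "MEDIUM"},
]})

APP_REPORT = json.dumps({"vulnerabilities": [
    {"id": "CVE-0000-0001", "package": "openssl", "severity": "HIGH"},      # inherited
    {"id": "CVE-0000-0002", "package": "glibc", "severity": "MEDIUM"},      # inherited
    {"id": "CVE-0000-0003", "package": "requests", "severity": "CRITICAL"}, # app-introduced
    {"id": "CVE-0000-0004", "package": "urllib3", "severity": "LOW"},       # app-introduced, below threshold
]})

if __name__ == "__main__":
    result = gate(BASE_REPORT, APP_REPORT, threshold="high")
    print(json.dumps(result, indent=2))
```

Running the module with the constructed reports blocks promotion on the one app-introduced critical finding while counting the two base-image findings as inherited. The base report should be regenerated on the same schedule as the base images are rebuilt; a stale baseline would wrongly attribute CVEs that the base maintainer has since fixed to the application layer, which is the opposite of the masking problem the check is meant to solve.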