Name and Version
bitnami/nats
What is the problem this feature will solve?
SCA tools like Trivy return vulnerabilities in the Debian-based Bitnami image that could be stripped out if you could offer a scratch-based nats image.
I know that probably most of those CVEs do not affect the image, and we could use VEX to communicate with our users that the image is not affected by those vulnerabilities. However, the reality is that VEX adoption is not there yet for them, and they'd rather have a clean slate of 0 vulnerabilities.
What is the feature you are proposing to solve the problem?
scratch-based bitnami container image compatible with current chart configuration and relocation capabilities.
What alternatives have you considered?
Other providers and official nats container images (alpine, wolfi, and scratch)
Thank you for your feedback and for sharing your use case regarding scratch-based container images. We understand the challenges tools like Trivy present when scanning Debian-based images, especially when vulnerabilities are flagged that don’t directly affect the image’s functionality or security. We regularly update our images with the latest system packages; however, certain CVEs may persist until they are patched in the OS or application. Additionally, some CVEs remain unfixed due to the absence of available patches. In vulnerability scanners like Trivy, you can use the --ignore-unfixed flag to ignore such CVEs. You can learn more about our CVE policy here.
Having said that, at the moment, we are actively reviewing our container image offerings, including assessing the trade-offs between achieving "0-CVEs" and maintaining usability and flexibility for our users. Moving certain images to scratch-based images, as you suggest, is one of the options we're evaluating to meet these goals.
We will keep you posted if NATS is refactored at some point to get rid of the underlying distro.
Thanks for the response @carrodher, looking forward to knowing more.
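The two mechanisms discussed in this thread, Trivy's --ignore-unfixed flag from the maintainer's reply and the reporter's idea of publishing VEX statements, can be shown side by side on a scan report. The following is an added example, not code from this issue or from the Bitnami project; it assumes a constructed report that mirrors the shape of Trivy's JSON output (Results[].Vulnerabilities[] with VulnerabilityID and FixedVersion) and constructed OpenVEX-style not_affected statements for a placeholder product id.

```python
import json

# Constructed sample in the shape of a Trivy JSON report (assumption: mirrors
# Trivy's "Results[].Vulnerabilities[]" layout; CVE ids and packages are made up).
TRIVY_REPORT = {
    "Results": [{
        "Target": "example.invalid/bitnami/nats (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
            # No FixedVersion: the distro has no patch yet (what --ignore-unfixed drops).
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
             "InstalledVersion": "2.3", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
             "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "LOW"},
        ],
    }]
}

# Placeholder product identifier and constructed OpenVEX-style statements in
# which the image publisher asserts one finding does not affect the product.
PRODUCT_ID = "pkg:oci/nats?repository_url=example.invalid/bitnami"
VEX_STATEMENTS = [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": PRODUCT_ID}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
]

def findings(report):
    """Flatten every vulnerability entry across all scan targets."""
    for result in report.get("Results", []):
        yield from (result.get("Vulnerabilities") or [])

def ignore_unfixed(report):
    """Mimic `trivy --ignore-unfixed`: keep only findings that have a FixedVersion."""
    return [v for v in findings(report) if v.get("FixedVersion")]

def not_affected_ids(statements, product_id):
    """CVE ids a VEX consumer may suppress: not_affected statements naming this product."""
    return {s["vulnerability"]["name"] for s in statements
            if s.get("status") == "not_affected"
            and any(p.get("@id") == product_id for p in s.get("products", []))}

def remaining_ids(report, statements, product_id):
    """Findings still reported after dropping unfixed ones and applying VEX."""
    suppressed = not_affected_ids(statements, product_id)
    return sorted(v["VulnerabilityID"] for v in ignore_unfixed(report)
                  if v["VulnerabilityID"] not in suppressed)

if __name__ == "__main__":
    print(json.dumps(remaining_ids(TRIVY_REPORT, VEX_STATEMENTS, PRODUCT_ID)))
```

Each filter hides findings for a different reason: --ignore-unfixed hides what the distro cannot fix yet, while a VEX not_affected statement hides what the publisher has analysed and ruled out, so only the second one actually conveys a security judgement.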