Description
Perform a security assessment of the linux-sysmonitor Docker image using Trivy, then harden the image by addressing identified vulnerabilities and following Docker security best practices. Document the improvements and compare security results before and after remediation.
Tasks
Acceptance Criteria
- Initial Trivy scan is completed and documented.
- Docker image is hardened using Docker security best practices.
- Base image is pinned to a specific version or digest.
- Container runs as a non-root user.
- Final image contains only required runtime dependencies.
- Vulnerability count is reduced compared to the baseline scan.
- No Critical CVEs remain, or any remaining issues are clearly documented with justification.
Commit Message
fix: harden image based on Trivy scan results (closes #16)
Why This Matters
Container security is a core DevSecOps responsibility. This exercise demonstrates how to identify, prioritize, and remediate vulnerabilities before deploying an application.
Key concepts covered include:
- Vulnerability scanning with Trivy
- CVE analysis and severity classification
- Base image hardening
- Image version pinning
- Least privilege using non-root containers
- Reducing the attack surface
- Secure container image best practices
Interview Tip: Keep your actual scan results. Being able to say something like "I reduced vulnerabilities from 14 (2 Critical, 5 High) to 3 Medium by pinning the base image, removing unnecessary packages, and running the container as a non-root user" is a strong, concrete example of improving an application's security posture during a DevOps interview.
Description
Perform a security assessment of the
linux-sysmonitorDocker image using Trivy, then harden the image by addressing identified vulnerabilities and following Docker security best practices. Document the improvements and compare security results before and after remediation.Tasks
USER appuserSECURITY.md) or your daily notes.Acceptance Criteria
Commit Message
Why This Matters
Container security is a core DevSecOps responsibility. This exercise demonstrates how to identify, prioritize, and remediate vulnerabilities before deploying an application.
Key concepts covered include: