u/Alone_Bread5045

Why are freshly rebuilt container images still showing old CVEs?

We have a nightly pipeline that rebuilds all our container images from scratch: fresh apt-get update, fresh npm install, the whole thing.

Every morning we scan the new images. Same CVEs. Same packages. Same versions. Nothing changes.
Turned out the rebuild wasn’t the issue. The base image is pinned to an old digest, so even though the Dockerfile says ubuntu:22.04, it keeps pulling the same underlying layers.
Devs don’t want to touch it because “it works.” Security keeps flagging the same vulns every day. Stuck in a loop.

How are you keeping base images fresh without breaking builds every time something upstream changes?

u/Alone_Bread5045 — 3 days ago
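One way to turn the diagnosis in the post into a pipeline check, as an added example that is not from the post or from any particular tool: parse the `FROM` lines of a Dockerfile, compare each pinned digest with what the tag resolves to now, and rewrite stale pins. The `resolve` callable is an assumption standing in for a registry lookup (in practice something like `crane digest` or `docker buildx imagetools inspect`); the sample Dockerfile and digests below are constructed placeholders, not real image digests.

```python
"""Find and refresh stale digest pins in a Dockerfile's FROM lines."""
import re
from typing import Callable, Optional

# FROM [--platform=...] <ref> [AS <name>]; ref = image[:tag][@sha256:<hex>]
FROM_RE = re.compile(
    r"^(?P<lead>[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?)"
    r"(?P<ref>\S+)(?P<rest>(?:[ \t]+AS[ \t]+\S+)?[ \t]*)$",
    re.IGNORECASE | re.MULTILINE,
)

def split_ref(ref: str) -> tuple[str, str, Optional[str]]:
    """Split 'image[:tag][@digest]' into (image, tag, digest); tag defaults to 'latest'."""
    name, _, digest = ref.partition("@")
    # A ':' after the last '/' is a tag; an earlier ':' belongs to a registry port.
    slash, colon = name.rfind("/"), name.rfind(":")
    if colon > slash:
        return name[:colon], name[colon + 1:], digest or None
    return name, "latest", digest or None

def stale_pins(dockerfile: str, resolve: Callable[[str], str]) -> list[dict]:
    """Report every FROM whose pinned digest differs from what the tag serves now.
    resolve('image:tag') returns the digest the registry currently returns (assumed)."""
    out = []
    for m in FROM_RE.finditer(dockerfile):
        image, tag, digest = split_ref(m.group("ref"))
        if image.lower() == "scratch" or digest is None:
            continue  # nothing pinned: 'scratch' or a floating tag (needs --pull instead)
        current = resolve(f"{image}:{tag}")
        if current != digest:
            out.append({"image": image, "tag": tag, "pinned": digest, "current": current})
    return out

def repin(dockerfile: str, resolve: Callable[[str], str]) -> str:
    """Rewrite stale pins to today's digest, keeping the tag beside it for readability."""
    def fix(m: re.Match) -> str:
        image, tag, digest = split_ref(m.group("ref"))
        if image.lower() == "scratch" or digest is None:
            return m.group(0)
        key = f"{image}:{tag}"
        return f"{m.group('lead')}{key}@{resolve(key)}{m.group('rest')}"
    return FROM_RE.sub(fix, dockerfile)

# Constructed sample: digests are placeholders, not real node/ubuntu digests.
SAMPLE_DOCKERFILE = """\
FROM node:18@sha256:aaaa AS build
FROM --platform=linux/amd64 ubuntu:22.04@sha256:1111
FROM scratch
"""
CURRENT_DIGESTS = {"node:18": "sha256:aaaa", "ubuntu:22.04": "sha256:2222"}
```

Running `stale_pins(SAMPLE_DOCKERFILE, CURRENT_DIGESTS.__getitem__)` flags only the ubuntu line, and `repin` produces a Dockerfile that passes the same check; committing that rewrite as a pull request is what lets the devs review the bump instead of having the base image silently change under them.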