Security triage: 87 HIGH container-scanning CVEs — remediate via base image rebuild
## Summary Triage of the project [Vulnerability Report](https://gitlab.com/gitlab-org/duo-workflow/default-docker-image/-/security/vulnerability_report/) completed on 2026-06-10. - **Total findings:** 87 - **Severity:** HIGH (all 87) - **Scanner:** Container Scanning (all 87) - **State:** DETECTED (all active; none resolved or dismissed) ## Triage outcome **No findings were dismissed.** All 87 are genuine, vendor-acknowledged CVEs with real vulnerable package versions and no false-positive flags. Dismissal was not appropriate. However, every sampled finding shares a consistent **deprioritization** profile: - **EPSS score:** 0.0 (negligible probability of exploitation in the wild) - **Known exploit:** No (not on any known-exploited list) - **Reachability:** Not applicable — Container Scanning does not provide reachability data, so it was not used as a triage signal. These are real issues that should be fixed, but none are under active exploitation, so they do not require emergency response. ## Recommended remediation The vast majority of these findings are **OS/base-image package CVEs** (kernel-headers, gnutls, openjdk, ruby/ERB, expat, libpng, python36, git-lfs, krb5-libs, libcap, binutils, etc.) across the `workflow-generic-image` and `workflow-generic-image-hardened` images. The most effective single action is to **rebuild the container images on updated base layers** and re-run the pipeline. This will pull in patched package versions and resolve most of these findings in one pass. ### Suggested steps 1. Update the base image reference(s) in the Dockerfile(s) to the latest patched tags. 2. Run `dnf update` / package upgrades during the build so userspace packages (gnutls, openjdk, ruby gems, expat, libpng, python, git-lfs, krb5-libs, libcap, binutils) pick up fixes. 3. Re-run the security pipeline and compare the new Vulnerability Report against this baseline. 4. For any findings that persist after rebuild (e.g. packages with no upstream fix yet, or `end_of_life` packages such as some kernel-headers CVEs), re-triage individually and decide on risk acceptance. ## Notable context - A large subset are **`kernel-headers`** Linux kernel CVEs. Containers do not run their own kernel, so the practical exploitability of these via the container is limited. They were **kept active** (not dismissed) but are good candidates for individual `NOT_APPLICABLE` review if the team confirms they are out of scope for this deployment. - At least one finding (CVE-2025-21927, kernel-headers) shows `Vendor Status: end_of_life`, meaning no upstream fix is expected for that package stream — these may require base-image migration rather than a package update. - Notable userspace CVE worth attention: **CVE-2026-41316** (ERB/`rubygem-psych`) is a deserialization-to-RCE issue; prioritize the Ruby gem updates in the rebuild. ## Risk acceptance note Until the rebuild lands, these remain accepted-but-tracked risks based on EPSS 0.0 and no known exploitation. No automated dismissals were performed.
issue