Running Trivy on the FORCE Docker image results in many complaints (~800) about security vulnerabilities in the packages installed in the image. At the time of filing this issue, there are only CVEs of severity medium or lower, but 2 weeks ago there was a CVE of high severity (CVE-2025-37899 on the linux-libc-dev package).
Security scanners tend to be noisy so I don't think it's reasonable to aim for getting the number to 0, but I think it would be possible to eliminate hundreds of complaints by things that are comparatively low effort, for example:
- removing packages that aren't required from the base image
- passing `--no-install-recommends` to `apt-get`
- building FORCE in a build container with the development dependencies installed and copying the binaries into the "production" container without development dependencies
This list is by no means exhaustive, these were just the examples I could think of off the top of my head.
Beyond the reduced noise from security scanners, this would also result in smaller Docker images for FORCE.
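As an added illustration of the three suggestions above (trimming the base image, `--no-install-recommends`, and building in a separate stage), here is a multi-stage Dockerfile sketch. It is not the FORCE project's own Dockerfile: the base image, the package names, the `make` invocation, the `/opt/force` install prefix and the `force` user are all assumptions chosen to show the pattern, not FORCE's real build.

```dockerfile
# Added illustration, not the FORCE project's Dockerfile. Base image, package
# names, build command and install prefix are assumptions/placeholders.

# ---- Stage 1: build container with the development dependencies -----------
FROM ubuntu:22.04 AS builder

# --no-install-recommends keeps "recommended" packages (and their CVEs) out of
# the layer; deleting the apt lists afterwards keeps the layer small.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential \
        libgdal-dev \
        libcurl4-openssl-dev \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /src
COPY . .
# Placeholder build step; FORCE's actual build procedure is not reproduced here.
RUN make && make install PREFIX=/opt/force

# ---- Stage 2: production container with runtime dependencies only ----------
FROM ubuntu:22.04

# Only the shared libraries the binaries need at run time: no compiler, no
# headers, no -dev packages, so the scanner has far fewer packages to flag.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        libgdal30 \
        libcurl4 \
    && rm -rf /var/lib/apt/lists/*

# Copy only the built artefacts out of the builder stage; everything else
# (toolchain, sources, intermediate objects) is left behind.
COPY --from=builder /opt/force /opt/force
ENV PATH="/opt/force/bin:${PATH}"

# Run as an unprivileged user (assumed to be compatible with FORCE's runtime).
RUN useradd --create-home --shell /usr/sbin/nologin force
USER force
ENTRYPOINT ["force"]
```

To measure the effect, scan the rebuilt image the same way as before, for example `trivy image --severity HIGH,CRITICAL <image>`; `--ignore-unfixed` additionally hides findings for which the distribution has no patched package yet, which is the bulk of the noise a minimal runtime stage cannot remove.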