Skip to content

Analyze and remediate Docker image vulnerabilities from April 8, 2026 scan #428

Description

@josecelano

Overview

Analyze and remediate Docker image vulnerabilities reported in the April 8, 2026 scan, processing images sequentially (one image at a time) and applying easy fixes first (image upgrades, dependency reductions, patch-level updates), while documenting unresolved cases with follow-up issues.

Specification

See detailed specification: docs/issues/428-docker-vulnerability-analysis-apr8-2026.md

(Link will be updated after issue number is assigned and specification file is renamed)

🏗️ Architecture Requirements

DDD Layer: Infrastructure
Module Path: build/deployment artifacts (Dockerfiles, templates, docs)
Pattern: Sequential remediation workflow (analyze -> remediate -> verify -> document)

Module Structure Requirements

Architectural Constraints

  • No business logic in presentation layer
  • Error handling follows project conventions (see docs/contributing/error-handling.md)
  • Testing strategy aligns with layer responsibilities

Anti-Patterns to Avoid

  • ❌ Mixing concerns across layers
  • ❌ Domain layer depending on infrastructure
  • ❌ Monolithic modules with multiple responsibilities

Implementation Plan

Phase 1: Per-image workflow setup

  • Confirm sequential rule: complete one image before starting the next
  • Keep progress checklists updated in specification

Phase 2: Repeat remediation cycle per image

  • Analyze findings and classify false positives vs actionable CVEs
  • Apply easy fixes where possible
  • Rebuild, re-scan, and verify behavior
  • Update scan docs with result and rationale

Phase 3: Handle unresolved cases

  • Open focused follow-up issues for unresolved vulnerabilities
  • Document trade-offs and mitigation strategy

Acceptance Criteria

Note for Contributors: These criteria define what the PR reviewer will check. Use this as your pre-review checklist before submitting the PR to minimize back-and-forth iterations.

Quality Checks:

  • Pre-commit checks pass: ./scripts/pre-commit.sh

Task-Specific Criteria:

  • All 8 target images processed sequentially with checklist updates
  • Easy remediations implemented and verified where possible
  • Scan documentation updated with post-remediation state
  • Remaining unresolved items tracked in follow-up issues

Related

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions