https://github.com/project-copacetic/copacetic is a CNCF sandbox project for a CLI tool for directly patching container images with support for multiple package managers (apt, apk, yum, etc), and distroless images. This can be set up for build time and recurringly with any cadence to automate patching.
Would maintainers be interested in integration or contribution for an integration?
We currently depend on nvidia/cuda base images across all our components, and often lag on addressing CVEs since these have not been updated or released yet. Using something like the tools you describe to patch these images before consuming them in our projects would be useful.
I have not yet looked into the tooling in detail, but do you have a link to examples of how to automate this in GitHub Actions, for example? Note that our images are generally multi-arch images. Do the tools you mention support these too, or would we have to create the multi-arch manifest from the constituent parts after the fact?
Looks like the DRA driver patches CVEs using a conditional in its Dockerfile to run package manager tooling:
https://github.com/NVIDIA/k8s-dra-driver/blob/main/deployments/container/Dockerfile.ubuntu#L54-L60
https://github.com/NVIDIA/k8s-dra-driver/blob/main/deployments/container/Dockerfile.ubi8#L54-L59
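The pattern referred to above, written out as an added illustration (this is not the contents of the linked NVIDIA Dockerfiles): a build argument gates an in-place upgrade of named packages, so a rebuild can pull fixed packages from the distribution repositories without waiting for a new base image tag. The base image tag and the package names are placeholders.

```dockerfile
# Illustrative example of the conditional-upgrade pattern, not the linked NVIDIA file.
# Build with (placeholder values):
#   docker build --build-arg BASE_IMAGE=<nvidia/cuda tag> \
#                --build-arg CVE_UPDATES="libssl3 libc6" -t myimage:patched .
ARG BASE_IMAGE
FROM ${BASE_IMAGE}

# Space-separated list of packages to upgrade in place. Empty (the default)
# makes the RUN step below a no-op, so ordinary builds are unaffected.
ARG CVE_UPDATES=""

# Upgrade only the named packages rather than the whole image, so the change
# is targeted and reviewable; drop the apt lists to keep the layer small.
RUN if [ -n "${CVE_UPDATES}" ]; then \
        apt-get update && \
        apt-get install -y --no-install-recommends --only-upgrade ${CVE_UPDATES} && \
        rm -rf /var/lib/apt/lists/*; \
    fi
```

For a yum/dnf based image the same gate wraps `yum update -y ${CVE_UPDATES}` instead of the apt commands. Because the gate is a plain build argument, a scheduled CI job can rebuild each architecture with the same argument and assemble the multi-arch manifest as usual.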
@elezar