Why Your Docker Images Are Bloated and Vulnerable – A Hands‑On Scan Reveals 358 Flaws

A detailed experiment scans several Docker base images, showing how default Python images contain hundreds of vulnerabilities, while slimmer or Alpine‑based images dramatically reduce the attack surface, highlighting the security trade‑offs of image bloat and the importance of careful base‑image selection.

Open Source Linux

This article unexpectedly topped Hacker News and sparked a lively discussion, prompting the author to summarize key observations about container image security and bloat.

Vulnerability scanners often generate many false positives; some findings can be fixed upstream, while others are irrelevant to specific architectures.

Official base images on Docker Hub are rarely updated, shifting the OS patching burden from operators to developers.

Many developers are unaware of this shift, leading to debates about adding RUN apt-get update && apt-get -y upgrade to Dockerfiles, which can cause non‑reproducible builds and other risks.

Alpine images are not always ideal because musl libc can be slower and some libraries lack builds for that platform.

Scanning Official Python Image

Docker’s built‑in scan uses the third‑party tool Snyk Container. Scanning a simple Flask app based on python:3.9 produced 358 vulnerabilities (54 high, 48 medium) across 431 tested dependencies.

# latest stable at the time
FROM python:3.9

RUN pip install Flask

COPY server.py server.py

ENV FLASK_APP=server.py
ENV FLASK_RUN_PORT=5000
ENV FLASK_RUN_HOST=0.0.0.0

EXPOSE 5000

CMD ["flask", "run"]

Scanning Slim Python Image

Switching to python:3.9-slim reduced the scan to 69 vulnerabilities (14 high, 8 medium) out of 94 dependencies.

FROM python:3.9-slim

RUN pip install Flask

COPY server.py server.py

ENV FLASK_APP=server.py
ENV FLASK_RUN_PORT=5000
ENV FLASK_RUN_HOST=0.0.0.0

EXPOSE 5000

CMD ["flask", "run"]

Scanning Alpine Python Image

Using python:3.9-alpine yielded zero known vulnerabilities after scanning 37 dependencies.

FROM python:3.9-alpine

RUN pip install Flask

COPY server.py server.py

ENV FLASK_APP=server.py
ENV FLASK_RUN_PORT=5000
ENV FLASK_RUN_HOST=0.0.0.0

EXPOSE 5000

CMD ["flask", "run"]

Scanning Distroless Python Image

The author built a “distroless” Python image (gcr.io/distroless/python3) using a multi‑stage build to avoid a full OS layer. Scanning this image found 37 vulnerabilities (6 high, 8 medium), a ~90% reduction compared with the default python:3.9 image.

# Build image
FROM python:3.7-slim AS build-env

RUN python -m pip install Flask

# Runtime image
FROM gcr.io/distroless/python3

COPY --from=build-env /usr/local/bin/flask /usr/local/bin/flask
COPY --from=build-env /usr/local/lib/python3.7/site-packages /usr/local/lib/python3.7/site-packages

WORKDIR /app

COPY server.py server.py

ENV PYTHONPATH=/usr/local/lib/python3.7/site-packages
ENV FLASK_APP=server.py
ENV FLASK_RUN_PORT=5000
ENV FLASK_RUN_HOST=0.0.0.0

EXPOSE 5000

CMD ["/usr/local/bin/flask", "run"]

Scanning Go Scratch Image

A minimal Go image built from scratch contained no vulnerable paths, demonstrating that eliminating the distro layer can dramatically lower attack surface.

FROM scratch

COPY hello /
CMD ["/hello"]

Conclusion

Bloated images usually stem from using default, feature‑rich base images or adding extra tools for debugging. Smaller images not only speed up builds and reduce storage/network usage but also improve security by minimizing the number of packages and potential vulnerabilities. Modern debugging features like Kubernetes’ temporary‑container injection can help avoid the need for heavyweight base images.
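The scan sections above compare raw finding counts per base image. The following is an added example, not code from the article or from Snyk, that turns such results into a CI gate: it de-duplicates findings by ID, summarizes them by severity, computes the reduction against a baseline image (the article's ~90% figure), and fails when high or critical findings exceed an allowance. It assumes the JSON shape of `snyk container test --json` (a top-level "vulnerabilities" list with "id" and "severity", plus "dependencyCount"); the two reports embedded below are constructed stand-ins, not real scan output.

```python
"""Severity gate for container scan results (added example; assumed Snyk JSON shape)."""
import json
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")


def load_report(path: str) -> dict:
    """Read a `snyk container test --json` report from disk (assumed shape)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def summarize(report: dict) -> dict:
    """Count unique vulnerability IDs per severity plus the dependency count."""
    seen = {}
    for v in report.get("vulnerabilities", []):
        # The same CVE is reported once per dependency path; count each ID once.
        seen.setdefault(v["id"], v["severity"].lower())
    counts = Counter(seen.values())
    return {"total": len(seen),
            **{s: counts.get(s, 0) for s in SEVERITIES},
            "dependencies": report.get("dependencyCount", 0)}


def gate(summary: dict, max_high: int = 0, max_critical: int = 0) -> bool:
    """Policy: pass only when critical/high findings are within the allowance."""
    return summary["critical"] <= max_critical and summary["high"] <= max_high


def reduction(baseline: dict, candidate: dict) -> float:
    """Percentage drop in unique findings relative to the baseline image."""
    if baseline["total"] == 0:
        return 0.0
    return 100.0 * (baseline["total"] - candidate["total"]) / baseline["total"]


# Constructed sample reports standing in for python:3.9 and python:3.9-alpine scans.
SAMPLE_FULL = {"dependencyCount": 5, "vulnerabilities": [
    {"id": "SNYK-EXAMPLE-1", "severity": "high", "packageName": "libfoo"},
    {"id": "SNYK-EXAMPLE-1", "severity": "high", "packageName": "libfoo"},  # second path
    {"id": "SNYK-EXAMPLE-2", "severity": "medium", "packageName": "libbar"},
    {"id": "SNYK-EXAMPLE-3", "severity": "low", "packageName": "libbaz"},
]}
SAMPLE_ALPINE = {"dependencyCount": 2, "vulnerabilities": []}

if __name__ == "__main__":
    full, alpine = summarize(SAMPLE_FULL), summarize(SAMPLE_ALPINE)
    for name, s in (("python:3.9", full), ("python:3.9-alpine", alpine)):
        print(f"{name}: {s['total']} findings ({s['high']} high, {s['medium']} medium) "
              f"across {s['dependencies']} deps; gate {'PASS' if gate(s) else 'FAIL'}")
    print(f"reduction vs baseline: {reduction(full, alpine):.0f}%")
```

In a pipeline, replace the constructed samples with `load_report("snyk.json")` and exit non-zero when `gate()` returns False.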

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
