We are excited to announce an enhancement to the security reporting for all Bitnami images: Bitnami Secure Images are now correctly and fully scanned by Grype, Anchore’s open source vulnerability analysis tool. You can read about it here.
This crucial integration means that when you use Anchore’s suite of security analysis tools on any official Bitnami container or VM image, the reported Common Vulnerabilities and Exposures (CVE) data will be the most accurate reflection of our commitment to delivering hardened, production-ready images.
Why This Matters: Improving the accuracy of CVE scan results
Historically, security scanning tools have often reported a high number of CVEs in open source components even when the vulnerability has already been patched or mitigated within the underlying operating system or base image. This “noise” is particularly prevalent in container images, where multiple layers contribute to the final image.
Bitnami’s core philosophy is to create hardened images by tracking and ensuring that only the most up-to-date operating system versions, including any patches and upgrades, are used before the application components are added. However, in the case of our purpose-built container distribution, PhotonOS, standard analysis often struggled to correctly attribute these upstream mitigations.
With this improvement, users of Bitnami Secure Images will notice an immediate improvement in security scan findings when they use PhotonOS-based images. This results in:
- Accurate Vulnerability Reporting: Grype and other Anchore tools will now report CVE data that most accurately reflects the patches and mitigations already applied by Bitnami, significantly reducing false positives.
- Clearer Security Posture: You can have complete confidence that the CVE data generated truly represents the remaining, unaddressed risk in the image.
- Simplified Compliance: Streamlining security reporting makes it easier to meet internal and regulatory compliance requirements related to software supply chain security. SBOM reports will better reflect the components inside Bitnami images.
Bitnami’s Commitment to the Open Source Supply Chain
This improved scanning compatibility is a direct reflection of our dedication to protecting the open source supply chain. By ensuring that our security posture is transparently and accurately reported by leading third-party tools like Anchore, we empower our users to:
- Reduce Alert Fatigue: Spend less time triaging false positive vulnerability reports.
- Focus on Real Risk: Direct security resources toward addressing genuine, unmitigated threats.
- Build with Confidence: Trust that the foundational components of your cloud applications are robustly secured and provably hardened.
We continue to work with security vendors across the ecosystem to ensure maximum compatibility and transparency for our users. We encourage all users of Anchore tools, such as Grype for vulnerability scanning, to try scanning one of the PhotonOS-based BSI images. Your feedback is always welcome as we strive to make Bitnami the most secure and reliable source for open source applications.