Container Vulnerability Management
Critical fixable vulnerabilities block publication. High findings follow the approved risk policy and remediation SLA. --ignore-unfixed may reduce unactionable noise, but teams still monitor severe unfixed issues and reassess when fixes become available.
First determine whether the vulnerability comes from the base OS, language dependency, or unused build tooling. Multi-stage builds often remove scanner findings by excluding compilers and test packages from runtime. Do not blindly upgrade unrelated packages inside the Dockerfile; update the authoritative base or dependency lock and test compatibility.
Exceptions include exploitability context, affected component, compensating control, owner, expiry, and planned fix. A permanent ignore file is prohibited.