can Seqera Containers / Wave use a minimal-CVE base OS image?
closed
Flamingo pink Python
The containers generated by https://seqera.io/containers/ and the wave cli seem to be based on the Docker OS base image 'mambaorg/micromamba:1.5.8-lunar'.
I am wondering if it's possible to use a base image that has minimal CVEs such as Wolfi https://edu.chainguard.dev/open-source/wolfi/overview/ without compromising the features offered by these services?
You can check the CVEs like this:
docker run aquasec/trivy image mambaorg/micromamba:1.5.8-lunar
docker run aquasec/trivy image cgr.dev/chainguard/wolfi-base:latest
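To turn the two Trivy runs above into a side-by-side comparison, the reports can be written with Trivy's own `--format json -o <file>` flags and summarised per severity. The script below is an added example, not part of the thread; the two reports embedded in it are constructed samples with placeholder image names and CVE IDs, and the CRITICAL/HIGH budget in `meets_policy` is an assumed policy.

```python
"""Summarise Trivy JSON reports so candidate base images can be compared.

Produce a report per image with Trivy's real flags, e.g.:
  docker run aquasec/trivy image --format json -o busy.json <image>
"""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def summarise(report: dict) -> Counter:
    """Count findings per severity across every target in one report.

    Trivy omits the "Vulnerabilities" key (or emits null) for a target with
    no findings, so a missing key must count as zero rather than fail.
    """
    counts = Counter({sev: 0 for sev in SEVERITIES})
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return counts


def meets_policy(counts: Counter, max_critical: int = 0, max_high: int = 0) -> bool:
    """Assumed gate for choosing a base image: no CRITICAL/HIGH beyond budget."""
    return counts["CRITICAL"] <= max_critical and counts["HIGH"] <= max_high


def compare(reports: dict) -> dict:
    """Map image label -> {"counts": Counter, "passes": bool} for each report."""
    out = {}
    for name, rep in reports.items():
        counts = summarise(rep)
        out[name] = {"counts": counts, "passes": meets_policy(counts)}
    return out


# Constructed sample reports in Trivy's schema; names and CVE IDs are placeholders.
BUSY_IMAGE_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "example.invalid/busy-base:1.0", "Results": [
  {"Target": "example.invalid/busy-base:1.0 (demo-os 1.0)", "Class": "os-pkgs",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libdemo", "Severity": "HIGH"},
     {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libdemo", "Severity": "MEDIUM"},
     {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zdemo", "Severity": "CRITICAL"}]},
  {"Target": "Python", "Class": "lang-pkgs",
   "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0004", "PkgName": "demo-pkg", "Severity": "low"}]}]}
""")
LEAN_IMAGE_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "example.invalid/lean-base:latest", "Results": [
  {"Target": "example.invalid/lean-base:latest (demo-os 2.0)", "Class": "os-pkgs"}]}
""")

if __name__ == "__main__":
    for name, row in compare({"busy": BUSY_IMAGE_REPORT, "lean": LEAN_IMAGE_REPORT}).items():
        print(name, dict(row["counts"]), "OK" if row["passes"] else "REJECT")
```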
Rob Newman
closed
Closing while acknowledging the request to minimize CVEs in the base image.
Phil Ewels
Hi there,
We are not planning to change the base image used by Seqera Containers in the near future. Note that the chainguard images have a somewhat complex SLA for their image hosting (https://www.chainguard.dev/legal/software-license-agreement) and we also want to be cautious on this front regarding compatibility.
You can customise the base image used by Wave by using the --conda-base-image CLI flag (or equivalent config option in Nextflow / the Wave API). So you can choose anything you want with that. Note that this is different to the Seqera Containers platform that hosts community containers however. This said, security is something we take very carefully, so we are looking into how we can minimise CVEs in the images used. Thanks for flagging this!
Phil
Phil Ewels
Flamingo pink Python to clarify - we will do updates to the base image, it's just more wholesale changes I'm talking about here. In fact Paolo merged an update to the micromamba version of the base image yesterday: https://github.com/seqeralabs/libseqera/pull/26
Rob Newman
Flamingo pink Python Thanks for the feature request. Our Wave team is looking into the feasibility of this. One note: the Chainguard Academy have commercial licensing terms with respect to redistribution of images from cgr.dev that they are for development only and not production use, which may limit our ability to use them. Further info
Rob Newman
acknowledged