How can I check safety using trivy? and What is the next step? #1753
bethleekor asked this question in Q&A
It would be better if you evaluated those vulnerabilities, since they may be of lower severity in your system. The severity is defined in terms of the technical severity of the vulnerability. It doesn't mean how big the impact will be in your system. If you think it should be resolved, you can ask GitLab to update the image or look for alternatives.
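One way to act on the reply above, as an added example (not part of the original discussion and not Trivy project code): separate the HIGH/CRITICAL findings that already list a fixed version, where updating the image or asking its maintainer applies, from those that have to be evaluated against your own deployment. The report is constructed sample data shaped like `trivy image --format json` output, and `triage` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like `trivy image --format json` output.
# IDs, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "example-image (os packages)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
     "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
     "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "exampled",
     "InstalledVersion": "2.3", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample2",
     "InstalledVersion": "0.9", "FixedVersion": "0.9.1",
     "Severity": "LOW"}]},
  {"Target": "opt/app/Gemfile.lock"}
]}
""")


def triage(report, severities=("HIGH", "CRITICAL")):
    """Bucket findings by whether a fixed package version exists."""
    buckets = {"fix_available": [], "needs_review": []}
    for result in report.get("Results") or []:
        # Targets without findings may have no "Vulnerabilities" list.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            fixed = vuln.get("FixedVersion") or ""
            item = {
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "package": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": fixed,
                "severity": vuln.get("Severity"),
            }
            # A fix exists: update the image or ask its maintainer.
            # No fix yet: judge exposure in your own deployment.
            buckets["fix_available" if fixed else "needs_review"].append(item)
    return buckets


if __name__ == "__main__":
    for name, items in triage(SAMPLE_REPORT).items():
        print(f"{name}: {len(items)}")
        for i in items:
            print(f"  {i['severity']:8} {i['id']} {i['package']} "
                  f"{i['installed']} -> {i['fixed'] or 'no fix listed'}")
```

To run it on a real scan, load the file written by `trivy image --format json --output report.json <image>` in place of the sample.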
Hi. I'm Jin.
Thank you for developing this useful tool for us.
I've used trivy for checking docker image vulnerabilities. (I'm a newbie with trivy.)
I'm curious about how I can decide which images are safe or not. By using options that check critical/high issues?
For example, when I run gitlab-ce (https://hub.docker.com/r/gitlab/gitlab-ce)
$ trivy image --severity HIGH,CRITICAL gitlab/gitlab-ce:14.7.3-ce.0
Some part of the results is like below.
In this case, is this image safe? If not, what are the next steps?
How can I use this report?
May I ask GitLab to update the version?
Thank you for your help.
Best,
Jin