MAXIMUM CVEs

This repo generates a container image that maximizes the number of CVEs in the image, while minimizing the size of the image.

$ grype ghcr.io/chainguard-dev/maxcve/maxcve 1> /dev/null
   ├── ✔ Packages                        [48,215 packages]
   └── ✔ Executables                     [0 executables]
 ✔ Scanned for vulnerabilities     [290565 vulnerability matches]
   ├── by severity: 5968 critical, 50545 high, 38097 medium, 1390 low, 0 negligible (194565 unknown)
   └── by status:   282221 fixed, 8344 not-fixed, 0 ignored

(As of March 28, 2024)

Or, if you prefer to consume data visually:

[image: grype severity breakdown for the image, captioned "Zero negligible vulns, nice!"]

[image: a real minimal base image, for scale]

Development

go run . ttl.sh/maxcve

How it works

To minimize size, the image doesn't actually contain any packages. In fact, it only contains two files:

  1. /etc/os-release, which tells scanners the image is a Wolfi image.
  2. /lib/apk/db/installed, which tells scanners what packages the image contains -- i.e., that it contains every version of every package that Wolfi has ever produced.

Wolfi aims to reduce the number of vulnerable packages by producing new fixed packages as soon as possible. But, along the way, it also produces lots and lots of packages, and those packages over time do have vulnerabilities discovered in them. This image claims to contain all of them.

Amusingly, it takes about 500ms to build and push the image, and almost two minutes to scan it.

Why?

Aside from being fun, this image demonstrates how scanners work -- and importantly, how they don't work.

At their most basic, scanners trust the image to (1) tell them what OS it is and (2) tell them what packages it contains. This image does both, but in a way that is misleading: the metadata is well-formed and the package names and versions are real, yet none of the claimed packages is actually present.

For a similar (but opposite) demonstration of this, see Malicious Compliance: Reflections on Trusting Container Scanners. In that talk, they mislead the scanner into finding fewer CVEs in the presence of vulnerable packages. In this demonstration, we mislead the scanner into finding vulnerabilities without installing any packages.
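To make the two sections above concrete, here is an added example (not the project's own Go program, which is what `go run .` builds) that uses only the Go standard library. It writes a layer in the same shape, the two metadata files and nothing else, and then audits it the way a scanner could but normally does not: it counts the packages the database claims against the files the layer actually ships. The os-release field values, package names and versions are constructed for the example, and the record keys P (name), V (version), A (arch) and o (origin) are the subset of apk's installed-database format the example relies on.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// osRelease mimics a Wolfi /etc/os-release. The exact field values are an
// assumption for this example; scanners key on ID (and VERSION_ID) to choose
// the vulnerability feed they match against.
const osRelease = "ID=wolfi\nNAME=\"Wolfi\"\nPRETTY_NAME=\"Wolfi\"\nVERSION_ID=\"20230201\"\nHOME_URL=\"https://wolfi.dev\"\n"

// apkPkg is one (name, version) pair to claim in the installed database.
type apkPkg struct{ Name, Version string }

// apkInstalledDB renders the apk "installed" database: one blank-line-separated
// record per package, each record a list of single-letter keys. P, V and A are
// enough for a scanner to match the record against an advisory feed; no file
// list (F:/R: keys) is emitted, so the record describes a package with no contents.
func apkInstalledDB(pkgs []apkPkg) string {
	var b strings.Builder
	for _, p := range pkgs {
		fmt.Fprintf(&b, "P:%s\nV:%s\nA:x86_64\no:%s\n\n", p.Name, p.Version, p.Name)
	}
	return b.String()
}

// buildLayer writes a single tar layer holding only the two metadata files.
// No binaries, libraries or package payload of any kind are included.
func buildLayer(pkgs []apkPkg) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	files := []struct{ path, body string }{
		{"etc/os-release", osRelease},
		{"lib/apk/db/installed", apkInstalledDB(pkgs)},
	}
	for _, f := range files {
		hdr := &tar.Header{Name: f.path, Mode: 0o644, Size: int64(len(f.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := io.WriteString(tw, f.body); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// LayerAudit is the cross-check a scanner could perform: how many packages the
// database claims versus how many non-metadata files the layer actually contains.
type LayerAudit struct {
	OS           string // ID from /etc/os-release
	ClaimedPkgs  int    // records in /lib/apk/db/installed
	PayloadFiles int    // regular files other than the two metadata files
}

// auditLayer parses the tar and reports the claim-versus-content gap.
func auditLayer(layer []byte) (LayerAudit, error) {
	var a LayerAudit
	tr := tar.NewReader(bytes.NewReader(layer))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return a, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return a, err
		}
		switch strings.TrimPrefix(hdr.Name, "./") {
		case "etc/os-release":
			for _, line := range strings.Split(string(body), "\n") {
				if strings.HasPrefix(line, "ID=") {
					a.OS = strings.Trim(strings.TrimPrefix(line, "ID="), "\"")
				}
			}
		case "lib/apk/db/installed":
			for _, line := range strings.Split(string(body), "\n") {
				if strings.HasPrefix(line, "P:") {
					a.ClaimedPkgs++
				}
			}
		default:
			a.PayloadFiles++
		}
	}
	return a, nil
}

// Forged reports the maxcve shape: packages are claimed, but nothing ships.
func (a LayerAudit) Forged() bool { return a.ClaimedPkgs > 0 && a.PayloadFiles == 0 }

func main() {
	// Constructed sample input: two claimed packages, no real contents.
	layer, err := buildLayer([]apkPkg{{"curl", "8.5.0-r0"}, {"openssl", "3.2.0-r0"}})
	if err != nil {
		panic(err)
	}
	a, err := auditLayer(layer)
	if err != nil {
		panic(err)
	}
	fmt.Printf("os=%s claimed=%d payload=%d forged=%v\n", a.OS, a.ClaimedPkgs, a.PayloadFiles, a.Forged())
}
```

The audit is deliberately crude: it flags any layer whose package database is populated while the rest of the filesystem is empty. A production check would go one step further and compare each record's declared file list (when present) against the files actually in the image, which catches both this demonstration and the opposite trick of hiding real packages from the database.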

Contributors

imjasonh, lyoung-confluent, luhring
