Back to Details

os-vulnerability-fix

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

OS Vulnerability Fix Skill

OS漏洞修复Skill

Description

描述

This skill remediates OS and base-image vulnerabilities in Docker-hosted applications.
It analyzes provided scan findings, evaluates safer base-image candidates, applies Dockerfile or image-tag updates when safe, rebuilds and rescans, and produces an OS-focused remediation report.
Application dependency remediation is out of scope for this skill and must be documented as out-of-scope in the report.
本Skill用于修复Docker托管应用中的OS及基础镜像漏洞。
它会分析提供的扫描结果,评估更安全的基础镜像候选,在安全的情况下应用Dockerfile或镜像标签更新,重新构建并重新扫描,最后生成一份聚焦于操作系统的漏洞修复报告。
应用依赖项的修复不在本Skill的范围内,必须在报告中注明为超出范围的内容。

When to Use

使用场景

Use this skill when the user asks to:
  • Fix OS-level CVEs in container images.
  • Reduce base-image vulnerabilities.
  • Compare current and candidate base images.
  • Update Docker FROM images to safer compatible tags.
  • Produce an OS vulnerability remediation report.
当用户提出以下需求时使用本Skill:
  • 修复容器镜像中的操作系统级CVE漏洞。
  • 减少基础镜像的漏洞数量。
  • 对比当前基础镜像与候选基础镜像。
  • 将Docker FROM镜像更新为更安全的兼容标签。
  • 生成操作系统漏洞修复报告。

Inputs

输入

Expected inputs may include:
  • Vulnerability scan report or CVE list.
  • Dockerfile.
  • Docker Compose files.
  • Kubernetes manifests.
  • Existing scanner output (Docker Scout, Trivy, Grype, Snyk, or similar).
  • Build and runtime validation instructions.
预期输入可能包括:
  • 漏洞扫描报告或CVE列表。
  • Dockerfile。
  • Docker Compose文件。
  • Kubernetes清单文件。
  • 现有扫描器输出结果(Docker Scout、Trivy、Grype、Snyk或类似工具)。
  • 构建及运行时验证说明。

Outputs

输出

This skill produces:
  • Applied OS/base-image fixes where safe and feasible.
  • Updated Dockerfile or container image references.
  • Baseline and final scan comparison evidence.
  • Validation results.
  • An OS vulnerability remediation report.
本Skill会生成以下内容:
  • 在安全可行的情况下应用OS/基础镜像修复。
  • 更新后的Dockerfile或容器镜像引用。
  • 基线扫描与最终扫描的对比证据。
  • 验证结果。
  • 一份操作系统漏洞修复报告。

Scope Rules

范围规则

  • In scope: Linux distro packages, system libraries, shell utilities, and base-image layer CVEs.
  • Out of scope: application and language-ecosystem dependency upgrades.
  • If non-OS findings are present, list them as out-of-scope follow-up items.
  • 范围内:Linux发行版包、系统库、Shell工具及基础镜像层的CVE漏洞。
  • 范围外:应用及语言生态依赖项的升级。
  • 如果存在非OS类漏洞发现,需将其列为超出范围的后续跟进项。

Core Principle

核心原则

Use Docker Hub API for candidate discovery and Docker Scout (or approved scanner) for vulnerability evidence.
Do not treat Docker Hub tag metadata as proof that CVEs are fixed. A CVE is only considered fixed after final scan evidence confirms absence or a non-vulnerable installed package version.
使用Docker Hub API进行候选镜像发现,使用Docker Scout(或已批准的扫描器)获取漏洞证据。
不要将Docker Hub标签元数据视为CVE已修复的证明。只有在最终扫描证据确认漏洞不存在或已安装非易受攻击的软件包版本后,才可认为CVE已修复。

Process

流程

Step 1: Classify and Baseline

步骤1:分类与基线建立

Classify each finding as 
os_base_image
, 
non_os_out_of_scope
, or 
unknown_manual_review
.
Scan the current image to establish a baseline:
bash
TS=$(date +%Y%m%d%H%M%S)
docker build -t app-current:scan-$TS .
docker scout cves --only-base --format sarif --output scout-current.sarif.json app-current:scan-$TS
docker scout recommendations app-current:scan-$TS
Registry variant: use 
registry://IMAGE:TAG
instead of a local tag.
将每个漏洞发现分类为
os_base_image
non_os_out_of_scope
unknown_manual_review
扫描当前镜像以建立基线:
bash
TS=$(date +%Y%m%d%H%M%S)
docker build -t app-current:scan-$TS .
docker scout cves --only-base --format sarif --output scout-current.sarif.json app-current:scan-$TS
docker scout recommendations app-current:scan-$TS
镜像仓库变体:使用
registry://IMAGE:TAG
替代本地标签。

Step 2: Evaluate and Select Candidate

步骤2:评估与选择候选镜像

Inspect Dockerfile FROM lines, discover compatible tags with Docker Hub API, scan candidates, and select the safest compatible base image.
bash
undefined
检查Dockerfile中的FROM行,通过Docker Hub API发现兼容标签,扫描候选镜像,选择最安全的兼容基础镜像。
bash
undefined

Discover tags (adjust namespace/repo/prefix for the actual base image)

发现标签(根据实际基础镜像调整命名空间/仓库/前缀)

curl -s "https://hub.docker.com/v2/namespaces/library/repositories/eclipse-temurin/tags?page_size=100"
| jq -r '.results[] | select(.name | startswith("17-jre")) | [.name, .last_updated] | @tsv'
curl -s "https://hub.docker.com/v2/namespaces/library/repositories/eclipse-temurin/tags?page_size=100"
| jq -r '.results[] | select(.name | startswith("17-jre")) | [.name, .last_updated] | @tsv'

Scan candidate

扫描候选镜像

docker scout cves --only-base --platform linux/amd64 registry://eclipse-temurin:17-jre-jammy docker scout recommendations registry://eclipse-temurin:17-jre-jammy

Prefer: same runtime version, fewer critical/high CVEs, official/trusted publisher, supported OS, no new critical CVEs introduced.

Avoid: `latest`, EOL images, untrusted publishers, major runtime jumps without evidence.
docker scout cves --only-base --platform linux/amd64 registry://eclipse-temurin:17-jre-jammy docker scout recommendations registry://eclipse-temurin:17-jre-jammy

优先选择:相同运行时版本、严重/高危CVE更少、官方/可信发布者、受支持的操作系统、未引入新的严重CVE的镜像。

避免选择:`latest`标签、已终止支持(EOL)的镜像、不可信发布者的镜像、无证据支持的大版本运行时跳跃。

Step 3: Apply Fix, Rebuild, and Rescan

步骤3:应用修复、重新构建与重新扫描

Update the Dockerfile FROM line, rebuild, and run the final scan:
bash
TS=$(date +%Y%m%d%H%M%S)
docker build -t app-os-fixed:scan-$TS .
docker scout cves --only-base --format sarif --output scout-final.sarif.json app-os-fixed:scan-$TS
Assign each original OS finding one status based on baseline vs final comparison:
ConditionStatus
Absent in final scanfixed
Present, fixed version existsfix_available_not_applied
Present, no fixed versionno_fix_available
Remains after fix attemptstill_vulnerable
Appears only after fixnewly_introduced
Ambiguous evidencemanual_review_required
更新Dockerfile中的FROM行,重新构建并运行最终扫描:
bash
TS=$(date +%Y%m%d%H%M%S)
docker build -t app-os-fixed:scan-$TS .
docker scout cves --only-base --format sarif --output scout-final.sarif.json app-os-fixed:scan-$TS
根据基线扫描与最终扫描的对比,为每个原始OS漏洞发现分配一个状态:
条件状态
最终扫描中不存在fixed
仍存在,但有可用修复版本fix_available_not_applied
仍存在,无可用修复版本no_fix_available
尝试修复后仍存在still_vulnerable
修复后新出现newly_introduced
证据不明确manual_review_required

Step 4: Generate Report

步骤4:生成报告

Produce an OS-focused remediation report using the template in references.
使用参考资料中的模板生成聚焦于操作系统的漏洞修复报告。

Report Template

报告模板

Use os-vulnerability-remediation-report-template.md.
使用os-vulnerability-remediation-report-template.md

Safety Requirements

安全要求

This skill must not:
  • Disable or suppress scanner findings without evidence.
  • Use latest blindly.
  • Upgrade to unsupported or EOL base images.
  • Claim a CVE is fixed without scan/version evidence.
  • Modify dependency manifests or lockfiles for application package upgrades.
  • Modify unrelated application logic unless required for runtime compatibility.
本Skill不得:
  • 无证据地禁用或压制扫描器发现的漏洞。
  • 盲目使用
    latest
    标签。
  • 升级到不受支持或已终止支持(EOL)的基础镜像。
  • 无扫描/版本证据地宣称CVE已修复。
  • 修改依赖清单或锁定文件以升级应用包。
  • 修改无关的应用逻辑,除非运行时兼容性要求必须修改。

Completion Criteria

完成标准

Task is complete when:
  1. Safe OS/base-image fixes are applied where feasible.
  2. Docker image is rebuilt.
  3. Final scanner evidence is captured, or inability is documented.
  4. Report includes fixed, remaining, no-fix, manual-review, and newly introduced OS findings.
  5. Out-of-scope non-OS findings are explicitly listed for follow-up.
满足以下条件时任务完成:
  1. 已在可行的情况下应用安全的OS/基础镜像修复。
  2. Docker镜像已重新构建。
  3. 已捕获最终扫描证据,或已记录无法完成的原因。
  4. 报告包含已修复、剩余、无可用修复、需人工审核及新引入的OS漏洞发现。
  5. 已明确列出超出范围的非OS漏洞发现以供后续跟进。