# getting-started
Hi everyone! We have tested meltano as a POC and would like to move forward in a prod deploy. We're using the latest docker image meltano/meltano:v1.105.0 but our security team found some critical and high vulnerabilities. Our policy is that docker images with high and/or critical vulnerabilities can't be deployed in a prod environment. Is there a plan to fix those vulnerabilities?
Hey Tomas! What tool did your team use to find those vulnerabilities? Also, if you have a list you can share that’d be helpful as we’d definitely like to address them. cc @aaronsteers
@TomasB - As @taylor mentions, it would be helpful to make sure we can repro the test results on our side. Also would be helpful to break the known vulnerabilities into three categories: 1. Meltano python install 2. Base docker image 3. Other software installed to the image in our default scripts. If the primary concerns are 2+3, in the base image and/or related non-Meltano components, a custom docker image is probably a good path for stability and peace of mind for your security team.
The tool used is JFrog Xray. It's the security tool that is from the same vendor as Artifactory.
Super helpful. We're reviewing as a team and @Will Da Silva (Arch) from our side will log an issue to dive deeper on this.
Thank you!
If you need a quick path forward, the issue I linked above does recommend a different base image which is slimmer and therefore may have fewer of these issues. (We'll still be researching on our end but wanted to propose this in case it's helpful.)
There are other challenges with the policies we have if we try to modify the image ourselves.
@TomasB - Makes sense. Thanks for that info.
Can you add a quick comment there in the issue @Will Da Silva (Arch) logged? This will allow us to ping you directly on github.
done
Thanks folks for all the help!