Base debian image is date by Aug 24 which is old for our security scans.

[pekhota]

We are using FROM shinsenter/laravel:latest

And we have some system-level security checks running. Those checks indicate that the Docker image itself is not up to date, meaning it may contain vulnerabilities, etc. I have checked the image built today, and this is what I see:

root@container:/var/www/html# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

root@container# ls -l /etc | grep os-release
lrwxrwxrwx.  1 root root      21 Aug 24 16:05 os-release -> ../usr/lib/os-release

root@container:/var/www/html# stat /etc/os-release
  File: /etc/os-release -> ../usr/lib/os-release
  Size: 21              Blocks: 0          IO Block: 4096   symbolic link
Device: 0,201   Inode: 29553258    Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-08-24 16:05:00.000000000 +0000
Modify: 2025-08-24 16:05:00.000000000 +0000
Change: 2025-11-10 14:53:38.721563172 +0000
 Birth: 2025-11-10 14:53:38.721563172 +0000

The information above shows that our Laravel image is based on a Debian Bookworm build from August 2025. Is it possible to refresh that and keep it up to date all the time?

[shinsenter]

@pekhota

Thanks for the info.

My Docker images are built on top of the official PHP images' latest tags, so I basically don't modify the PHP or OS versions from the base images.

I'll keep looking into how to update the OS core to the latest version possible.

[shinsenter]

@pekhota

After checking the official debian:bookworm image, it doesn't seem to differ between the timestamp you posted earlier and the latest version.

> docker pull debian:bookworm
> docker run -it debian:bookworm stat /etc/os-release
  File: /etc/os-release -> ../usr/lib/os-release
  Size: 21        	Blocks: 0          IO Block: 4096   symbolic link
Device: 0,62	Inode: 23919       Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-08-24 16:05:00.000000000 +0000
Modify: 2025-08-24 16:05:00.000000000 +0000
Change: 2025-11-21 14:09:38.182237011 +0000
 Birth: 2025-11-21 14:09:38.182237011 +0000

I don't think checking a file's timestamp is a reliable way to judge system-level security. That said, I'll always try to keep the OS and middleware as up to date as possible.

Best regards.

[pekhota]

You are right. Seems like nothing we can do atm. Thank you. Let's close it for now.