When building and deploying Azure Container Apps (ACA), the images specified in the dockerfile (or the base debian OS image that Microsoft uses) seem to carry security issues for periods of time. As an example, given:
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
EXPOSE 80
EXPOSE 443
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
# trimmed for brevity...
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "myapp.dll"]
Microsoft Defender for Cloud marks the image in the registry with a high vulnerability even though it looks like the update was accepted into the stable-security branch on 5/31/23.
Defender marks an image I built yesterday (with the above dockerfile) as still having this vulnerability. So my question is, How often and/or when does Azure update base images for ACA to resolve such security vulnerabilities?
UPDATE - It looks like Microsoft have not yet incorporated an updated debian image into their base.
