Description
Hi
There are currently a number of CVEs in the container, and it contains a number of critical ones.
I'm assuming these CVEs aren't an issue because the MCP server doesn't use SQLite, for example.
To see exactly which CVEs exist, you can use grype, for example:

```shell
grype grafana/mcp-grafana:0.7.9
```
The problem is that the image used is very broad.
Line 20 in 5ff432c:

```dockerfile
FROM debian:bullseye-slim@sha256:52927eff8153b563244f98cdc802ba97918afcdf67f9e4867cbf1f7afb3d147b
```
My suggestion is to either start using ko, just like we do in the grafana-operator.
But I don't know whether the general MCP container gets built the same way or not compared to https://hub.docker.com/r/grafana/mcp-grafana.
It looks like the mcp-publisher only gets an image:
mcp-grafana/.github/workflows/docker.yml, line 75 in 5ff432c:

```yaml
- name: Install dependencies
```
Or we just change to using a small image, like distroless or Chainguard (this is what ko does nowadays).
I'm willing to help out with a PR around this, but I don't want to waste my time unless you think it's a good idea.
So please provide some feedback on which way to go.
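The second option from the issue (swap the broad `debian:bullseye-slim` base for a minimal runtime image), as an added example and not the project's own Dockerfile. It assumes the repo is a Go module whose server binary builds from `./cmd/mcp-grafana`; the build path and Go version are placeholders to adjust to the real layout.

```dockerfile
# Added example, not the project's Dockerfile.
# Assumption: the server is a Go program built from ./cmd/mcp-grafana.

# --- build stage: full toolchain and package manager, never shipped ---
FROM golang:1.23 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a static binary, so the runtime image needs
# no libc, no sqlite and no other distro packages that grype would flag.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" \
    -o /out/mcp-grafana ./cmd/mcp-grafana

# --- runtime stage: distroless static image (what ko uses by default) ---
# Contains only CA certificates, tzdata and a non-root user: no shell,
# no apt, so the scan surface shrinks to the Go binary and its modules.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/mcp-grafana /mcp-grafana
USER nonroot:nonroot
ENTRYPOINT ["/mcp-grafana"]
```

After rebuilding, rerun the same `grype` command from the issue on the new tag to compare the finding count; `grype --fail-on critical <image>` turns that check into a CI gate.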