Docker workshop app with critical vulnerabilities

[MikeMcC399]

Is this a docs issue?

• My issue is about the documentation content or website

Type of issue

Other

Description

As already reported in issue

• 120 app vulnerabilities in example getting-started-app#93

Following the instructions in https://docs.docker.com/get-started/workshop/ leads to building an image with multiple vulnerabilities, including 3 critical ones.

Location

https://docs.docker.com/get-started/workshop/

Suggestion

Review the instructions sourced from https://github.com/docker/docs/edit/main/content/get-started/workshop and consider updating or replacing the app source https://github.com/docker/getting-started-app

Steps to reproduce

git clone https://github.com/docker/getting-started-app.git
cd getting-started-app
cat > Dockerfile <<EOT
# syntax=docker/dockerfile:1

FROM node:lts-alpine
WORKDIR /app
COPY . .
RUN yarn install --production
CMD ["node", "src/index.js"]
EXPOSE 3000
EOT
docker build -t getting-started .

In Docker Desktop select Images, then for the getting-started image, select "View packages and CVEs" in three-dot menu.
Select "Start analysis"

[admin-space]

Thanks for raising this. The concern here is valid and worth addressing.

While the Getting Started workshop is clearly intended for educational purposes, the current instructions lead beginners to build an image that contains multiple HIGH and CRITICAL CVEs without any warning or context. For many users, especially those new to Docker, “official documentation” is implicitly trusted and often reused as a baseline for real projects.

The problem is not that vulnerabilities exist (they inevitably will), but that:

• insecure defaults are normalized,
• no disclaimer is provided,
• and no secure alternative is demonstrated.

A minimal improvement could be:

• adding a short warning that the image is not production-ready and may contain known CVEs.

A better improvement would be:

• providing an optional “security-aware” Dockerfile (e.g., multi-stage + distroless),
• or updating/replacing the demo app with dependencies that are actively maintained.

This would significantly improve security education without increasing the learning curve for beginners.