Common Vulnerabilities and Exposures (CVEs) are publicly disclosed security issues with unique identifiers. Container images often inherit CVEs from their base distributions and dependencies.

RamaLama’s approach

  • Distroless, minimal images to reduce attack surface
  • Frequent rebuilds to incorporate upstream fixes
  • Least-privilege defaults: rootless, no new privileges, dropped capabilities
  • No network by default when running models (--network=none)

How to scan images

Use popular scanners locally to audit the specific image/tag you deploy:

    # Example scanners (install separately)
    grype quay.io/ramalama/ramalama:latest
    trivy image quay.io/ramalama/cuda:latest

Results from different scanners can vary. Focus on:
  • Severity and exploitability
  • Whether the component is even present in the runtime path
  • Availability of fixes and planned update cadence
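
The Python script below is an added example, not part of the RamaLama project: it merges the JSON reports written by "grype <image> -o json" and "trivy image --format json <image>" for the same image, shows which findings only one scanner reports, and orders them by severity and fix availability. The sample reports, their placeholder CVE IDs and package names, and the matching on (CVE ID, package name) are assumptions made for illustration.

```python
SEV_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "negligible": 4, "unknown": 5}

def from_grype(report):
    """Normalise a grype JSON report to {(cve_id, package): finding}."""
    out = {}
    for m in report.get("matches", []):
        vuln, fix = m["vulnerability"], m["vulnerability"].get("fix", {})
        fixed = ", ".join(fix.get("versions") or []) if fix.get("state") == "fixed" else ""
        out[(vuln["id"], m["artifact"]["name"])] = {
            "severity": vuln.get("severity", "Unknown").lower(), "fixed_in": fixed}
    return out

def from_trivy(report):
    """Normalise a trivy JSON report to the same shape."""
    out = {}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out[(v["VulnerabilityID"], v["PkgName"])] = {
                "severity": v.get("Severity", "UNKNOWN").lower(),
                "fixed_in": v.get("FixedVersion", "")}
    return out

def triage(grype_report, trivy_report):
    """Worst severity first; within a severity, findings with a fix available first."""
    g, t = from_grype(grype_report), from_trivy(trivy_report)
    rows = []
    for key in g.keys() | t.keys():  # assumption: both scanners use the same package name
        found = [f for f in (g.get(key), t.get(key)) if f]
        rows.append({
            "cve": key[0], "package": key[1],
            # Scanners can rate the same CVE differently: keep the more severe rating.
            "severity": min((f["severity"] for f in found), key=lambda s: SEV_RANK.get(s, 5)),
            "fixed_in": next((f["fixed_in"] for f in found if f["fixed_in"]), ""),
            "seen_by": "both" if len(found) == 2 else ("grype" if key in g else "trivy")})
    rows.sort(key=lambda r: (SEV_RANK.get(r["severity"], 5), not r["fixed_in"], r["cve"]))
    return rows

# Constructed sample data with placeholder IDs and package names (not real scan output).
GRYPE_SAMPLE = {"matches": [
    {"artifact": {"name": "libexample"}, "vulnerability": {"id": "CVE-0000-0001",
     "severity": "High", "fix": {"state": "fixed", "versions": ["1.2.4"]}}},
    {"artifact": {"name": "libother"}, "vulnerability": {"id": "CVE-0000-0002",
     "severity": "Low", "fix": {"state": "not-fixed", "versions": []}}}]}
TRIVY_SAMPLE = {"Results": [{"Target": "sample", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
     "FixedVersion": "1.2.4", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird", "Severity": "CRITICAL"}]}]}

if __name__ == "__main__":
    print(*triage(GRYPE_SAMPLE, TRIVY_SAMPLE), sep="\n")
```

Neither report says whether a flagged package is actually loaded at runtime, so that check still has to be done by hand for the findings at the top of the list.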

Keeping risk low

  • Pin specific image versions and update regularly
  • Avoid granting elevated privileges to runtime pods/containers
  • Prefer CPU-only images on nodes without GPUs
  • Use SBOMs (see next page) to verify what’s inside

If you need help interpreting scan results for RamaLama images, open an issue on GitHub.