Common Vulnerabilities and Exposures (CVEs) are publicly disclosed security issues with unique identifiers. Container images often inherit CVEs from their base distributions and dependencies.

RamaLama’s approach

  • Distroless, minimal images to reduce attack surface
  • Frequent rebuilds to incorporate upstream fixes
  • Least-privilege defaults: rootless, no new privileges, dropped capabilities
  • No network by default when running models (--network=none)

How to scan images

Run a scanner locally against the exact image and tag (or, better, digest) you deploy, since results differ from one tag to the next:
# Example scanners (install separately)
grype quay.io/ramalama/ramalama:latest
trivy image quay.io/ramalama/cuda:latest
Results from different scanners can vary, because each uses its own vulnerability database and package-detection logic. Rather than counting findings, focus on:
  • Severity and exploitability in this image, not just the CVSS score
  • Whether the vulnerable component is actually loaded or executed in the runtime path (a library in the image that nothing calls is far lower risk)
  • Whether a fixed version exists and when the next rebuild will pick it up
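To make the three questions above mechanical, the following editor-added example (not RamaLama project code) triages a Trivy JSON report into action buckets. It assumes a report produced with `trivy image --format json`; the report embedded below is constructed, its CVE identifiers are placeholders rather than real vulnerabilities, and the `runtime_pkgs` set stands in for an operator-supplied list of packages known to be loaded by the serving process. The bucket names and the gate policy are this example's own choices.

```python
"""Triage a Trivy JSON report into action buckets.

Editor-added example, not RamaLama project code. Produce a real report with
`trivy image --format json -o report.json quay.io/ramalama/ramalama:latest`;
the report embedded below is constructed and its CVE identifiers are
placeholders, not real vulnerabilities. Field names follow Trivy's JSON
schema: Results[].Vulnerabilities[] with VulnerabilityID, PkgName,
InstalledVersion, FixedVersion and Severity.
"""
import json

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample report (placeholder IDs, packages and versions).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "quay.io/ramalama/ramalama:latest",
    "Results": [
        {
            "Target": "quay.io/ramalama/ramalama:latest (fedora 41)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl-libs",
                 "InstalledVersion": "3.2.1-1", "FixedVersion": "3.2.1-2",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "glibc",
                 "InstalledVersion": "2.40-3", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "vim-minimal",
                 "InstalledVersion": "9.1-1", "FixedVersion": "9.1-2",
                 "Severity": "LOW"},
            ],
        },
        # Trivy omits the "Vulnerabilities" key entirely for a clean target.
        {"Target": "Python", "Class": "lang-pkgs"},
    ],
})


def load_findings(report_json: str) -> list:
    """Flatten Results[].Vulnerabilities[] into one list of normalised dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return findings


def triage(findings: list, min_severity: str = "MEDIUM", runtime_pkgs=None) -> dict:
    """Sort findings into buckets.

    fix_now:  at/above min_severity, a fixed version exists, and the package
              is in the runtime path (or no runtime-path list was supplied).
    track:    at/above min_severity but no upstream fix yet; revisit on the
              next rebuild rather than block on it.
    deferred: below min_severity, or the package never runs in the serving
              path; the next routine rebuild picks it up.
    """
    floor = SEVERITY_RANK[min_severity]
    buckets = {"fix_now": [], "track": [], "deferred": []}
    for f in findings:
        in_path = runtime_pkgs is None or f["pkg"] in runtime_pkgs
        if SEVERITY_RANK.get(f["severity"], 0) < floor or not in_path:
            buckets["deferred"].append(f)
        elif f["fixed"]:
            buckets["fix_now"].append(f)
        else:
            buckets["track"].append(f)
    for bucket in buckets.values():          # most severe first, stable
        bucket.sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return buckets


def gate(buckets: dict, block_at: str = "HIGH") -> bool:
    """True when deployment should be blocked: a fixable, in-path finding at
    or above block_at that this image does not yet carry the fix for."""
    floor = SEVERITY_RANK[block_at]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= floor
               for f in buckets["fix_now"])


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    # runtime_pkgs is an operator input (for example from `ldd` on the serving
    # binary inside the container); this set is constructed for the demo.
    buckets = triage(findings, min_severity="MEDIUM",
                     runtime_pkgs={"openssl-libs", "glibc"})
    for name, items in buckets.items():
        print(f"{name}: {[f['id'] for f in items]}")
    print("block deploy:", gate(buckets))
```

With the constructed report and runtime set, the fixable HIGH in `openssl-libs` lands in `fix_now` (and trips the gate), the CRITICAL in `glibc` with no fixed version is tracked rather than blocking, and the LOW in an editor binary that the serving process never loads is deferred to the next routine rebuild.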

Keeping risk low

  • Pin images by digest rather than a mutable tag, and update them on a regular cadence
  • Avoid granting elevated privileges to runtime pods/containers (no privileged mode, no added capabilities, no privilege escalation)
  • Prefer CPU-only images on nodes without GPUs; GPU images carry extra toolkit packages and therefore a larger CVE surface
  • Use SBOMs (see next page) to verify what’s inside
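The following editor-added example (not RamaLama project code) turns the checklist above into a policy check over a Kubernetes pod manifest: digest-pinned image reference, no privileged mode, no privilege escalation, all capabilities dropped, non-root execution, no host namespaces, and no GPU-flavoured image on a pod that requests no GPU. The two manifests are constructed, the digest is a placeholder, and the `cuda` name hint and the `nvidia.com/gpu` resource name are this example's assumptions about how GPU images and GPU nodes are identified.

```python
"""Least-privilege and pinning audit for a pod manifest.

Editor-added example, not RamaLama project code. The manifests below are
constructed; the digest is a placeholder (use the real one, e.g. from
`skopeo inspect --format '{{.Digest}}' docker://quay.io/ramalama/ramalama:latest`).
"""
import re

DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")
GPU_IMAGE_HINTS = ("cuda",)          # assumption: image flavours that need a GPU
GPU_RESOURCES = ("nvidia.com/gpu",)  # assumption: extended resource granting a GPU


def audit_container(c: dict, pod_sc: dict) -> list:
    """Return a list of problems for one container (empty means compliant)."""
    name = c.get("name", "?")
    image = c.get("image", "")
    sc = c.get("securityContext") or {}
    problems = []
    if not DIGEST_REF.search(image):
        problems.append(f"{name}: image {image!r} is not pinned by digest")
    if sc.get("privileged"):
        problems.append(f"{name}: privileged=true")
    if sc.get("allowPrivilegeEscalation", True):   # must be explicitly false
        problems.append(f"{name}: allowPrivilegeEscalation is not false")
    drop = [x.upper() for x in (sc.get("capabilities") or {}).get("drop", [])]
    if "ALL" not in drop:
        problems.append(f"{name}: capabilities.drop does not include ALL")
    if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
        problems.append(f"{name}: runAsNonRoot is not set")
    limits = (c.get("resources") or {}).get("limits") or {}
    wants_gpu = any(h in image.lower() for h in GPU_IMAGE_HINTS)
    has_gpu = any(r in limits for r in GPU_RESOURCES)
    if wants_gpu and not has_gpu:
        problems.append(f"{name}: GPU image without a GPU resource limit; "
                        "use the CPU-only image")
    return problems


def audit_pod(pod: dict) -> list:
    """Audit pod-level settings and every container (init containers too)."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    problems = []
    if spec.get("hostNetwork"):
        problems.append("pod: hostNetwork=true")
    if spec.get("hostPID"):
        problems.append("pod: hostPID=true")
    for c in list(spec.get("containers", [])) + list(spec.get("initContainers", [])):
        problems.extend(audit_container(c, pod_sc))
    return problems


# Constructed manifest with the weak settings the page warns against.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "ramalama-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "model",
            "image": "quay.io/ramalama/cuda:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

PLACEHOLDER_DIGEST = "sha256:" + "0" * 64   # constructed, not a real digest

# Constructed manifest with the corrected settings.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "ramalama-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "model",
            "image": "quay.io/ramalama/ramalama@" + PLACEHOLDER_DIGEST,
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
        }],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

Run the script and the weak manifest reports seven problems while the hardened one passes; wiring `audit_pod` into a CI step or an admission webhook is the natural next step, with the hint tuples extended to whatever GPU image flavours and device plugins your cluster actually uses.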
If you need help interpreting scan results for RamaLama images, open an issue on GitHub.