In late 2025, a team deploying ClickHouse on Kubernetes hit a familiar wall: their security scanner flagged three critical vulnerabilities in the base image of a widely used database container. Despite the team's assurance that the affected packages never touched analytics workloads, the security team froze the deployment. This scenario—where a functionally perfect container gets blocked because of irrelevant CVEs—is a common hurdle in enterprise environments. But there's a practical solution: Docker Hardened Images (DHI). This article walks you through six essential points to understand how DHI can turn a blocked deployment into a production-ready setup, using ClickHouse as the case study.
1. The ClickHouse Base Image Has an Unnecessary Attack Surface
ClickHouse, the open-source columnar database known for sub-second analytical queries, is one of Docker Hub's most pulled images, exceeding 100 million pulls. Its default image prioritizes developer convenience by bundling a full OS layer (like Ubuntu) with utilities, libraries, and tools that ease initial setup. For local development and testing, this is fine. But when that same image lands in a production environment, security scanners—such as Trivy or Snyk—discover hundreds of packages, including those with known Common Vulnerabilities and Exposures (CVEs). For instance, a simple system library like libcurl might have a critical CVE even though ClickHouse never uses it. The result: an artificially bloated attack surface that triggers security alarms and delays deployments.
2. Security Scanners Don't Distinguish Between Used and Unused Packages
Enterprise security tools operate on a “zero trust” model: they flag every CVE in every package present in the image, regardless of whether the containerized application actually invokes that package. For a database like ClickHouse, which typically communicates over simple HTTP (port 8123) or native TCP (port 9000)and does not require curl, wget, or bash at runtime, this blanket scanning creates countless false positives. The security team sees a list of CVEs and, lacking context, demands remediation. They may ask for risk exceptions, but many policies require that any “critical” or “high” CVE be patched or the image be rebuilt. This friction is exacerbated when the original image maintainer did not intend it for hardened production use—they optimized for ease-of-use, not enterprise compliance.
3. Docker Hardened Images Remove Everything Except the Essential
Docker Hardened Images (DHI) are purpose-built to eliminate this problem. They strip away every operating system component that is not strictly necessary to run the application. For ClickHouse, this means removing all system utilities (e.g., apt, dpkg, dpkg), shells like bash or sh, and even the package manager itself. The resulting image contains only the ClickHouse binary, its runtime dependencies (usually glibc and a few system libraries), and a minimal filesystem. Some DHIs use scratch or alpine as a base and then copy in only the required binaries. A typical hardened image can reduce the package count from over 100 to fewer than 10, slashing the CVE surface to near zero. For example, a scanned DHI for ClickHouse might show zero critical vulnerabilities simply because nothing extraneous is present.
4. ClickHouse's Architecture Allows for a Minimal Runtime
To appreciate why DHI works so well for ClickHouse, you need to understand its architecture. ClickHouse is designed as a single, self-contained binary. It does not rely on external databases, interpreters, or complex scripting. Its layered structure includes:
- Query Layer: Listens on ports, parses SQL into AST, and optimizes the query plan.
- Execution Engine: Runs query pipelines in parallel threads, leveraging vectorized instruction sets.
- Storage Engine (MergeTree): Writes data in compressed columnar
.binfiles, using sparse indexes to skip irrelevant data. - Pluggable Storage: Supports local disk, S3, HDFS, etc.
None of these components require a shell, a package manager, or standard Unix tools. The ClickHouse binary itself handles logging, configuration, and even system-level tasks. By stripping the OS, you remove dependencies that are never executed, reducing both the attack surface and the image size. This makes DHI not only more secure but also faster to pull and deploy.
5. Implementing a DHI Workflow for ClickHouse Requires Changes in Your CI/CD
To adopt hardened images, you must adjust your build and scan pipeline. Instead of pulling the official ClickHouse image from Docker Hub, you build a custom image starting from a minimal base (e.g., scatch or distroless) and copy the ClickHouse binary from the official image or a separate build stage. Use a multi-stage Dockerfile: the first stage compiles or downloads ClickHouse; the second stage copies only the binary into an empty base. Then run your security scanner against this new image. You'll likely see a dramatic reduction in findings. For example, the team referenced at the start of this article, after switching to a hardened image, reported zero critical CVEs and immediate approval from their security team. To maintain this, automate the rebuild whenever ClickHouse releases a new version to ensure you have the latest binary.
6. Beyond ClickHouse: The Universal Principle of Minimal Containers
While this guide focuses on ClickHouse, the same approach works for many containerized applications. The core principle is: only ship what the application needs to run. Any additional package is a potential liability. Enterprises that adopt this philosophy see fewer deployment blocks, faster image scans, and simpler compliance audits. Tools like Docker Hardened Images, distroless containers, or even building from alpine with careful package selection can all help. However, for databases like ClickHouse—where performance and reliability are paramount—the minimal approach also delivers leaner images that pull faster and occupy less disk space. In a world where security scanners are increasingly aggressive, hardening your images is no longer optional; it's a prerequisite for smooth production rollouts.
Conclusion
The story of the ClickHouse deployment blocked by irrelevant CVEs is not unique. It's a daily frustration for DevOps teams in regulated industries. Docker Hardened Images provide a straightforward remedy: eliminate the noise by removing everything unnecessary. By following the steps above—understanding the CVE problem, leveraging ClickHouse's binary-centric architecture, and building a minimal image—you can transform a blocked release into a production-ready artifact. The next time your security team sees a scanner report riddled with false positives, you'll have a ready answer: “We only ship what ClickHouse actually needs.”