Here’s a scenario: You do the right thing; you choose a minimal, hardened base image (like a Bitnami Secure Image (BSI) 😉) as your app’s foundation. You run a vulnerability scan expecting a clean bill of health, but instead, you get a massive wall of false positives. What gives? The culprit is your scanner failing to recognize the security patches the upstream maintainers applied behind the scenes.

This disconnect is a frustrating reality for teams trying to do “the right thing”. We’ve always admired Bitnami’s approach to building incredibly lean, secure container images (see PhotonOS). But we also know that if the open source ecosystem is going to build on these foundations, scanning tools need to stay in sync with the rest of the community.

That’s why we’re excited to share that Grype now natively supports PhotonOS vulnerability data. This update bridges the data gap. It also continues our proud collaboration with Bitnami to build a more secure, transparent, and quieter software supply chain. Teams no longer need to worry about false positives or missed vulnerabilities. Instead, they can confidently build on BSI knowing their risk is meaningfully reduced.

Scanning Hardened Container Images

As organizations strive to build secure applications, many have turned to minimal, hardened base images. While these lean images are excellent for reducing attack surface, accurately scanning them requires domain-specific software package analysis and vulnerability data. As a prime example of this, the BSI catalog provides stable software packaging methods as well as a specific vulnerability source to enable accurate scanning.

The Anchore team deployed a two-part technical update to our vulnerability data pipeline. First, we added a new PhotonOS vulnerability provider to Vunnel, the tool that fetches and normalizes our vulnerability data. Second, we updated the Grype database to include this new photon namespace in its daily builds. With these additions, we’re able to support scanning across the BSI software stack (from PhotonOS to the Bitnami-specific SBOM cataloger), adding it to the set of supported ecosystems.

You can review the complete technical details of this integration here.

What This Means for Your Security Posture

Going forward, users scanning PhotonOS-based environments, including the ecosystem of Bitnami container images, will see an immediate improvement in the accuracy and reliability of their security scans:

  • Increased Coverage: Grype now pulls directly from the official PhotonOS metadata, reliably catching genuine vulnerabilities it previously ignored.
  • Reduced Noise: By understanding PhotonOS-specific versions, Grype correctly identifies when a security fix has been backported, drastically reducing false alerts.
  • Seamless Updates: You don’t need to change your code. As long as you run grype db update, the new Photon provider is automatically utilized.
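As an added illustration (not Grype’s own matching code), the following shows why a scanner that compares only the upstream version misreports a backported fix, while one that compares the distro’s full RPM version-release against the distro advisory does not. The package name, versions and CVE id are constructed placeholders, and the version comparison is a simplified rpmvercmp.

```python
import re

# Constructed placeholders for illustration only (not real packages or advisories).
INSTALLED = {"name": "examplelib", "evr": "1.4.2-3.ph5"}      # as found in the image
UPSTREAM_RECORD = {"id": "CVE-XXXX-XXXXX", "fixed_upstream": "1.4.3"}
PHOTON_ADVISORY = {"id": "CVE-XXXX-XXXXX", "fixed_evr": "1.4.2-3.ph5"}  # fix backported

def _segments(s):
    # Alternating numeric and alphabetic runs, as rpmvercmp tokenizes them.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 (no tilde/caret handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric sorts after alphabetic
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings; the epoch is omitted for brevity."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def matches_upstream_only(pkg_evr, fixed_upstream):
    """Naive matching: strips the distro release and compares upstream versions."""
    return rpm_vercmp(pkg_evr.partition("-")[0], fixed_upstream) < 0

def matches_distro_aware(pkg_evr, fixed_evr):
    """Distro-aware matching: compares the full version-release with the advisory."""
    return evr_cmp(pkg_evr, fixed_evr) < 0

def compare_strategies(pkg=INSTALLED, upstream=UPSTREAM_RECORD, advisory=PHOTON_ADVISORY):
    """Returns the verdict each strategy reaches for the same installed package."""
    return {
        "upstream_only": matches_upstream_only(pkg["evr"], upstream["fixed_upstream"]),
        "distro_aware": matches_distro_aware(pkg["evr"], advisory["fixed_evr"]),
    }

if __name__ == "__main__":
    print(compare_strategies())  # {'upstream_only': True, 'distro_aware': False}
```

The upstream-only strategy reports a finding because 1.4.2 is below the upstream fix, while the distro-aware strategy sees that release 3.ph5 already carries the backport; a package at 1.4.2-2.ph5 would still be flagged by both.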

Anchore’s Commitment to the Open Source Supply Chain

This update is about more than just a new data feed. It’s about giving developers their time back. You shouldn’t have to waste hours chasing down inaccurate data. Anchore takes its commitment to the open source community seriously. Our partnerships with other leading OSS contributors, like Bitnami, are our way of putting our money where our mouth is.

Ready to see the difference? Run grype db update to grab the latest PhotonOS data, and point Grype at your base images. We encourage the community to grab the latest version of Grype and try scanning Bitnami Secure Images today!