Argo CD Security-Hardened Images

Security Scan 2024-12-16

Argo CD security-hardened images include precisely what is needed to run Argo CD. As a result, we build smaller-sized images with a reduced number of CVEs. By not including a package manager and inserting the needed runtime dependencies, the attack surface is significantly reduced.

Below you will find the weekly-updated security scans of Akuity's security-hardened Argo CD images compared with the open source images.

Akuity v2.13.2-distroless vs Argo CD v2.13.2

Full list of open source Argo CD vulnerabilities in this release

`quay.io/akuity/argocd:v2.13.2-distroless`

Vulnerabilities (0)

`usr/local/bin/argocd`

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`golang.org/x/crypto`	CVE-2024-45337	CRITICAL	v0.27.0	0.31.0

`usr/local/bin/gpg-wrapper.sh`

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2024-34156	HIGH	v1.21.13	1.22.7, 1.23.1

`usr/local/bin/helm`

Vulnerabilities (2)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`golang.org/x/crypto`	CVE-2024-45337	CRITICAL	v0.25.0	0.31.0
`stdlib`	CVE-2024-34156	HIGH	v1.22.6	1.22.7, 1.23.1

`usr/local/bin/kustomize`

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2024-34156	HIGH	v1.21.12	1.22.7, 1.23.1

Akuity v2.12.8-distroless vs Argo CD v2.12.8

Full list of open source Argo CD vulnerabilities in this release

`quay.io/akuity/argocd:v2.12.8-distroless`

Vulnerabilities (0)

`usr/local/bin/argocd`

Vulnerabilities (4)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`golang.org/x/crypto`	CVE-2024-45337	CRITICAL	v0.23.0	0.31.0
`k8s.io/kubernetes`	CVE-2024-10220	HIGH	v1.29.6	1.28.12, 1.29.7, 1.30.3
`k8s.io/kubernetes`	CVE-2024-5321	HIGH	v1.29.6	1.27.16, 1.28.12, 1.29.7, 1.30.3
`stdlib`	CVE-2024-34156	HIGH	v1.22.4	1.22.7, 1.23.1

`usr/local/bin/gpg-wrapper.sh`

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2024-34156	HIGH	v1.21.13	1.22.7, 1.23.1

`usr/local/bin/helm`

Vulnerabilities (3)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`github.com/docker/docker`	CVE-2024-41110	CRITICAL	v25.0.5+incompatible	23.0.15, 26.1.5, 27.1.1, 25.0.6
`golang.org/x/crypto`	CVE-2024-45337	CRITICAL	v0.21.0	0.31.0
`stdlib`	CVE-2024-34156	HIGH	v1.22.4	1.22.7, 1.23.1

`usr/local/bin/kustomize`

Vulnerabilities (2)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2024-24790	CRITICAL	v1.21.10	1.21.11, 1.22.4
`stdlib`	CVE-2024-34156	HIGH	v1.21.10	1.22.7, 1.23.1

Akuity v2.11.12-distroless vs Argo CD v2.11.12

Full list of open source Argo CD vulnerabilities in this release

`quay.io/akuity/argocd:v2.11.12-distroless`

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`git-lfs`	CVE-2024-45337	HIGH	3.5.1-r8	3.6.0-r3

`usr/local/bin/argocd`

Vulnerabilities (7)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`github.com/cloudflare/circl`	GHSA-9763-4f94-gfch	HIGH	v1.3.3	1.3.7
`golang.org/x/crypto`	CVE-2024-45337	CRITICAL	v0.19.0	0.31.0
`k8s.io/kubernetes`	CVE-2024-0793	HIGH	v1.26.11	1.27.0-alpha.1
`k8s.io/kubernetes`	CVE-2024-10220	HIGH	v1.26.11	1.28.12, 1.29.7, 1.30.3
`k8s.io/kubernetes`	CVE-2024-5321	HIGH	v1.26.11	1.27.16, 1.28.12, 1.29.7, 1.30.3
`stdlib`	CVE-2024-24790	CRITICAL	v1.21.10	1.21.11, 1.22.4
`stdlib`	CVE-2024-34156	HIGH	v1.21.10	1.22.7, 1.23.1

`usr/local/bin/gpg-wrapper.sh`

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2024-34156	HIGH	v1.21.13	1.22.7, 1.23.1

`usr/local/bin/helm`

Vulnerabilities (4)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`github.com/docker/docker`	CVE-2024-41110	CRITICAL	v24.0.9+incompatible	23.0.15, 26.1.5, 27.1.1, 25.0.6
`golang.org/x/crypto`	CVE-2024-45337	CRITICAL	v0.17.0	0.31.0
`stdlib`	CVE-2024-24790	CRITICAL	v1.21.9	1.21.11, 1.22.4
`stdlib`	CVE-2024-34156	HIGH	v1.21.9	1.22.7, 1.23.1

`usr/local/bin/kustomize`

Vulnerabilities (4)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Package	ID	Severity	Installed Version	Fixed Version
`stdlib`	CVE-2024-24790	CRITICAL	v1.20.10	1.21.11, 1.22.4
`stdlib`	CVE-2023-45283	HIGH	v1.20.10	1.20.11, 1.21.4, 1.20.12, 1.21.5
`stdlib`	CVE-2023-45288	HIGH	v1.20.10	1.21.9, 1.22.2
`stdlib`	CVE-2024-34156	HIGH	v1.20.10	1.22.7, 1.23.1

Security Scan 2024-12-16​

Akuity v2.13.2-distroless vs Argo CD v2.13.2​

quay.io/akuity/argocd:v2.13.2-distroless

Vulnerabilities (0)

usr/local/bin/argocd

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/gpg-wrapper.sh

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/helm

Vulnerabilities (2)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/kustomize

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Akuity v2.12.8-distroless vs Argo CD v2.12.8​

quay.io/akuity/argocd:v2.12.8-distroless

Vulnerabilities (0)

usr/local/bin/argocd

Vulnerabilities (4)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/gpg-wrapper.sh

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/helm

Vulnerabilities (3)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/kustomize

Vulnerabilities (2)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Akuity v2.11.12-distroless vs Argo CD v2.11.12​

quay.io/akuity/argocd:v2.11.12-distroless

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/argocd

Vulnerabilities (7)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/gpg-wrapper.sh

Vulnerabilities (1)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/helm

Vulnerabilities (4)

The below table displays CRITICAL and HIGH severence vulnerabilities only

usr/local/bin/kustomize

Vulnerabilities (4)

The below table displays CRITICAL and HIGH severence vulnerabilities only

Security Scan 2024-12-16

Akuity v2.13.2-distroless vs Argo CD v2.13.2

`quay.io/akuity/argocd:v2.13.2-distroless`

`usr/local/bin/argocd`

`usr/local/bin/gpg-wrapper.sh`

`usr/local/bin/helm`

`usr/local/bin/kustomize`

Akuity v2.12.8-distroless vs Argo CD v2.12.8

`quay.io/akuity/argocd:v2.12.8-distroless`

`usr/local/bin/argocd`

`usr/local/bin/gpg-wrapper.sh`

`usr/local/bin/helm`

`usr/local/bin/kustomize`

Akuity v2.11.12-distroless vs Argo CD v2.11.12

`quay.io/akuity/argocd:v2.11.12-distroless`

`usr/local/bin/argocd`

`usr/local/bin/gpg-wrapper.sh`

`usr/local/bin/helm`

`usr/local/bin/kustomize`