ConScan Image Scan Dashboard

ConScan, a tool from Peek8.io, scans everything in an image!

Image Information

Image Name: ghcr.io/peek8/conscan-sample/alpine-secret:main
Base OS: alpine 3.22.0_alpha20250108
Architecture: linux/amd64
Size: 8 MB
Scan Date: 2025-10-16 10:32:26 UTC
Scanner Version: ConScan v0.01.1

Critical Vulnerabilities: 0
High Vulnerabilities: 4
Exposed Secrets: 3
Installed Packages: 16
CIS Violations: 4
Storage Efficiency: 100.00%
Package Vulnerabilities
20 Total

CVE             Severity  CVSS  Package        Installed    Fixed       Summary
CVE-2025-9230   High      7.50  libcrypto3     3.3.2-r4     3.5.4-r0    openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap
CVE-2025-9230   High      7.50  libssl3        3.3.2-r4     3.5.4-r0    openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap
CVE-2025-26519  High      8.10  musl-utils     1.2.5-r9     1.2.5-r10   musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write ...
CVE-2025-26519  High      8.10  musl           1.2.5-r9     1.2.5-r10   musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write ...
CVE-2025-9232   Medium    5.90  libssl3        3.3.2-r4     3.5.4-r0    openssl: Out-of-bounds read in HTTP client no_proxy handling
CVE-2025-9231   Medium    6.50  libcrypto3     3.3.2-r4     3.5.4-r0    openssl: Timing side-channel in SM2 algorithm on 64 bit ARM
CVE-2024-12797  Medium    6.30  libcrypto3     3.3.2-r4     3.3.3-r0    openssl: RFC7250 handshakes with unauthenticated servers don't abort as expected
CVE-2025-4575   Medium    6.50  libcrypto3     3.3.2-r4     3.5.1-r0    Issue summary: Use of -addreject option with the openssl x509 applicat ...
CVE-2024-12797  Medium    6.30  libssl3        3.3.2-r4     3.3.3-r0    openssl: RFC7250 handshakes with unauthenticated servers don't abort as expected
CVE-2025-4575   Medium    6.50  libssl3        3.3.2-r4     3.5.1-r0    Issue summary: Use of -addreject option with the openssl x509 applicat ...
CVE-2024-13176  Medium    4.10  libcrypto3     3.3.2-r4     3.3.2-r5    openssl: Timing side-channel in ECDSA signature computation
CVE-2025-9231   Medium    6.50  libssl3        3.3.2-r4     3.5.4-r0    openssl: Timing side-channel in SM2 algorithm on 64 bit ARM
CVE-2025-9232   Medium    5.90  libcrypto3     3.3.2-r4     3.5.4-r0    openssl: Out-of-bounds read in HTTP client no_proxy handling
CVE-2024-13176  Medium    4.10  libssl3        3.3.2-r4     3.3.2-r5    openssl: Timing side-channel in ECDSA signature computation
CVE-2024-58251  Low       2.50  busybox        1.37.0-r10   1.37.0-r24  In netstat in BusyBox through 1.37.0, local users can launch of networ ...
CVE-2024-58251  Low       2.50  ssl_client     1.37.0-r10   1.37.0-r24  In netstat in BusyBox through 1.37.0, local users can launch of networ ...
CVE-2024-58251  Low       2.50  busybox-binsh  1.37.0-r10   1.37.0-r24  In netstat in BusyBox through 1.37.0, local users can launch of networ ...
CVE-2025-46394  Low       3.30  busybox        1.37.0-r10   -           In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through...
CVE-2025-46394  Low       3.30  busybox-binsh  1.37.0-r10   -           In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through...
CVE-2025-46394  Low       3.30  ssl_client     1.37.0-r10   -           In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through...
Exposed Secrets
3 Found
Asymmetric Private Key
HIGH
Location: /rsa.private:1:9
Pattern: -----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Slack Webhook
MEDIUM
Location: /secrets.txt:1:4
Pattern: # Fake Slack Webhook
SLACK_WEBHOOK=*****************************************************************************
GitHub Personal Access Token
CRITICAL
Location: Environment Variables
Pattern: "Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GITHUB_TOKEN=****************************************6759"
],
CIS Benchmark Violations
4 Issues
CIS-DI-0010: Do not store credential in environment variables/files
FATAL
Suspicious ENV key found : GITHUB_TOKEN on ENV GITHUB_TOKEN=******* (You can suppress it with --accept-key)
CIS-DI-0001: Create a user for the container
WARN
Last user should not be root
CIS-DI-0005: Enable Content trust for Docker
INFO
export DOCKER_CONTENT_TRUST=1 before docker pull/build
CIS-DI-0006: Add HEALTHCHECK instruction to the container image
INFO
not found HEALTHCHECK statement
Storage Analysis
0 B Wasted

Analysis Summary

Efficiency: 100.00%
Wasted Bytes: 0 B
User Wasted Percent: 0.00%

Inefficient Files (Count / Wasted Space / File Path): none listed

Results:

PASS highestUserWastedPercent
PASS lowestEfficiency
Result: PASS [Total:3] [Passed:2] [Failed:0] [Warn:0] [Skipped:1]
Installed Packages
16 Total
alpine-baselayout
3.6.8-r1
License: GPL-2.0-only
Description: Alpine base dir structure and init scripts
alpine-baselayout-data
3.6.8-r1
License: GPL-2.0-only
Description: Alpine base dir structure and init scripts
alpine-keys
2.5-r0
License: MIT
Description: Public keys for Alpine Linux packages
alpine-release
3.22.0_alpha20250108-r0
License: MIT
Description: Alpine release data
apk-tools
2.14.7-r0
License: GPL-2.0-only
Description: Alpine Package Keeper - package manager for alpine
busybox
1.37.0-r10
License: GPL-2.0-only
Description: Size optimized toolbox of many common UNIX utilities
busybox-binsh
1.37.0-r10
License: GPL-2.0-only
Description: busybox ash /bin/sh
ca-certificates-bundle
20241121-r1
License: (MPL-2.0 AND MIT)
Description: Pre generated bundle of Mozilla certificates
ghcr.io/peek8/conscan-sample/alpine-secret
main
License: NOASSERTION
Description: -
Source: NOASSERTION
libcrypto3
3.3.2-r4
License: Apache-2.0
Description: Crypto library from openssl
libssl3
3.3.2-r4
License: Apache-2.0
Description: SSL shared libraries
musl
1.2.5-r9
License: MIT
Description: the musl c library (libc) implementation
musl-utils
1.2.5-r9
License: (MIT AND BSD-2-Clause AND GPL-2.0-or-later)
Description: the musl c library (libc) implementation
scanelf
1.3.8-r1
License: GPL-2.0-only
Description: Scan ELF binaries for stuff
ssl_client
1.37.0-r10
License: GPL-2.0-only
Description: External ssl_client for busybox wget
zlib
1.3.1-r2
License: Zlib
Description: A compression/decompression Library