Application Security Scans Failing on Zeebe 8.5

We are using the self-managed Zeebe 8.5 version to execute workflows. One of our clients requested an application security scan through Deepfactor, which scans running k8s containers.

We observed that there are 67 vulnerabilities (some of which I have attached as screenshots below). The Elasticsearch Bitnami container showed 1429 vulnerabilities.

With such a high number of security issues, I would like to know how others are tackling such challenges when they deploy Zeebe with Elasticsearch in production. Are security scans done? If so, what tools are used? If not, how are application security compliance standards met?

It would be great to get some inputs.
Thanks.

Running the scan for different versions of Zeebe and will keep you posted.

Ran the scan with the Trivy scanner for the latest Camunda Zeebe/Keycloak/Elasticsearch. The list seems to be higher.

I would recommend the product team take a look at these reports.

Chart: Releases · camunda/camunda-platform-helm · GitHub

Did further research on this issue.

I used the Keycloak image 26.0.1 from Camunda and Keycloak. Camunda has the same effect, but the Keycloak image built by Red Hat does not have HIGH vulnerabilities.

For Elasticsearch, I tested with Elastic instead of Bitnami and found no HIGH vulnerabilities. Images attached.

@jgeek1, maybe you can use the alternate image from Elastic instead of the Bitnami images.

@Camunda product team, any update on this security issue on the Bitnami images?
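The comparison done above (scanning the Bitnami image against the Elastic one and looking at HIGH/CRITICAL counts) is easier to repeat and gate on when the scanner's JSON output is summarized by a script. The following is an added example, not code from this thread or from Camunda, Elastic or Trivy. It assumes Trivy's JSON report layout (a top-level `Results` list whose entries have a `Target` and a `Vulnerabilities` list, each finding carrying `VulnerabilityID`, `PkgName`, `Severity` and optionally `FixedVersion`); the two embedded reports and their CVE identifiers are constructed placeholders, not real scan results.

```python
"""Summarize and compare Trivy JSON reports by severity.

Added example (not from the forum thread or from Camunda/Trivy). It
assumes the Trivy JSON layout: a top-level "Results" list whose entries
carry a "Target" and a "Vulnerabilities" list, each vulnerability having
"VulnerabilityID", "PkgName", "Severity" and optionally "FixedVersion".
The report contents below are constructed sample data with placeholder
IDs, not real scan output.
"""
import json
from collections import Counter
from typing import Dict

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample reports keyed by image name (placeholder IDs, not real CVEs).
SAMPLE_REPORTS = {
    "example/elasticsearch-bitnami:placeholder": json.dumps({
        "Results": [
            {"Target": "os-packages", "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libfoo",
                 "Severity": "HIGH", "FixedVersion": "1.2.4"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libbar",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libbaz",
                 "Severity": "MEDIUM", "FixedVersion": ""},
            ]},
            {"Target": "Java", "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00004", "PkgName": "some-jar",
                 "Severity": "CRITICAL", "FixedVersion": "2.0.0"},
            ]},
        ]
    }),
    "example/elasticsearch-elastic:placeholder": json.dumps({
        "Results": [
            {"Target": "os-packages", "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00005", "PkgName": "libqux",
                 "Severity": "LOW"},
            ]},
            {"Target": "Java"},  # a clean target has no "Vulnerabilities" key
        ]
    }),
}


def summarize(report_json: str) -> Dict[str, int]:
    """Return per-severity counts plus how many findings have a fix available.

    Unrecognised severities are bucketed as UNKNOWN rather than dropped, so
    the total always matches what the scanner reported.
    """
    report = json.loads(report_json)
    counts = Counter({s: 0 for s in SEVERITIES})
    counts["fixable"] = 0
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in SEVERITIES else "UNKNOWN"] += 1
            if vuln.get("FixedVersion"):  # empty string means no fix yet
                counts["fixable"] += 1
    counts["total"] = sum(counts[s] for s in SEVERITIES)
    return dict(counts)


def exceeds_threshold(summary: Dict[str, int], max_high_or_critical: int = 0) -> bool:
    """Policy gate: True when HIGH+CRITICAL findings exceed the allowed number."""
    return summary["CRITICAL"] + summary["HIGH"] > max_high_or_critical


def compare_images(reports: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Summarize several images so alternative base images can be compared side by side."""
    return {image: summarize(raw) for image, raw in reports.items()}


if __name__ == "__main__":
    for image, summary in compare_images(SAMPLE_REPORTS).items():
        gate = "FAIL" if exceeds_threshold(summary) else "PASS"
        print(f"{image}: {summary} -> {gate}")
```

In practice the report strings come from `trivy image --format json <image>` run against each candidate image; feeding the resulting files to `compare_images` gives the same side-by-side view as the screenshots in the thread, and `exceeds_threshold` can be used as a CI gate so a new HIGH or CRITICAL finding in the chart's images fails the pipeline instead of surfacing in a client's scan.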