NGINX
Hardened NGINX web server
Pull command:
podman pull ghcr.io/armorred/nginx
High-performance HTTP server and reverse proxy, hardened for production use.
Features
- Non-root execution by default
- Removed unnecessary modules
- Hardened TLS configuration
- Read-only filesystem compatible
- Minimal attack surface
Available Tags
Usage
$ podman run -d -p 8080:8080 ghcr.io/armorred/nginx:latest
Security Analysis
Vulnerability Analysis
98.9% reduction
- upstream: 93 total
- hardened: 1 total
- locked: 1 total
Vulnerability details (93 upstream)
| CVE ID | Severity | Package | Version | Fixed In |
|---|---|---|---|---|
| DEBIAN-CVE-2011-3374 | low | apt | 2.6.1 | unfixed |
| DEBIAN-CVE-2022-3715 | high | bash | 5.2.15-2+b7 | 5.2-1 |
| DEBIAN-CVE-2016-2781 | medium | coreutils | 9.1-1 | 9.4-1 |
| DEBIAN-CVE-2017-18018 | medium | coreutils | 9.1-1 | unfixed |
| DEBIAN-CVE-2024-0684 | medium | coreutils | 9.1-1 | 9.5-1 |
| DEBIAN-CVE-2025-5278 | medium | coreutils | 9.1-1 | unfixed |
| DEBIAN-CVE-2021-22922 | medium | curl | 7.88.1-10+deb12u12 | 7.79.1-1 |
| DEBIAN-CVE-2021-22923 | medium | curl | 7.88.1-10+deb12u12 | 7.79.1-1 |
| DEBIAN-CVE-2022-42916 | high | curl | 7.88.1-10+deb12u12 | 7.86.0-1 |
| DEBIAN-CVE-2022-43551 | high | curl | 7.88.1-10+deb12u12 | 7.86.0-3 |
| DEBIAN-CVE-2023-23914 | critical | curl | 7.88.1-10+deb12u12 | 7.88.1-1 |
| DEBIAN-CVE-2023-23915 | medium | curl | 7.88.1-10+deb12u12 | 7.88.1-1 |
| DEBIAN-CVE-2023-28320 | medium | curl | 7.88.1-10+deb12u12 | 7.88.1-10 |
| DEBIAN-CVE-2023-38039 | high | curl | 7.88.1-10+deb12u12 | 7.88.1-10+deb12u3 |
| DEBIAN-CVE-2023-38545 | critical | curl | 7.88.1-10+deb12u12 | 7.74.0-1.3+deb11u10 |
| DEBIAN-CVE-2023-38546 | low | curl | 7.88.1-10+deb12u12 | 7.74.0-1.3+deb11u10 |
| DEBIAN-CVE-2023-46218 | medium | curl | 7.88.1-10+deb12u12 | 7.74.0-1.3+deb11u11 |
| DEBIAN-CVE-2023-46219 | medium | curl | 7.88.1-10+deb12u12 | 7.88.1-10+deb12u5 |
| DEBIAN-CVE-2024-0853 | medium | curl | 7.88.1-10+deb12u12 | 8.6.0-1 |
| DEBIAN-CVE-2024-11053 | low | curl | 7.88.1-10+deb12u12 | 7.88.1-10+deb12u10 |
| DEBIAN-CVE-2024-2004 | low | curl | 7.88.1-10+deb12u12 | 7.88.1-10+deb12u6 |
| DEBIAN-CVE-2024-2379 | medium | curl | 7.88.1-10+deb12u12 | 8.7.1-1 |
| DEBIAN-CVE-2024-2398 | high | curl | 7.88.1-10+deb12u12 | 7.74.0-1.3+deb11u12 |
| DEBIAN-CVE-2024-2466 | medium | curl | 7.88.1-10+deb12u12 | 8.7.1-1 |
| DEBIAN-CVE-2024-6197 | high | curl | 7.88.1-10+deb12u12 | 8.9.0-1 |
| DEBIAN-CVE-2024-6874 | medium | curl | 7.88.1-10+deb12u12 | 8.9.0-1 |
| DEBIAN-CVE-2024-7264 | medium | curl | 7.88.1-10+deb12u12 | 7.74.0-1.3+deb11u13 |
| DEBIAN-CVE-2024-8096 | medium | curl | 7.88.1-10+deb12u12 | 7.74.0-1.3+deb11u14 |
| DEBIAN-CVE-2024-9681 | medium | curl | 7.88.1-10+deb12u12 | 7.88.1-10+deb12u9 |
| DEBIAN-CVE-2025-0167 | low | curl | 7.88.1-10+deb12u12 | 7.88.1-10+deb12u11 |
| DEBIAN-CVE-2025-0665 | critical | curl | 7.88.1-10+deb12u12 | 8.12.0+git20250209.89ed161+ds-1 |
| DEBIAN-CVE-2025-0725 | high | curl | 7.88.1-10+deb12u12 | 8.12.0+git20250209.89ed161+ds-1 |
| DEBIAN-CVE-2025-10148 | medium | curl | 7.88.1-10+deb12u12 | 8.14.1-2+deb13u1 |
| DEBIAN-CVE-2025-10966 | medium | curl | 7.88.1-10+deb12u12 | 8.17.0~rc2-1 |
| DEBIAN-CVE-2025-11563 | unknown | curl | 7.88.1-10+deb12u12 | 8.14.1-2+deb13u2 |
| DEBIAN-CVE-2025-4947 | medium | curl | 7.88.1-10+deb12u12 | 8.14.0-1 |
| DEBIAN-CVE-2025-5025 | medium | curl | 7.88.1-10+deb12u12 | 8.14.0-1 |
| DEBIAN-CVE-2025-5399 | high | curl | 7.88.1-10+deb12u12 | 8.14.1-1 |
| DEBIAN-CVE-2025-9086 | high | curl | 7.88.1-10+deb12u12 | 8.14.1-2+deb13u1 |
| DEBIAN-CVE-2025-6297 | high | dpkg | 1.21.22 | 1.22.21 |
| DEBIAN-CVE-2025-1390 | medium | libcap2 | 1:2.66-4 | 1:2.44-1+deb11u1 |
| DEBIAN-CVE-2018-6829 | high | libgcrypt20 | 1.10.1-3 | unfixed |
| DEBIAN-CVE-2021-33560 | high | libgcrypt20 | 1.10.1-3 | 1.9.4-2 |
| DEBIAN-CVE-2024-2236 | medium | libgcrypt20 | 1.10.1-3 | unfixed |
| DEBIAN-CVE-2024-12133 | medium | libtasn1-6 | 4.19.0-2+deb12u1 | 4.16.0-2+deb11u2 |
| DEBIAN-CVE-2022-2309 | high | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u5 |
| DEBIAN-CVE-2022-49043 | high | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u6 |
| DEBIAN-CVE-2023-39615 | medium | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u6 |
| DEBIAN-CVE-2023-45322 | medium | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u6 |
| DEBIAN-CVE-2024-25062 | high | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u6 |
| DEBIAN-CVE-2024-34459 | high | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u8 |
| DEBIAN-CVE-2024-56171 | critical | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u6 |
| DEBIAN-CVE-2025-12863 | high | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.15.1+dfsg-0.4 |
| DEBIAN-CVE-2025-24928 | high | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u6 |
| DEBIAN-CVE-2025-27113 | high | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u6 |
| DEBIAN-CVE-2025-32414 | high | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u7 |
| DEBIAN-CVE-2025-32415 | high | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u7 |
| DEBIAN-CVE-2025-49794 | critical | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u8 |
| DEBIAN-CVE-2025-49796 | critical | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u8 |
| DEBIAN-CVE-2025-6021 | high | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u8 |
| DEBIAN-CVE-2025-6170 | low | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u8 |
| DEBIAN-CVE-2025-8732 | low | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | unfixed |
| DEBIAN-CVE-2025-9714 | medium | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.10+dfsg-6.7+deb11u9 |
| DSA-5949-1 | unknown | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.14+dfsg-1.3~deb12u2 |
| DSA-5990-1 | unknown | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | 2.9.14+dfsg-1.3~deb12u4 |
| DEBIAN-CVE-2009-4487 | unknown | nginx | 1.26.3-1~bookworm | unfixed |
| DEBIAN-CVE-2013-0337 | unknown | nginx | 1.26.3-1~bookworm | unfixed |
| DEBIAN-CVE-2023-44487 | high | nginx | 1.26.3-1~bookworm | 1.8.2-2 |
| DEBIAN-CVE-2025-23419 | medium | nginx | 1.26.3-1~bookworm | 1.18.0-6.1+deb11u4 |
| DEBIAN-CVE-2025-53859 | medium | nginx | 1.26.3-1~bookworm | 1.22.1-9+deb12u3 |
| DEBIAN-CVE-2023-6129 | medium | openssl | 3.0.15-1~deb12u1 | 3.0.13-1~deb12u1 |
| DEBIAN-CVE-2023-6237 | medium | openssl | 3.0.15-1~deb12u1 | 3.0.13-1~deb12u1 |
| DEBIAN-CVE-2024-0727 | medium | openssl | 3.0.15-1~deb12u1 | 1.1.1w-0+deb11u2 |
| DEBIAN-CVE-2024-12797 | medium | openssl | 3.0.15-1~deb12u1 | 3.4.1-1 |
| DEBIAN-CVE-2024-13176 | medium | openssl | 3.0.15-1~deb12u1 | 1.1.1w-0+deb11u3 |
| DEBIAN-CVE-2024-2511 | medium | openssl | 3.0.15-1~deb12u1 | 1.1.1w-0+deb11u2 |
| DEBIAN-CVE-2024-4603 | medium | openssl | 3.0.15-1~deb12u1 | 3.0.14-1~deb12u1 |
| DEBIAN-CVE-2024-4741 | high | openssl | 3.0.15-1~deb12u1 | 1.1.1w-0+deb11u2 |
| DEBIAN-CVE-2024-5535 | critical | openssl | 3.0.15-1~deb12u1 | 1.1.1w-0+deb11u2 |
| DEBIAN-CVE-2024-6119 | high | openssl | 3.0.15-1~deb12u1 | 3.0.14-1~deb12u2 |
| DEBIAN-CVE-2024-9143 | medium | openssl | 3.0.15-1~deb12u1 | 1.1.1w-0+deb11u2 |
| DEBIAN-CVE-2025-27587 | medium | openssl | 3.0.15-1~deb12u1 | 3.5.0-1 |
| DEBIAN-CVE-2025-4575 | medium | openssl | 3.0.15-1~deb12u1 | 3.5.0-2 |
| DEBIAN-CVE-2025-9230 | high | openssl | 3.0.15-1~deb12u1 | 1.1.1w-0+deb11u4 |
| DEBIAN-CVE-2025-9231 | medium | openssl | 3.0.15-1~deb12u1 | 3.5.1-1+deb13u1 |
| DEBIAN-CVE-2025-9232 | medium | openssl | 3.0.15-1~deb12u1 | 3.0.17-1~deb12u3 |
| DSA-6015-1 | unknown | openssl | 3.0.15-1~deb12u1 | 3.0.17-1~deb12u3 |
| DEBIAN-CVE-2005-2541 | unknown | tar | 1.34+dfsg-1.2+deb12u1 | unfixed |
| DEBIAN-CVE-2022-48303 | medium | tar | 1.34+dfsg-1.2+deb12u1 | 1.34+dfsg-1+deb11u1 |
| DEBIAN-CVE-2023-39804 | medium | tar | 1.34+dfsg-1.2+deb12u1 | 1.34+dfsg-1+deb11u1 |
| DEBIAN-CVE-2022-0563 | medium | util-linux | 2.38.1-5+deb12u3 | unfixed |
| DEBIAN-CVE-2024-28085 | low | util-linux | 2.38.1-5+deb12u3 | 2.36.1-8+deb11u2 |
| DEBIAN-CVE-2025-14104 | medium | util-linux | 2.38.1-5+deb12u3 | unfixed |
Binary Security Analysis
| Security Feature | upstream | hardened | locked |
|---|---|---|---|
| RELRO (memory protection) | full | full | full |
| Stack Canary (buffer overflow protection) | enabled | enabled | enabled |
| NX (non-executable stack) | enabled | enabled | enabled |
| PIE (position independent) | enabled | enabled | enabled |
| SafeStack (stack separation) | disabled | enabled | enabled |
| Clang CFI (control flow integrity) | disabled | disabled | enabled |
| FORTIFY_SOURCE (runtime checks) | 3/10 (30%) | 7/14 (50%) | 7/14 (50%) |
FORTIFY function details
hardened
- realpath fortified (4x)
- memcpy fortified (4x)
- recv unprotected (2x)
- vsnprintf fortified (2x)
- pread64 unprotected (2x)
- memmove fortified (4x)
- fprintf fortified (2x)
- memset unprotected (2x)
- gethostname fortified (2x)
- read fortified (4x)
locked
- realpath fortified (4x)
- memcpy fortified (4x)
- recv unprotected (2x)
- vsnprintf fortified (2x)
- pread64 unprotected (2x)
- memmove fortified (4x)
- fprintf fortified (2x)
- memset unprotected (2x)
- gethostname fortified (2x)
- read fortified (4x)
upstream
- realpath fortified (1x)
- memcpy fortified (2x)
- recv unprotected (1x)
- pread64 unprotected (1x)
- memmove fortified (2x)
- memset unprotected (1x)
- gethostname unprotected (1x)
- read unprotected (1x)
Version Analysis
nginx 1.26.3
Analyzed: 2025-12-07
- Size Reduction (Hardened): 38% (196.1 MB to 120.7 MB)
- Size Reduction (Locked): 63% (196.1 MB to 72.3 MB)
- Component Reduction: 87% (151 to 19 packages)
| Variant | Image | Size | Layers | Components |
|---|---|---|---|---|
| upstream | docker.io/nginx:1.26 | 196.1 MB | 7 | 151 |
| hardened | localhost/nginx:1.26.3-hardened | 120.7 MB | 22 | 19 |
| locked | localhost/nginx:1.26.3-locked | 72.3 MB | 23 | 20 |
Software Bill of Materials
upstream components (151)
- adduser 3.134
- apt 2.6.1
- base-files 12.4+deb12u10
- base-passwd 3.6.1
- bash 5.2.15-2+b7
- bsdutils 1:2.38.1-5+deb12u3
- ca-certificates 20230311
- coreutils 9.1-1
- curl 7.88.1-10+deb12u12
- dash 0.5.12-2
- debconf 1.5.82
- debian-archive-keyring 2023.3+deb12u1
- debianutils 5.7-0.5~deb12u1
- diffutils 1:3.8-4
- dpkg 1.21.22
- e2fsprogs 1.47.0-2
- findutils 4.9.0-4
- fontconfig-config 2.14.1-4
- fonts-dejavu-core 2.37-6
- gcc-12-base 12.2.0-14
- gettext-base 0.21-12
- gpgv 2.2.40-1.1
- grep 3.8-5
- gzip 1.12-1
- hostname 3.23+nmu1
- init-system-helpers 1.65.2
- libabsl20220623 20220623.1-1
- libacl1 2.3.1-3
- libaom3 3.6.0-1+deb12u1
- libapt-pkg6.0 2.6.1
- libattr1 1:2.5.1-4
- libaudit-common 1:3.0.9-1
- libaudit1 1:3.0.9-1
- libavif15 0.11.1-1
- libblkid1 2.38.1-5+deb12u3
- libbrotli1 1.0.9-2+b6
- libbsd0 0.11.7-2
- libbz2-1.0 1.0.8-5+b1
- libc-bin 2.36-9+deb12u10
- libc6 2.36-9+deb12u10
- libcap-ng0 0.8.3-1+b3
- libcap2 1:2.66-4
- libcom-err2 1.47.0-2
- libcrypt1 1:4.4.33-2
- libcurl4 7.88.1-10+deb12u12
- libdav1d6 1.0.0-2+deb12u1
- libdb5.3 5.3.28+dfsg2-1
- libde265-0 1.0.11-1+deb12u2
- libdebconfclient0 0.270
- libdeflate0 1.14-1
- libedit2 3.1-20221030-2
- libexpat1 2.5.0-1+deb12u1
- libext2fs2 1.47.0-2
- libffi8 3.4.4-1
- libfontconfig1 2.14.1-4
- libfreetype6 2.12.1+dfsg-5+deb12u4
- libgav1-1 0.18.0-1+b1
- libgcc-s1 12.2.0-14
- libgcrypt20 1.10.1-3
- libgd3 2.3.3-9
- libgeoip1 1.6.12-10
- libgmp10 2:6.2.1+dfsg1-1.1
- libgnutls30 3.7.9-2+deb12u4
- libgpg-error0 1.46-1
- libgssapi-krb5-2 1.20.1-2+deb12u2
- libheif1 1.15.1-1+deb12u1
- libhogweed6 3.8.1-2
- libicu72 72.1-3
- libidn2-0 2.3.3-1+b1
- libintl 0.21
- libjbig0 2.1-6.1
- libjpeg62-turbo 1:2.1.5-2
- libk5crypto3 1.20.1-2+deb12u2
- libkeyutils1 1.6.3-2
- libkrb5-3 1.20.1-2+deb12u2
- libkrb5support0 1.20.1-2+deb12u2
- libldap-2.5-0 2.5.13+dfsg-5
- liblerc4 4.0.0+ds-2
- liblz4-1 1.9.4-1
- liblzma5 5.4.1-1
- libmd0 1.0.4-2
- libmount1 2.38.1-5+deb12u3
- libnettle8 3.8.1-2
- libnghttp2-14 1.52.0-1+deb12u2
- libnuma1 2.0.16-1
- libp11-kit0 0.24.1-2
- libpam-modules 1.5.2-6+deb12u1
- libpam-modules-bin 1.5.2-6+deb12u1
- libpam-runtime 1.5.2-6+deb12u1
- libpam0g 1.5.2-6+deb12u1
- libpcre2-8-0 10.42-1
- libpng16-16 1.6.39-2
- libpsl5 0.21.2-1
- librav1e0 0.5.1-6
- librtmp1 2.4+20151223.gitfa8646d.1-2+b2
- libsasl2-2 2.1.28+dfsg-10
- libsasl2-modules-db 2.1.28+dfsg-10
- libseccomp2 2.5.4-1+deb12u1
- libselinux1 3.4-1+b6
- libsemanage-common 3.4-1
- libsemanage2 3.4-1+b5
- libsepol2 3.4-2.1
- libsmartcols1 2.38.1-5+deb12u3
- libss2 1.47.0-2
- libssh2-1 1.10.0-3+b1
- libssl3 3.0.15-1~deb12u1
- libstdc++6 12.2.0-14
- libsvtav1enc1 1.4.1+dfsg-1
- libsystemd0 252.36-1~deb12u1
- libtasn1-6 4.19.0-2+deb12u1
- libtiff6 4.5.0-6+deb12u2
- libtinfo6 6.4-4
- libudev1 252.36-1~deb12u1
- libunistring2 1.0-2
- libuuid1 2.38.1-5+deb12u3
- libwebp7 1.2.4-0.2+deb12u1
- libx11-6 2:1.8.4-2+deb12u2
- libx11-data 2:1.8.4-2+deb12u2
- libx265-199 3.5-2+b1
- libxau6 1:1.0.9-1
- libxcb1 1.15-1
- libxdmcp6 1:1.1.2-3
- libxml2 2.9.14+dfsg-1.3~deb12u1
- libxpm4 1:3.5.12-1.1+deb12u1
- libxslt1.1 1.1.35-1+deb12u1
- libxxhash0 0.8.1-1
- libyuv0 0.0~git20230123.b2528b0-1
- libzstd1 1.5.4+dfsg2-5
- login 1:4.13+dfsg1-1+b1
- logsave 1.47.0-2
- mawk 1.3.4.20200120-3.1
- mount 2.38.1-5+deb12u3
- ncurses-base 6.4-4
- ncurses-bin 6.4-4
- nginx 1.26.3-1~bookworm
- nginx-module-geoip 1.26.3-2~bookworm
- nginx-module-image-filter 1.26.3-2~bookworm
- nginx-module-njs 1.26.3+0.8.9-1~bookworm
- nginx-module-xslt 1.26.3-2~bookworm
- openssl 3.0.15-1~deb12u1
- passwd 1:4.13+dfsg1-1+b1
- perl-base 5.36.0-7+deb12u1
- sed 4.9-1
- sysvinit-utils 3.06-4
- tar 1.34+dfsg-1.2+deb12u1
- tzdata 2025b-0+deb12u1
- usr-is-merged 37~deb12u1
- util-linux 2.38.1-5+deb12u3
- util-linux-extra 2.38.1-5+deb12u3
- zlib1g 1:1.2.13.dfsg-1
- debian 12
hardened components (19)
- acl 2.3.2
- attr 2.5.2
- coreutils 9.5
- gcc 13.3.0
- gcc 13.3.0
- glibc 2.40
- gmp-with-cxx 6.3.0
- libidn2 2.3.7
- libunistring 1.2
- libxcrypt 4.4.36
- libxml2 2.13.8
- libxslt 1.1.42
- nginx 1.26.3
- openssl 3.3.3
- pcre2 10.44
- perl 5.40.0
- xgcc 13.3.0
- zlib 1.3.1
- zlib-ng 2.2.2
locked components (20)
- acl 2.3.2
- attr 2.5.2
- bash-interactive 5.2p37
- coreutils 9.5
- gcc 13.3.0
- gcc 13.3.0
- glibc 2.40
- gmp-with-cxx 6.3.0
- libidn2 2.3.7
- libunistring 1.2
- libxcrypt 4.4.36
- libxml2 2.13.8
- libxslt 1.1.42
- ncurses 6.4.20221231
- nginx 1.26.3
- openssl 3.3.3
- pcre2 10.44
- readline 8.2p13
- xgcc 13.3.0
- zlib-ng 2.2.2
Verify Image
$ cosign verify ghcr.io/armorred/nginx