What is the difference between patching the base image and patching the application dependency? [Intermediate]
Answer
Patching the base image fixes vulnerabilities in the operating-system layer and the common runtime packages it ships. Patching the application dependency fixes vulnerabilities in the libraries bundled with the application itself, such as Java jars, npm modules, Python wheels, or Go modules. Both are required because a container image stacks several layers of software, and each layer has its own source of fixes and its own owner.
Technical explanation
Base-image vulnerabilities come from packages installed in the image, for example OpenSSL, glibc, curl, or OS libraries.
Application dependency vulnerabilities come from the app build output, such as Log4j or lodash.
Image scanning should show which layer introduced the vulnerable component so the correct owner can fix it.
Hands-on example
Example: a CVE in openssl is fixed by moving the FROM line to a newer base image tag (or digest) and rebuilding; the application code does not change. A CVE in log4j-core is fixed by updating the version in pom.xml (or in the dependencyManagement section) and rebuilding; the base image does not change. After both fixes, push the rebuilt image, record its new digest, and deploy that digest rather than a mutable tag, so the running workload is provably the patched build.
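The routing step the explanation above describes, as an added example that is not part of the interview page: a small Python script that reads a scan report, decides for each finding whether the base-image owner or the application owner must act, and checks that a deployment reference is pinned to a digest rather than a tag. The report below is constructed for this example; its shape (a "Results" list whose entries carry a "Class" of "os-pkgs" or "lang-pkgs" and a "Layer" field) is only loosely modelled on common scanner output and is an assumption, as are the placeholder CVE ids, package versions and image name.

```python
"""Triage container-scan findings by the layer that introduced them.

Added example, not from the original page.  The report format is constructed
(loosely scanner-like) and every identifier in SAMPLE_REPORT is a placeholder.
"""
import json
import re

# Constructed sample report: one OS-package finding and one Java jar finding.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example/app:1.4.2",          # placeholder image
    "Results": [
        {
            "Target": "registry.example/app:1.4.2 (debian 12)",
            "Class": "os-pkgs",                              # base-image layer
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001",         # placeholder id
                 "PkgName": "openssl",
                 "InstalledVersion": "3.0.11-1",
                 "FixedVersion": "3.0.13-1",
                 "Layer": {"DiffID": "sha256:aaaa"}},
            ],
        },
        {
            "Target": "app/app.jar",
            "Class": "lang-pkgs",                            # application layer
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0002",         # placeholder id
                 "PkgName": "org.apache.logging.log4j:log4j-core",
                 "InstalledVersion": "2.14.1",
                 "FixedVersion": "2.17.1",
                 "Layer": {"DiffID": "sha256:bbbb"}},
            ],
        },
    ],
})

# Which team acts, and what the fix looks like, per scanner result class.
OWNER_BY_CLASS = {
    "os-pkgs": ("base-image",
                "bump the base image tag or digest on the FROM line and rebuild"),
    "lang-pkgs": ("app-dependency",
                  "update the dependency manifest (pom.xml, package.json, "
                  "requirements.txt, go.mod) and rebuild"),
}

# A digest-pinned reference looks like name@sha256:<64 hex chars>.
DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def triage(report_json):
    """Return one remediation record per vulnerability, attributing it to the
    layer class (and therefore the owner) that introduced the package."""
    report = json.loads(report_json)
    records = []
    for result in report.get("Results", []):
        cls = result.get("Class", "unknown")
        owner, action = OWNER_BY_CLASS.get(cls, ("unknown", "inspect manually"))
        for vuln in result.get("Vulnerabilities", []):
            records.append({
                "id": vuln["VulnerabilityID"],
                "package": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                # An empty FixedVersion means no upstream fix is available yet.
                "fixed": vuln.get("FixedVersion") or None,
                "layer": vuln.get("Layer", {}).get("DiffID", "?"),
                "owner": owner,
                "action": action,
            })
    return records


def by_owner(records):
    """Group vulnerability ids by the owner who has to ship the fix."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["owner"], []).append(rec["id"])
    return groups


def fully_fixable(records):
    """True when every finding has a fixed version to move to."""
    return all(rec["fixed"] for rec in records)


def is_digest_pinned(image_ref):
    """True only for an immutable digest reference, not a mutable tag."""
    return DIGEST_REF.match(image_ref) is not None


if __name__ == "__main__":
    recs = triage(SAMPLE_REPORT)
    for rec in recs:
        print(f"{rec['id']:<14} {rec['package']:<45} {rec['owner']:<15} {rec['action']}")
    print("grouped:", by_owner(recs))
    print("all fixable:", fully_fixable(recs))
    print("tag pinned?", is_digest_pinned("registry.example/app:1.4.2"))
```

Run as a script it prints one line per finding with the owner and the action; in a pipeline the same `triage` output would open one ticket per owner, and `is_digest_pinned` is the gate a deployment manifest must pass before the rollout is allowed.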