Quick Facts
- Category: Cloud Computing
- Published: 2026-05-01 17:41:50
- How to Get Started with Microsoft Discovery: A Step-by-Step Guide to Agentic R&D
- The Art of Storytelling in User Research: A Three-Act Framework
- South Dakota Hospital Offers On-Site Hotel for Patients and Families
- Wingtech's $1.3 Billion Loss and Delisting Risk: What Happened and What It Means
- The New Reality for UX Designers: Juggling Design, Code, and AI in 2026
Introduction
In late 2025, a team self-hosting Langfuse, an open-source LLM observability platform, on Kubernetes uploaded their ClickHouse image to AWS ECR during production preparation. The pipeline scanner flagged three critical vulnerabilities—not in ClickHouse itself, but in the base image. Their security team saw the findings and blocked deployment before it reached production.
“Our security team is not allowing us to take it to production. Please suggest alternatives.” — vinaygoel586, GitHub Issue #286, November 28, 2025
If you’ve shipped containers into an enterprise environment recently, this scenario will sound familiar. A perfectly functional deployment gets blocked not because something is broken, but because a scanner discovered CVEs in packages the application never even touches. A day is spent investigating findings, a risk exception is drafted, and the security team still rejects it—because the vulnerabilities are technically real, even if they’re practically irrelevant to your workload.
This article explains how Docker Hardened Images (DHI) gets you unstuck when a security team blocks a container deployment due to CVEs. We’ll specifically examine the ClickHouse image, one of the most widely pulled database images on Docker Hub.
The Challenge: Security Blockades in Enterprise Deployments
Modern container scanning tools automatically check every layer of an image. They report vulnerabilities from the base operating system packages—often unused by the application. Security teams, bound by compliance policies, cannot ignore high-severity CVEs, even if they are in packages like libcurl or openssl that ClickHouse never invokes. This leads to deployment freezes, manual exception processes, and delays.
Docker Hardened Images address this by stripping away everything unnecessary: minimal base layers, only the essential runtime dependencies, and no package managers or shell access. The result is an image with a drastically reduced attack surface and, crucially, far fewer CVEs to flag.
What is ClickHouse?
ClickHouse is an open-source columnar database built for analytical workloads at scale. It queries billions of rows and returns results in milliseconds—something traditional row-oriented databases cannot match. Companies such as Cloudflare, Uber, and Spotify all run it in production. With over 100 million pulls from Docker Hub, it has become the default infrastructure choice for teams needing serious analytics throughput.
The default security posture of the ClickHouse image, however, was designed with developer ease-of-use in mind rather than the hardening that enterprise production environments demand. That gap is where the trouble starts.
How ClickHouse is Structured
ClickHouse follows a layered architecture designed for analytical speed at scale.
Query Processing Layer
SQL queries arrive over HTTP (port 8123) or TCP (port 9000). The query optimizer parses the statement into an abstract syntax tree (AST), applies pruning, and hands the work off to the pipeline executor. The executor distributes tasks across parallel threads for maximum throughput.
Storage Engine: MergeTree
Beneath the query layer sits the MergeTree storage engine—the heart of ClickHouse. Data is stored in columnar .bin files. A sparse primary index allows ClickHouse to skip irrelevant granules without reading entire columns. Background merge processes compact parts over time, maintaining query performance.
Pluggable Storage
At the bottom, storage is pluggable: local disk, Amazon S3, HDFS, or any object store. This flexibility makes ClickHouse suitable for both on-premise and cloud-native deployments.
How Docker Hardened Images Solve the CVE Problem
Docker Hardened Images (DHI) are built from scratch—or from minimal base images like Alpine Linux, Distroless, or Wolfi. They include only the binaries and libraries needed to run the application. For ClickHouse, that means:
- No shell (e.g.,
/bin/bash) or package manager (apt,yum) - No unused system utilities (e.g.,
curl,wget,sudo) - Minimal set of shared libraries required by the ClickHouse binary
The result is a dramatic reduction in CVEs. A typical hardened ClickHouse image shows zero or only a handful of low-severity findings—all of which are quickly dismissible because they exist in unused code paths.
From Blocked to Prod-Ready
Returning to the Langfuse team’s situation: after switching to a Docker Hardened Image for ClickHouse, the pipeline scan came back clean. The three critical vulnerabilities were gone because the offending base image packages were removed. The security team approved the deployment, and production rollout proceeded without delays.
Conclusion
Security scanners are a fact of modern containerized deployments. But a team doesn’t have to choose between robust security and operational speed. Docker Hardened Images provide a pragmatic path: keep the application you love—ClickHouse—while eliminating the unnecessary baggage that triggers false-positive CVE alerts.
By adopting hardened images, organizations can stop fighting scanner reports on irrelevant packages and focus on what matters: running a high-performance analytics database in production, securely and efficiently.
For teams already self-hosting Langfuse or similar observability stacks, switching to a ClickHouse DHI is often the single change that turns a security block into a production-ready green light.