Skip to content

security(docker): hardened Triton + DeepStream containers (CVE-gated, functionally verified)#7

Merged
davidamacey merged 1 commit into
mainfrom
hardened/triton-deepstream-cve
Jul 6, 2026
Merged

security(docker): hardened Triton + DeepStream containers (CVE-gated, functionally verified)#7
davidamacey merged 1 commit into
mainfrom
hardened/triton-deepstream-cve

Conversation

@davidamacey

Copy link
Copy Markdown
Owner

Hardened, CVE-gated NVIDIA Triton + DeepStream containers

Independent, latest-version hardened container builds that pass a CRITICAL/HIGH CVE scan gate while staying fully functional — they load models, build TensorRT engines, and serve inference.

Results (Trivy 0.67.1 — CRITICAL / HIGH)

Image Base image Hardened Functional test (RTX A6000)
triton-hardened:26.06 (FROM tritonserver:26.06-py3) 16 / 214 0 / 0 — no waivers trtexec engine build + ONNX & TensorRT serving + correct inference
deepstream-hardened:9.0 (FROM deepstream:9.0-triton-multiarch) 1 / 19 0 / 0 — 3 CVEs VEX'd ✅ detector pipeline @ ~950 FPS

How the hardening works

  • Ubuntu-only apt upgrade — NVIDIA CUDA/TensorRT stay pinned to the release (a naive upgrade drifts TensorRT and breaks the backend).
  • apt purge linux-libc-dev — cascade-removes the compile-time toolchain, deleting the kernel-header CVEs (the bulk of CRITICAL/HIGH). trtexec/libnvinfer remain, so engine builds + serving still work.
  • Remove Nsight profilers — dev-only, ships a Go binary whose stdlib carried the rest.
  • pip upgrade starlette + fastapi; non-root runtime; cleaned caches.
  • DeepStream also wipes the GStreamer registry cache so plugins rescan with the GPU at runtime.

The one documented "cannot-fix-yet" item

CVE-2025-3887 (gst-plugins-bad H.265 parser RCE) has no Ubuntu fix yet and the plugin can't be removed — waived with justification in docker/hardened/deepstream/trivyignore.txt (plus two vendored build-tool CVEs).

Contents

  • docker/hardened/{triton,deepstream}/Dockerfile + deepstream/trivyignore.txt (VEX)
  • docker/hardened/test/ — reproducible functional test harness (engine build + serve + infer)
  • docs/security/ — full CVE remediation writeup + hardening plan + remediation backlog

Build/scan/test commands are in docker/hardened/README.md.

…E remediation

Independent, latest-version NVIDIA Triton Inference Server and DeepStream
container builds hardened to pass a CRITICAL/HIGH CVE scan gate while still
loading models, building TensorRT engines, and serving inference.

Results (Trivy CRITICAL/HIGH):
- triton-hardened:26.06    16/214 -> 0/0  (no waivers)
- deepstream-hardened:9.0    1/19 -> 0/0  (3 CVEs VEX'd, documented)

Hardening: Ubuntu-only apt upgrade (NVIDIA CUDA/TensorRT pinned), purge
linux-libc-dev (removes kernel-header CVEs + build toolchain), remove Nsight
profilers (Go stdlib CVEs), upgrade starlette/fastapi, non-root runtime.
DeepStream also wipes the GStreamer registry cache so plugins rescan with the
GPU at runtime.

Verified on an A6000: Triton builds a TensorRT engine and serves ONNX + TRT
models with correct inference; DeepStream runs a detector pipeline at ~950 FPS.

Includes Dockerfiles, a functional test harness, a documented VEX file for the
one unfixable HIGH (gst-plugins-bad H.265 CVE-2025-3887, no Ubuntu fix yet),
and a full security review under docs/security/.
@davidamacey davidamacey merged commit c287cd5 into main Jul 6, 2026
3 checks passed
@davidamacey davidamacey deleted the hardened/triton-deepstream-cve branch July 6, 2026 08:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant