security(docker): hardened Triton + DeepStream containers (CVE-gated, functionally verified)#7
Merged
Conversation
…E remediation Independent, latest-version NVIDIA Triton Inference Server and DeepStream container builds hardened to pass a CRITICAL/HIGH CVE scan gate while still loading models, building TensorRT engines, and serving inference. Results (Trivy CRITICAL/HIGH): - triton-hardened:26.06 16/214 -> 0/0 (no waivers) - deepstream-hardened:9.0 1/19 -> 0/0 (3 CVEs VEX'd, documented) Hardening: Ubuntu-only apt upgrade (NVIDIA CUDA/TensorRT pinned), purge linux-libc-dev (removes kernel-header CVEs + build toolchain), remove Nsight profilers (Go stdlib CVEs), upgrade starlette/fastapi, non-root runtime. DeepStream also wipes the GStreamer registry cache so plugins rescan with the GPU at runtime. Verified on an A6000: Triton builds a TensorRT engine and serves ONNX + TRT models with correct inference; DeepStream runs a detector pipeline at ~950 FPS. Includes Dockerfiles, a functional test harness, a documented VEX file for the one unfixable HIGH (gst-plugins-bad H.265 CVE-2025-3887, no Ubuntu fix yet), and a full security review under docs/security/.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hardened, CVE-gated NVIDIA Triton + DeepStream containers
Independent, latest-version hardened container builds that pass a CRITICAL/HIGH CVE scan gate while staying fully functional — they load models, build TensorRT engines, and serve inference.
Results (Trivy 0.67.1 — CRITICAL / HIGH)
triton-hardened:26.06(FROMtritonserver:26.06-py3)trtexecengine build + ONNX & TensorRT serving + correct inferencedeepstream-hardened:9.0(FROMdeepstream:9.0-triton-multiarch)How the hardening works
apt upgrade— NVIDIA CUDA/TensorRT stay pinned to the release (a naive upgrade drifts TensorRT and breaks the backend).apt purge linux-libc-dev— cascade-removes the compile-time toolchain, deleting the kernel-header CVEs (the bulk of CRITICAL/HIGH).trtexec/libnvinferremain, so engine builds + serving still work.stdlibcarried the rest.pip upgrade starlette + fastapi; non-root runtime; cleaned caches.The one documented "cannot-fix-yet" item
CVE-2025-3887(gst-plugins-bad H.265 parser RCE) has no Ubuntu fix yet and the plugin can't be removed — waived with justification indocker/hardened/deepstream/trivyignore.txt(plus two vendored build-tool CVEs).Contents
docker/hardened/{triton,deepstream}/Dockerfile+deepstream/trivyignore.txt(VEX)docker/hardened/test/— reproducible functional test harness (engine build + serve + infer)docs/security/— full CVE remediation writeup + hardening plan + remediation backlogBuild/scan/test commands are in
docker/hardened/README.md.