ClickHouse on Docker Hardened Images: How to Bypass Security Blocks in Production Deployments

In late 2025, a team deploying Langfuse on Kubernetes encountered a common enterprise roadblock: their security scanner flagged three critical vulnerabilities in the ClickHouse container image. The issue wasn't in ClickHouse itself, but in the base packages. Despite the flaws being irrelevant to their workload, the security team blocked the deployment. This scenario—perfectly functional containers stalled by CVEs in unused dependencies—happens frequently. Below, we explore six key questions about this problem and how Docker Hardened Images (DHI) provide a solution, enabling teams to ship ClickHouse to production without security delays.

1. What exactly happened when the Langfuse team tried to deploy ClickHouse on Kubernetes?

In November 2025, a team self-hosting Langfuse, an open-source LLM observability platform, uploaded their ClickHouse Docker image to AWS ECR as part of production preparation. Their pipeline scanner returned three critical vulnerabilities—not in the ClickHouse software, but in the underlying base image. The security team saw the report and blocked the deployment before it reached production. The team was left frustrated: their application code was secure, but external packages from the base image (which ClickHouse barely uses) caused a halt. They posted on GitHub: “Our security team is not allowing us to take it to production. Please suggest alternatives.” This highlights a common tension in enterprise environments—where scanners flag CVEs that are technically real but practically irrelevant to the application’s runtime behavior.

2. Why do enterprise security teams block container images with CVEs, even if the vulnerabilities are irrelevant?

Enterprise security teams operate under strict compliance policies. Scanners like AWS ECR pipeline scanners or Trivy flag every CVE present in the image layers, regardless of whether the vulnerable package is ever executed. For them, a CVE is a compliance checkbox: if the scanner reports it, it must be addressed. The rationale is that even a low-risk vulnerability could become exploitable if an attacker gains access to the container environment. However, many of these CVEs reside in libraries that ClickHouse never invokes—for example, system utilities or networking tools from the base OS. The security team may accept risk exceptions after investigation, but the delay often costs days of engineering time. This tension between developer agility and security governance is exactly the gap that Docker Hardened Images aims to bridge—by providing images that start with a minimal, patched base.

3. What is Docker Hardened Images (DHI) and how does it solve the CVE-block problem?

Docker Hardened Images (DHI) are pre-built, security-focused container images that remove unnecessary packages and apply security patches proactively. Instead of using a standard Ubuntu or Alpine base with many unused libraries, DHI images strip down to only what the application needs—eliminating thousands of potential CVEs. For ClickHouse, DHI provides a version where the base layer is minimal and hardened: no extra tools, no unreferenced libraries, and all known security fixes applied. This means when the scanner runs, it finds drastically fewer (or zero) CVEs. Security teams see a clean report, no blocking, and the deployment proceeds. DHI transforms the image from “security blocked” to “production-ready” without changing the ClickHouse functionality. It’s a practical, immediate solution for teams facing compliance gatekeepers.

4. How is ClickHouse structured, and why does its default image have security gaps?

ClickHouse is an open-source columnar database designed for analytical workloads at scale—processing billions of rows in milliseconds. Its default Docker image, with over 100 million pulls, prioritizes developer ease-of-use over strict hardening. The image includes a standard operating system layer with many packages (like network tools, compilers, or debuggers) that are not required for ClickHouse to run. These packages introduce CVEs. For example, a vulnerable version of curl or openssl might be present even though ClickHouse handles HTTP via its own internal library. The ClickHouse application itself is secure, but the base image drags in unnecessary risk. To overcome this, Docker Hardened Images rebuild the ClickHouse image from a minimal, patched base, removing all non-essential components. This reduces the attack surface and the CVE count, making it easy for security teams to approve the image for production.

5. How does ClickHouse’s layered architecture affect its security posture?

ClickHouse is built in layers: first, the query layer (receiving SQL over HTTP or TCP), then the optimizer and pipeline executor, followed by the MergeTree storage engine, and finally the storage layer (local disk, S3, HDFS). Each layer interacts with specific libraries and system resources. The default image includes all libraries needed for any option, even if the deployment only uses one storage backend. This “kitchen sink” approach increases the package count. For instance, if you only use S3, you don’t need HDFS libraries. A hardened image can be tailored—removing unused storage drivers, network utilities, and system tools—resulting in fewer CVEs. The ClickHouse process itself remains unchanged; only the surrounding OS packages are minimized. This layered understanding helps teams justify a hardened image: you’re not modifying the database, only cleaning the environment. Docker Hardened Images take advantage of this by offering pre-configured builds that match common deployment patterns (e.g., AWS-only, GCP-only).

6. What practical steps does Docker Hardened Images take to prepare a ClickHouse image for production?

To create a production-ready ClickHouse image with DHI, the process involves:

• Selecting a minimal base: Use a slim distribution like Alpine or a Distroless image as the foundation.
• Removing unnecessary packages: Strip out tools like apt, curl, bash, and any debug utilities not needed at runtime.
• Applying all security patches: Ensure the base OS libraries (e.g., libssl, libcurl) are at the latest patched versions.
• Rebuilding ClickHouse: Install only the ClickHouse binary and its essential runtime dependencies, avoiding bundled extras.
• Scanning the final image: Use a CVE scanner to verify that the image passes security gates before deployment.

The result is a ClickHouse container that runs identically but has a dramatically smaller CVE footprint—often zero critical or high vulnerabilities. For teams stuck in security review cycles, this offers a clear path to production without changing their application code or infrastructure.

— Need to dive deeper into a specific aspect? Use the anchor links above to jump to any question.