[Feature Request]: Remediate 100+ vulnerabilities in air-gapped docs image

[pathoge]

Prerequisites

• I have searched existing issues to ensure this feature hasn't already been requested
• I have tested using the latest version of docs-builder

What problem are you trying to solve?

Customers of Elastic may request a built docs image for them to run on their own air-gapped networks. This is mostly common in public sector highly sensitive environments where customers may not have access to the Internet and so having the docs on their own network allows users a much better experience.

These customers also have highly regulated security controls. Currently the docs-private/air_gapped image contains over 100 vulnerabilities and is causing at least one large customer to fail a security scan.

Elastic has done a great job of lowering the number of vulnerabilities in Docker images in recent months. It would be great to extend this security posture effort to the air-gapped docs image as well.

Proposed Solution

Remediate all vulnerabilities in the air-gapped docs image.

Examples and Research

Alternative Solutions

No response

Additional Context

No response

How important is this feature to you?

Critical

[reakaleek]

@pathoge Thank you for the issue.

So, if I understand this correctly, you need this for the existing air gapped docs image?

But you don't need it for the new docs system hosted on https://www.elastic.co/docs?

[pathoge]

@reakaleek Correct, this is regarding the existing air-gapped docs image. If there are plans to deprecate that and only maintain the new system at some point, then we would want it for the new system as well eventually. (I'm not privy to the plans for the old vs. new)

[Mpdreamz]

This repository is only for the new docs 😄 the old docs are in maintenance mode.

I have done some work on the old docs to update all dependencies (and the image itself) here: elastic/docs#3102 however it will be sometime before I can come back to that.

For the new docs all our images are distroless and only contain our tooling as native code. We will use this ticket to publish an airgapped docker image of the new docs.

[reakaleek]

Sorry, I told @pathoge to create the issue here. I actually thought it's for the new system.

But creating one for the new system might not fulfill the use case if the customer is still on 8.x or lower.

[pathoge]

In the short term until the new docs system has an air-gapped release mechanism, would it be reasonable to finish the work started in elastic/docs#3102 to update the base image and other packages in order to harden the old docs version? We have several large government and enterprise customers who use the air-gapped release docs and one in particular is completely down right now due to failing a vulnerability scan. They had to shut the docs down. These users don't always have unfettered internet access so the air-gapped docs are a lifesaver for developer and users/analysts. Please feel free to ping me in Slack and I can provide account information, Salesforce links, or anything else for justification.