Fbhchile

2026-05-11 10:22:17

Securing ClickHouse Deployments: Why Hardened Images Are Your Production Safety Net

When a Langfuse team's ClickHouse deployment was blocked by base image CVEs, Docker Hardened Images (DHI) provided the fix. Explore ClickHouse architecture and how hardened images eliminate false positives.

The Real-World Problem: Security Scanners Blocking Deployments

In November 2025, a team self-hosting Langfuse, an open-source LLM observability platform, on Kubernetes pushed their ClickHouse image to AWS ECR as part of production preparation. The pipeline scanner flagged three critical vulnerabilities—not in ClickHouse itself, but in the underlying base image. The security team immediately blocked the deployment, citing valid CVEs even though they were irrelevant to the workload. This scenario is all too common in enterprise environments: a perfectly functional container is held up because of packages the application never touches, leading to hours of investigation, risk exceptions, and frustration.

Securing ClickHouse Deployments: Why Hardened Images Are Your Production Safety Net
Source: www.docker.com

This article delves into how Docker Hardened Images (DHI) can break this cycle. We'll focus on ClickHouse, one of the most widely pulled database images on Docker Hub, and explain how a hardened base image prevents such blockers from derailing production readiness.

Understanding ClickHouse's Architecture

ClickHouse is an open-source columnar database built for analytical workloads at scale. It excels at querying billions of rows and returning results in milliseconds—something traditional row-oriented databases struggle to match. Companies like Cloudflare, Uber, and Spotify run ClickHouse in production, and with over 100 million Docker pulls, it's the default choice for teams needing serious analytics throughput. However, its default security posture prioritizes developer ease-of-use over the hardening required by enterprise production environments. That gap is where trouble begins.

Layered Design for Speed

ClickHouse follows a layered architecture designed for analytical performance. SQL queries arrive over HTTP (port 8123) or TCP (port 9000), then pass through the optimizer, which parses them into an abstract syntax tree (AST) and prunes unnecessary parts. The pipeline executor then picks up the optimized plan and distributes work across parallel threads.

The MergeTree Engine at the Core

Beneath the query layer lies the MergeTree storage engine—the heart of ClickHouse. It stores data in columnar .bin files and uses a sparse primary index to skip irrelevant granules without reading entire columns. Background merge processes compact parts over time, maintaining query performance. At the bottom, storage is pluggable, supporting local disk, S3, HDFS, and more.
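To make the granule-skipping idea concrete, here is a small model of a sparse primary index over sorted data. It is an added illustration, not ClickHouse's own code: the granule size of 8192 rows is ClickHouse's default `index_granularity`, while the table contents, the function names and the overlap check are assumptions made for this example. It shows how a range query on the primary key touches only the granules whose mark range overlaps the query, rather than scanning every row.

```python
"""Sparse primary index over sorted, granule-organised data.

Added example, not ClickHouse source code: a small model of how a
MergeTree-style sparse index lets a range query skip granules without
reading every row. 8192 rows per granule is ClickHouse's default
index_granularity; the table data and function names are constructed.
"""
from bisect import bisect_left, bisect_right
from typing import List, Tuple

INDEX_GRANULARITY = 8192  # ClickHouse default rows per granule


def build_marks(sorted_keys: List[int], granularity: int = INDEX_GRANULARITY) -> List[int]:
    """One mark per granule: the primary-key value of the granule's first row.

    A trailing mark holding the last key closes the final granule, so that
    granule i always covers keys in [marks[i], marks[i + 1]].
    """
    if not sorted_keys:
        return []
    marks = [sorted_keys[i] for i in range(0, len(sorted_keys), granularity)]
    marks.append(sorted_keys[-1])
    return marks


def granules_for_range(marks: List[int], low: int, high: int) -> List[int]:
    """Indices of granules that may contain keys in [low, high].

    Data is sorted by primary key, so the check is conservative: granule i
    is read when its key range overlaps the query range, i.e.
    marks[i] <= high and marks[i + 1] >= low. A key sitting exactly on a
    mark therefore selects both neighbouring granules.
    """
    if len(marks) < 2 or low > high:
        return []
    n_granules = len(marks) - 1
    # First granule whose closing mark (marks[i + 1]) is >= low
    first = bisect_left(marks, low, 1, len(marks)) - 1
    # Last granule whose opening mark (marks[i]) is <= high
    last = bisect_right(marks, high, 0, n_granules) - 1
    return list(range(first, last + 1)) if first <= last else []


def range_query(sorted_keys: List[int], marks: List[int], low: int, high: int,
                granularity: int = INDEX_GRANULARITY) -> Tuple[List[int], int]:
    """Read only the selected granules, filter rows, report how many were read."""
    selected = granules_for_range(marks, low, high)
    hits: List[int] = []
    for g in selected:
        start = g * granularity
        block = sorted_keys[start:start + granularity]  # one granule's column chunk
        hits.extend(k for k in block if low <= k <= high)
    return hits, len(selected)


def demo_table() -> List[int]:
    """Constructed table: 100,000 rows with a sorted integer primary key."""
    return list(range(0, 1_000_000, 10))


if __name__ == "__main__":
    keys = demo_table()
    marks = build_marks(keys)
    rows, read = range_query(keys, marks, 200_000, 200_500)
    print(f"{len(marks) - 1} granules in table, {read} read, {len(rows)} rows matched")
```

With 100,000 rows the table has 13 granules; a 500-key range in the middle of the key space touches one of them, and a range entirely above the last key touches none. Real ClickHouse also keeps per-column mark files and adaptive granularity, which this model leaves out.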


How Docker Hardened Images Resolve the Issue

Docker Hardened Images (DHI) address the root cause of such security blocks: unnecessary packages in the base image that introduce CVEs. DHI strips away components not needed for ClickHouse, like non-essential libraries, package managers, and shell utilities. This minimal attack surface means fewer false positives from scanners, and critical updates are applied in advance. The result is an image that passes security scans without requiring risk exceptions or manual approvals.

For teams using ClickHouse in production, switching to a hardened image eliminates a common pain point. Instead of investigating irrelevant CVEs, engineers can focus on what matters: performance tuning, scaling, and feature development. The Langfuse team could have moved to production immediately if they had started with a hardened base.

Practical Implementation Steps

  1. Identify the official ClickHouse hardened image from a trusted provider (e.g., Docker's DHI registry).
  2. Update your Kubernetes manifests to reference the hardened image instead of the standard one.
  3. Re-run your security pipeline; the number of CVEs should drop significantly.
  4. If any remain, they are likely true positives relevant to your workload and can be addressed.
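The following script illustrates the mechanism behind the steps above and behind the earlier point that hardening removes packages rather than hiding findings: a scanner finding applies to an image only if the affected package is actually in that image's package list (SBOM). It is an added example, not Docker's, Langfuse's or any scanner's tooling; the package lists, the CVE identifiers (deliberately non-real placeholders) and the blocking policy are all constructed for the illustration.

```python
"""Triage container-scan findings against the packages an image really ships.

Added example, not part of the article or of any vendor tool. It models
why a hardened image yields fewer findings: each finding belongs to a
package, and a finding only applies to an image whose SBOM lists that
package. CVE identifiers and package lists are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Policy assumed for the example: critical/high findings block a deploy.
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    cve: str       # placeholder identifier, not a real CVE
    package: str   # package the scanner attributes the finding to
    severity: str  # critical / high / medium / low


# Constructed: what a scanner reported against the standard image.
SCAN_FINDINGS = [
    Finding("CVE-0000-00001", "apt", "critical"),
    Finding("CVE-0000-00002", "bash", "critical"),
    Finding("CVE-0000-00003", "curl", "critical"),
    Finding("CVE-0000-00004", "libssl", "medium"),
    Finding("CVE-0000-00005", "libc", "low"),
]

# Constructed SBOMs (package names only) for the two image variants.
STANDARD_IMAGE_PACKAGES: Set[str] = {
    "clickhouse-server", "libc", "libssl", "apt", "bash", "curl", "perl",
}
HARDENED_IMAGE_PACKAGES: Set[str] = {"clickhouse-server", "libc", "libssl"}


def applicable_findings(findings: Iterable[Finding], packages: Set[str]) -> List[Finding]:
    """Keep only findings whose package is present in the image."""
    return [f for f in findings if f.package in packages]


def triage(findings: Iterable[Finding], standard_pkgs: Set[str],
           hardened_pkgs: Set[str]) -> Dict[str, List[Finding]]:
    """Split standard-image findings into those hardening removes and those that stay.

    'remaining' findings sit in packages the workload still ships, so they
    are the ones worth investigating after the image swap.
    """
    on_standard = applicable_findings(findings, standard_pkgs)
    remaining = applicable_findings(on_standard, hardened_pkgs)
    eliminated = [f for f in on_standard if f not in remaining]
    return {"eliminated": eliminated, "remaining": remaining}


def pipeline_blocks(findings: Iterable[Finding]) -> bool:
    """Gate as the security team did: any critical/high finding blocks the deploy."""
    return any(f.severity in BLOCKING_SEVERITIES for f in findings)


def summarize(result: Dict[str, List[Finding]]) -> str:
    lines = [f"eliminated by hardening: {len(result['eliminated'])}",
             f"remaining to review:     {len(result['remaining'])}"]
    lines += [f"  - {f.cve} ({f.package}, {f.severity})" for f in result["remaining"]]
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(SCAN_FINDINGS, STANDARD_IMAGE_PACKAGES, HARDENED_IMAGE_PACKAGES)
    print(summarize(result))
    print("standard image blocked:", pipeline_blocks(applicable_findings(SCAN_FINDINGS, STANDARD_IMAGE_PACKAGES)))
    print("hardened image blocked:", pipeline_blocks(result["remaining"]))
```

In this constructed run the three critical findings all live in tooling the hardened image does not carry (package manager, shell, HTTP client), so they disappear from the scan rather than needing a risk exception, while the two findings in packages ClickHouse genuinely depends on remain visible for review. Had one of those remaining findings been critical or high, the gate would still block, which is the intended outcome for a true positive.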

Conclusion

Security scanners are essential for production deployments, but they can create unnecessary friction when base image vulnerabilities aren't relevant. Docker Hardened Images provide an elegant solution by eliminating the cruft that triggers false positives. For ClickHouse users, adopting a hardened image is a straightforward way to move from "security blocked" to production ready—without compromising safety or speed.