Fbhchile

2026-05-11 20:30:38

5 Critical Steps to Deploy ClickHouse Securely with Docker Hardened Images

A 5-step guide to using Docker Hardened Images to resolve security scanner blocks and deploy ClickHouse securely in production.

In late 2025, a team self-hosting Langfuse on Kubernetes encountered a frustrating roadblock: their ClickHouse container, uploaded to AWS ECR, was flagged with three critical vulnerabilities. Not in ClickHouse itself, but in its underlying base image. Their security team promptly blocked the deployment, halting production readiness. This scenario is all too familiar for enterprises relying on container scanners—a perfectly functional app gets denied because of CVEs in packages it never touches. The solution? Docker Hardened Images (DHI). This guide outlines five key insights to navigate this challenge and get your ClickHouse instance past security gates.

1. The Real Problem: Base Image Vulnerabilities

When scanners analyze container images, they examine every installed package—not just the application. ClickHouse's official Docker image includes a full OS distro (like Ubuntu or Alpine) with hundreds of libraries. Many are unused by ClickHouse but still carry CVEs. Security teams often enforce strict policies: any critical or high vulnerability blocks deployment, regardless of exploitability. This leads to lengthy exception requests and delays. Understanding that the fault lies in the base image, not ClickHouse, is step one. The fix isn't patching ClickHouse; it's choosing a leaner foundation.

[Image: 5 Critical Steps to Deploy ClickHouse Securely with Docker Hardened Images. Source: www.docker.com]

2. Why ClickHouse Images Are Prone to CVEs

ClickHouse is a high-performance columnar database used by Cloudflare, Uber, and Spotify for analytics. Its layered architecture (SQL query optimizer, pipeline executor, MergeTree storage engine, and pluggable storage) is efficient, but the official image packages it with a standard OS for ease of development. That OS brings utilities, compilers, and networking tools that are unnecessary in production. For example, the image may include `curl` or `bash`, which are convenient in development but carry CVEs of their own and give anyone who compromises the container tools to work with. The MergeTree engine stores data in columnar `.bin` files with a sparse primary index; none of that needs a full OS. By trimming the base, you reduce the attack surface significantly.

3. What Docker Hardened Images Actually Do

Docker Hardened Images (DHI) strip away all non-essential components. Built on minimal bases like Distroless or scratch, they contain only the application binary and its runtime dependencies. No shell, no package manager, no extra libraries. For ClickHouse, this means a container with just the `clickhouse-server` binary, configuration files, and essential system libraries. Security scanners report almost zero CVEs because there are almost no packages to scan. DHIs are not just smaller; they are inherently more secure. They also help satisfy strict enterprise policies like PCI-DSS or SOC 2, which demand a minimal attack surface.


4. How DHI Unblocks ClickHouse Deployments

In the Langfuse case, switching from the default ClickHouse image to a hardened version eliminated the critical CVE flags. The security scanner returned a clean bill of health because the base image had no extraneous packages. The deployment proceeded without exceptions or delays. By using DHI, teams avoid the cycle of investigating false positives, writing risk exceptions, and waiting for security approvals. Moreover, hardened images often improve startup times and reduce resource usage—a win-win for both security and performance. For ClickHouse, which benefits from fast query execution, a lean container minimizes overhead.

5. Best Practices for ClickHouse with Hardened Images

To adopt DHI for ClickHouse, first verify whether an official hardened image exists (e.g., clickhouse/clickhouse-server:hardened) or build your own on a minimal base. Use a multi-stage Dockerfile so the final image receives only the binary and its configuration. Test thoroughly: ensure configurations, ports (8123 HTTP, 9000 native TCP), and storage mounts (local disk, S3, HDFS) work. Automate scanning in CI/CD to catch any new vulnerabilities. Finally, track upstream patches: even hardened images need updates, and a pinned base has to be rebuilt when ClickHouse or the base image publishes a fix. By integrating DHI into your pipeline, you maintain security compliance without sacrificing ClickHouse's analytical speed. Implement these practices and watch deployment blocks disappear.
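The multi-stage build described above, as an added example that is not part of the original article and not Docker's own DHI build. It assumes the upstream `clickhouse/clickhouse-server` image ships a statically linked `clickhouse` multi-call binary with its default config under `/etc/clickhouse-server`, and uses `gcr.io/distroless/static-debian12` as the minimal base; the `dirs` stage and the `CLICKHOUSE_VERSION` build argument are this example's own conventions.

```dockerfile
# syntax=docker/dockerfile:1
# CLICKHOUSE_VERSION is a required build argument: pin it to the release you
# have tested, e.g. docker build --build-arg CLICKHOUSE_VERSION=<tag> -t ch-hardened .
ARG CLICKHOUSE_VERSION

# Stage 1: the upstream image is only a source of files; none of its OS
# packages reach the final image, so their CVEs never show up in a scan.
FROM clickhouse/clickhouse-server:${CLICKHOUSE_VERSION} AS upstream

# Stage 2: the final image has no shell, so the writable directories the
# server needs are created here and copied in with the right owner
# (65532 is the distroless "nonroot" uid/gid).
FROM busybox:stable AS dirs
RUN mkdir -p /skel/var/lib/clickhouse /skel/var/log/clickhouse-server \
    && chown -R 65532:65532 /skel

# Stage 3: distroless static base. No package manager, no shell, no OS
# packages to flag; it does ship CA certificates (needed for S3 over TLS)
# and the nonroot user.
FROM gcr.io/distroless/static-debian12:nonroot

# Single statically linked multi-call binary ("clickhouse server", "clickhouse client", ...).
COPY --from=upstream /usr/bin/clickhouse /usr/bin/clickhouse

# Default server config (config.xml, users.xml, config.d/ with the container
# listen_host override). Extend via config.d/ and users.d/ mounts; the
# upstream entrypoint script and its CLICKHOUSE_* env handling are not
# carried over, so users are defined in users.d/ instead.
COPY --from=upstream --chown=65532:65532 /etc/clickhouse-server /etc/clickhouse-server

# Data and log directories, pre-created and owned by the runtime user.
COPY --from=dirs /skel/var /var

# Ports from the article: 8123 HTTP, 9000 native TCP.
EXPOSE 8123 9000
VOLUME ["/var/lib/clickhouse", "/var/log/clickhouse-server"]

# Run unprivileged; there is no shell, so exec form is the only option.
USER 65532:65532
ENTRYPOINT ["/usr/bin/clickhouse", "server", "--config-file=/etc/clickhouse-server/config.xml"]
```

Scan the result with the same scanner that blocked the original deployment before promoting it; any remaining findings then belong to the `clickhouse` binary itself and are fixed by bumping `CLICKHOUSE_VERSION`.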

Conclusion: Docker Hardened Images offer a pragmatic solution to the common security scanner deadlock. By eliminating unnecessary base image packages, they remove CVE noise without compromising ClickHouse's functionality. Teams can deploy faster, satisfy security policies, and focus on analytics. Whether you're running ClickHouse for observability, real-time dashboards, or large-scale log analysis, adopting DHI is a critical step toward production readiness. Start with these five insights and transform your deployment workflow.