2026-05-02

Overcoming Container Security Scans: Deploying ClickHouse with Docker Hardened Images

Learn how Docker Hardened Images help deploy ClickHouse in enterprise environments by eliminating false-positive CVEs from base images, without sacrificing performance.

The Security Block That Stops Deployments

In late 2025, a team preparing to run Langfuse—an open-source LLM observability platform—on Kubernetes uploaded their ClickHouse image to Amazon ECR. The pipeline scanner flagged three critical vulnerabilities. None were in ClickHouse itself; they were in the underlying base image. The security team promptly blocked the image from reaching production, citing the CVEs as unacceptable risks.

Source: www.docker.com

This scenario is all too common in enterprise environments. A container that functions perfectly gets held back not because the application is broken, but because a scanner discovered CVEs in packages the application never even uses. Teams then spend hours investigating the findings, drafting risk exceptions, and arguing with security—only to be rejected because the vulnerabilities are technically real, even if irrelevant to the workload.

This article explains how Docker Hardened Images (DHI) can break that cycle. We'll focus on ClickHouse, one of the most popular database containers on Docker Hub, and show how a hardened image can satisfy security scanners without compromising performance.

A Closer Look at ClickHouse

ClickHouse is an open-source columnar database built for analytical workloads at scale. It can query billions of rows and return results in milliseconds, far faster than traditional row-oriented databases on such workloads. Major companies like Cloudflare, Uber, and Spotify rely on ClickHouse in production. With over 100 million pulls from Docker Hub, it has become the default choice for teams needing high-throughput analytics.

However, the default ClickHouse Docker image prioritizes developer ease-of-use over enterprise security. It includes many packages that are unnecessary for the database's core function, creating a large attack surface and triggering false positives in security scans.

How ClickHouse Is Structured

To understand why the base image matters, let's quickly review the ClickHouse architecture. SQL queries arrive over HTTP (port 8123) or TCP (port 9000). Each query is parsed into an abstract syntax tree, the optimizer prunes it, and the resulting plan is handed to the pipeline executor, which distributes tasks across parallel threads. The heart of ClickHouse is the MergeTree storage engine, which stores data in columnar .bin files. It uses a sparse primary index to skip irrelevant granules, and background merge processes compact parts to maintain query performance. Storage is pluggable—local disk, S3, HDFS—but the core engine remains the same.

None of these components depend on the extra packages found in the default base image. This is why Docker Hardened Images can remove those packages without impacting ClickHouse's functionality.

What Are Docker Hardened Images?

Docker Hardened Images are container images that have been stripped of unnecessary components: unused libraries, utilities, shell access, and package managers. They apply principles like minimalism, reduced attack surface, and adherence to CIS benchmarks. For ClickHouse, a hardened image typically starts from a minimal base (like Alpine or a distroless image) and includes only the binaries and dependencies required to run the database.

By removing extraneous packages, hardened images eliminate most non-application CVEs that trigger security scanners. The team that got blocked in the opening example could have avoided the headache entirely by using a ClickHouse DHI.


Benefits of Using ClickHouse Hardened Images

  • Fewer false positives: With fewer packages, scanners report far fewer CVEs. Many teams report zero critical vulnerabilities after migration.
  • Smaller image size: Hardened images can be 80–90% smaller than the default, reducing storage and transfer costs.
  • Faster deployment: Smaller images pull and start faster, especially in Kubernetes environments.
  • Compliance ready: Satisfies enterprise security requirements without requiring long exception processes.

How to Get ClickHouse Hardened Images

Several options exist. The ClickHouse project itself may offer hardened variants, or you can build your own using a Dockerfile that starts from a minimal base and copies in the ClickHouse binaries. Alternatively, third-party vendors (like the ones behind DHI) provide pre-built hardened images that are regularly scanned and updated.

When building your own, ensure you:

  1. Start with a minimal base image (e.g., alpine:3.19 or gcr.io/distroless/static).
  2. Install only the exact ClickHouse version and its direct dependencies.
  3. Remove package managers, shells, and any development tools.
  4. Scan the resulting image with your enterprise scanner before deployment.
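The four steps above as a multi-stage Dockerfile, added here as an illustration (it is not the article's or Docker's own DHI build): the binary and configuration are taken from the official `clickhouse/clickhouse-server` image and copied onto a distroless base that ships neither a shell nor a package manager. It assumes the official ClickHouse binary is statically linked (verify with `ldd` on the pinned tag) and that the paths below match that tag; the placeholder tag and UID are assumptions you should replace.

```dockerfile
# Stage 1: source of the ClickHouse binary and its default configuration.
# Step 2: pin an exact version in practice; "latest" is a placeholder only.
FROM clickhouse/clickhouse-server:latest AS source

# Stage 2: minimal runtime (step 1). gcr.io/distroless/static contains no
# shell, no package manager and no development tools, so step 3 is satisfied
# by construction rather than by deleting packages afterwards.
FROM gcr.io/distroless/static:nonroot

# ClickHouse ships as one multi-call binary; "clickhouse server" is the
# server entry point, so no symlinks or helper scripts are needed.
COPY --from=source /usr/bin/clickhouse /usr/bin/clickhouse

# Default server configuration, including the config.d/ overrides the
# official image uses to listen on all interfaces inside a container.
COPY --from=source --chown=65532:65532 /etc/clickhouse-server /etc/clickhouse-server

# Data and log directories must exist and be writable by the runtime user
# (distroless "nonroot" is UID 65532); copying the empty directories from the
# official image creates them, since there is no shell to run mkdir.
COPY --from=source --chown=65532:65532 /var/lib/clickhouse /var/lib/clickhouse
COPY --from=source --chown=65532:65532 /var/log/clickhouse-server /var/log/clickhouse-server

USER 65532:65532
VOLUME ["/var/lib/clickhouse"]
# HTTP and native TCP interfaces described in the architecture section.
EXPOSE 8123 9000

ENTRYPOINT ["/usr/bin/clickhouse", "server", "--config-file=/etc/clickhouse-server/config.xml"]
```

Step 4 is then a scan of the built tag with your enterprise scanner (for example `docker scout cves <tag>` or `trivy image <tag>`); any finding that remains should be attributable to ClickHouse itself rather than to an unused OS package.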

Real-World Impact

The team from the GitHub issue (#286, November 2025) could have avoided the blockage by adopting a hardened image. Instead of spending days on risk assessments, they could have pushed a DHI to their registry and passed the security scan immediately. This is the reality for many enterprises: the gap between developer-friendly images and security-ready images is bridged by hardening.

Conclusion

ClickHouse is a powerful analytical database, but its default Docker image often fails enterprise security gates due to unnecessary packages. Docker Hardened Images solve this by stripping away everything that isn't needed, leaving only the components that matter. When your security team blocks a deployment because of CVEs in the base image, the answer isn't to argue—it's to switch to a hardened image that aligns with both performance and security requirements.