Minimus maintains and regularly publishes security vulnerability information for MinimOS packages, the building blocks used to create Minimus Images. These security updates are published to the Minimus Advisories Feed and can be consumed by third-party scanners so that they do not report false positives for Minimus Images. Without this integration, a scanner may flag packages that Minimus has determined to be unaffected.

This guide includes two sections:

  • The current page explains what the Minimus Advisories Feed is, where it is published, and in which formats.
  • The Scanning implementation page explains how to integrate scanners with the Minimus Advisories Feed.

About MinimOS packages

A vulnerability advisory is published per origin package, so before we can discuss the Minimus Advisories Feed, we must establish the basics about MinimOS packages.

MinimOS distro

Minimus Images are a collection of private container images hosted by the Minimus registry.
Minimus Images are built from packages produced by the proprietary Minimus enterprise package repository known as MinimOS.

MinimOS is a contemporary, open-source Linux distribution designed specifically to create secure and minimal container images. It doesn’t provide a kernel; instead, it’s a curated set of software packages intended for use on Linux environments. MinimOS packages are directly built and maintained by Minimus and frequently scanned for vulnerabilities.

Packaging format

MinimOS packages follow the APK specification. Each package is distributed as an .apk file, with installations handled by the apk tool or a compatible library.

A list of all installed distribution packages can be found on the filesystem at /lib/apk/db/installed.
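A scanner integration first has to read that installed-package database and recover the origin package name of each entry, because advisories are keyed by origin package. The following is an added example (not Minimus' own code) of a parser for apk's installed database format: records are separated by a blank line and each line is a single-letter key, a colon, and a value (P for name, V for version, A for architecture, o for origin). The sample database text is constructed for illustration.

```python
# Added example, not part of the Minimus documentation: parse the apk
# installed-package database format found at /lib/apk/db/installed.
# SAMPLE_INSTALLED_DB is a constructed sample, not real registry content.

SAMPLE_INSTALLED_DB = """\
C:Q1constructedchecksumvalue=
P:caddy
V:2.8.4-r1
A:x86_64
S:12345
I:67890
T:Fast, multi-platform web server
U:https://caddyserver.com
L:Apache-2.0
o:caddy
m:Minimus <maintainer@example.invalid>
t:1700000000
D:so:libc.so.6
p:cmd:caddy=2.8.4-r1

P:ca-certificates-bundle
V:20240226-r0
A:x86_64
o:ca-certificates
F:etc/ssl
R:cert.pem
"""


def _record_to_package(record):
    """Reduce one raw key/value record to the fields a scanner needs."""
    return {
        "name": record.get("P"),
        "version": record.get("V"),
        "arch": record.get("A"),
        # Advisories are published per origin package; a package with no
        # o: line is its own origin, so fall back to the package name.
        "origin": record.get("o", record.get("P")),
    }


def parse_installed_db(text):
    """Parse apk's installed database into a list of package dicts.

    Records are separated by a blank line; each line is `<key>:<value>`.
    Only the first colon separates key from value, so values containing
    colons (URLs, provides/depends entries) are kept intact. File entries
    (F:/R:) and other keys are carried in the raw record but ignored here.
    """
    packages = []
    current = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                packages.append(_record_to_package(current))
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort the scan
        current[key] = value
    if current:  # last record when the file has no trailing blank line
        packages.append(_record_to_package(current))
    return packages


def installed_origins(text):
    """Return the (origin, version) pairs to look up in the advisories feed."""
    return [(p["origin"], p["version"]) for p in parse_installed_db(text)]


if __name__ == "__main__":
    for origin, version in installed_origins(SAMPLE_INSTALLED_DB):
        print(f"{origin} {version}")
```

In a real integration the text would come from reading /lib/apk/db/installed out of the image filesystem; the lookup key passed to the feed is the origin name, not the subpackage name (ca-certificates-bundle above resolves to ca-certificates).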

About the Minimus Advisories Feed

Minimus maintains and regularly publishes security vulnerability information for MinimOS packages.

MinimOS advisory data

The Minimus security team thoroughly reviews potential vulnerabilities across packages. The findings are compiled as advisory data, which act as the authoritative references for vulnerability assessment.

Advisory data is the foundation for producing various types of downstream data, including security feeds consumed by vulnerability scanners.

Minimus publishes its advisories feed in two formats:

  • SecDB at https://packages.mini.dev/advisories/secdb/security.json
  • OSV at https://packages.mini.dev/advisories/osv/all.json

The feeds are public and can be used to integrate with scanners as explained below.

Update frequency

Both SecDB and OSV feeds are updated promptly, often several times a day, as new vulnerability information becomes available.

SecDB security feed

SecDB is a JSON-formatted file aligned with the same schema used by Alpine Linux’s security feeds.

The MinimOS SecDB feed can be found at:
https://packages.mini.dev/advisories/secdb/security.json.

The SecDB JSON contains several properties, but the most relevant for scanners is the packages array. Each item describes a package with:

  • A name string (the APK origin package name).
  • A secfixes object mapping versions to the list of vulnerabilities fixed in that version.

Below is an example snippet from the MinimOS SecDB. It shows that the caddy package at version 2.8.4-r1 resolves 4 specific vulnerabilities and that version 2.9.0-r0 resolves 2 others:

{
  "apkurl": "{{urlprefix}}/{{reponame}}/{{arch}}/{{pkg.name}}-{{pkg.ver}}.apk",
  "archs": [
    "x86_64",
    "aarch64"
  ],
  "reponame": "os",
  "urlprefix": "https://packages.mini.dev",
  "packages": [
    {
      "pkg": {
        "name": "caddy",
        "secfixes": {
          "2.8.4-r1": [
            "CVE-2024-45337",
            "CVE-2024-53259",
            "GHSA-px8v-pp82-rcvr",
            "GHSA-v778-237x-gjrc"
          ],
          "2.9.0-r0": [
            "CVE-2024-45338",
            "GHSA-w32m-9786-jp63"
          ]
        }
      }
    },
    // ...
  ]
}
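The decision a scanner has to make with this data is: for an installed origin package at a given version, which of the listed advisories are already fixed (the installed version is at or above the fix version) and which are still open. The following is an added example, not Minimus' own code, that makes that decision. SAMPLE_SECDB mirrors the caddy entry shown above; the installed package list is constructed. The version comparator is a simplified reading of apk's version ordering (dotted numbers, optional trailing letter, optional _suffix such as _rc1 or _p1, and the -rN package revision) and is not a full reimplementation of apk's algorithm.

```python
# Added example (not Minimus' own code): classify the advisories in a
# SecDB feed as fixed or unfixed for an installed MinimOS origin package.
import re

# Mirrors the caddy entry shown on this page; reduced to the fields used here.
SAMPLE_SECDB = {
    "packages": [
        {"pkg": {"name": "caddy", "secfixes": {
            "2.8.4-r1": ["CVE-2024-45337", "CVE-2024-53259",
                         "GHSA-px8v-pp82-rcvr", "GHSA-v778-237x-gjrc"],
            "2.9.0-r0": ["CVE-2024-45338", "GHSA-w32m-9786-jp63"],
        }}},
    ]
}

# Pre-release suffixes sort before the bare version, post-release after
# (apk convention; simplified ordering assumed here).
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0,
                "cvs": 1, "svn": 2, "git": 3, "hg": 4, "p": 5}


def parse_apk_version(version):
    """Turn 'X.Y.Z[a][_suffixN][-rN]' into a tuple that orders like apk does."""
    head, sep, tail = version.rpartition("-r")
    base, revision = (head, int(tail)) if sep else (version, 0)
    base, _, suffix = base.partition("_")
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)*)([a-z]?)", base)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    letter = m.group(2)
    s = re.fullmatch(r"([a-z]+)([0-9]*)", suffix) if suffix else None
    if suffix and (s is None or s.group(1) not in _SUFFIX_RANK):
        raise ValueError(f"unsupported version suffix: {version!r}")
    suffix_rank = _SUFFIX_RANK[s.group(1)] if s else 0
    suffix_num = int(s.group(2) or 0) if s else 0
    return (numbers, letter, suffix_rank, suffix_num, revision)


def version_at_least(installed, fix_version):
    """True when the installed version already contains the fix."""
    return parse_apk_version(installed) >= parse_apk_version(fix_version)


def classify_secfixes(installed_version, secfixes):
    """Split a secfixes map into advisories fixed at or below the installed
    version and advisories whose fix version is newer than what is installed."""
    fixed, unfixed = set(), set()
    for fix_version, ids in secfixes.items():
        target = fixed if version_at_least(installed_version, fix_version) else unfixed
        target.update(ids)
    # An ID listed under several versions counts as fixed once any is reached.
    return fixed, unfixed - fixed


def evaluate_image(installed, secdb):
    """installed: iterable of (origin_name, version) pairs.

    Returns {origin: {"fixed": set, "unfixed": set}}. Origins absent from the
    feed map to None so a caller can tell 'no advisory data' apart from
    'nothing fixed' and avoid silently suppressing findings for them.
    """
    by_name = {entry["pkg"]["name"]: entry["pkg"]["secfixes"]
               for entry in secdb["packages"]}
    report = {}
    for origin, version in installed:
        secfixes = by_name.get(origin)
        if secfixes is None:
            report[origin] = None
            continue
        fixed, unfixed = classify_secfixes(version, secfixes)
        report[origin] = {"fixed": fixed, "unfixed": unfixed}
    return report


if __name__ == "__main__":
    # Constructed installed list: origin package name and installed version.
    installed = [("caddy", "2.8.4-r1"), ("zlib", "1.3.1-r0")]
    for origin, result in evaluate_image(installed, SAMPLE_SECDB).items():
        print(origin, result)
```

With caddy at 2.8.4-r1 the four advisories under that version are reported as fixed and the two under 2.9.0-r0 remain open; the same installed list at 2.9.0-r0 reports all six as fixed. Packages the feed does not mention come back as None rather than as an empty fixed set, so the scanner falls back to its own data for them instead of treating them as clean.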

OSV security feed

Minimus also offers an OSV-formatted feed as an alternative. While SecDB is specific to Alpine, OSV is a widely adopted standard that offers richer metadata about vulnerabilities and their impact on artifacts such as APKs. More information on the OSV format is available from the OSV project at https://osv.dev.

The MinimOS OSV feed can be found at:
https://packages.mini.dev/advisories/osv/all.json.

The OSV feed lists IDs of advisories and their modification date, for example:

  {
    "modified": "2025-02-09T14:09:18Z",
    "id": "MINI-xxrx-crr8-74g3"
  },
  {
    "modified": "2025-04-23T06:57:04Z",
    "id": "MINI-xxvv-4c5g-xvr9"
  }

Each MinimOS advisory is also published individually at a stable link of the form https://packages.mini.dev/advisories/osv/{Advisory ID}.json. For example:
https://packages.mini.dev/advisories/osv/MINI-xxrx-crr8-74g3.json.

Testing

To standardize testing, Minimus provides a sample image on Docker Hub.