Describe the bug
I’m trying to build a Docker image using the GitHub Actions runner as the base image. After building it, I scan the image with Twistlock, which identifies several vulnerabilities listed in the “What's not working” section.
The Dockerfile includes the following commands:
FROM ghcr.io/actions/actions-runner:latest
USER runner
To Reproduce
Steps to reproduce the behavior:
1. Use the provided Dockerfile to build the image.
2. Scan the image using Twistlock.
3. Observe the reported vulnerabilities.
Expected behavior
The image should not contain critical or high-severity CVEs.
Runner Version and Platform
2.320.0
OS of the machine running the runner? OSX/Windows/Linux/...
Linux
What's not working?
Several high-severity vulnerabilities are detected. We would like to avoid the presence of critical and high-severity CVEs. Below are the details of these vulnerabilities—please assist in resolving them in a future version:
CVE-2023-42282 - Critical
CVE-2023-50782 - high
CVE-2023-49083 - high
CVE-2022-29217 - high
CVE-2022-25883 - high
CVE-2019-0981 - high
CVE-2019-0980 - high
CVE-2023-0286 - high
Job Log Output
Not necessary.
Runner and Worker's Diagnostic Logs
Not required.