The security report for the Solr Operator Docker image on it's ArtifactHub page is not very good. This is due mostly to the fact that the base image contains multiple known vulnerabilities.

The current base image is gcr.io/distroless/base:debug-nonroot, and the vulnerabilities come from the fact that we are using the base image, not because it's a debug image. If we instead use gcr.io/distroless/static:debug-nonroot, these vulnerabilities go away.

The base image isn't the whole story. Some of the GoLang libraries that the Solr Operator depends on contain vulnerabilities as well, however removing those will require an upgrade of Kubernetes versions which we cannot currently do. Solving the base-image is the first, and larger, step.