OpenEMR 8.2 on OpenShift: Zero CVEs, One Command
Healthcare IT has a dirty secret: the software that runs your doctor’s office is often the least secure software in the building.
Electronic medical records systems are frequently deployed on aging servers, patched irregularly, and shipped in container images that light up a vulnerability scanner like a Christmas tree. For an industry governed by HIPAA, that’s not a technical debt problem — it’s a patient trust problem.
That’s the villain. Here’s the hero.
OpenEMR 8.2, containerized, clean
I’ve just updated my openemr-on-openshift project to OpenEMR 8.2, and the container image scans completely clean — 240 packages, zero CVEs — in Quay.io’s Clair security scanner.
Not “zero criticals.” Not “nothing exploitable.” Zero findings across every OS package in the image.
That’s rare for any application image. For a full EMR stack — PHP 8.5, web server, healthcare integration libraries and all — it’s practically unheard of.
How the image stays clean
Three things make this possible:
1. A minimal, current base. The image is built on CentOS Stream 10 with PHP 8.5 — a current foundation, not a years-old snapshot. Most image CVEs don’t come from the application; they come from the OS packages underneath it. Start current, stay current.
2. Continuous rebuilds, not one-time builds. The image on Quay.io is rebuilt as upstream fixes land, so a clean scan today doesn’t decay into a vulnerable image six months from now. Every tag — 8.0 through 8.2 — carries a passing scan.
3. OpenShift’s security posture by default. The deployment runs as a non-root, arbitrary UID under OpenShift’s restricted Security Context Constraints. No privileged containers, no root filesystem writes outside designated volumes, TLS-terminated routes out of the box. The platform enforces what policy documents can only request.
Deploying it
The whole stack — OpenEMR 8.2, MariaDB 11.8, and Redis — deploys with a single script:
git clone https://github.com/ryannix123/openemr-on-openshift.git
cd openemr-on-openshift
./deploy-openemr.sh
It auto-detects your cluster’s default storage class, generates credentials, and works identically on the free Developer Sandbox, Single Node OpenShift, or a full production cluster. Five minutes later you have a running EMR with persistent storage and an HTTPS route.
What a clean image scan does — and doesn’t — cover
Honesty matters here, so let’s be precise about the claim.
Registry scanners like Clair inspect the packages in the image: the operating system, language runtimes, and system libraries. They do not audit OpenEMR’s own PHP codebase or its bundled Composer dependencies. Application-level vulnerabilities in OpenEMR itself are disclosed and patched by the OpenEMR project on its own cadence — that’s a separate layer of your security program, covered by tracking upstream security releases and updating promptly.
The good news: this architecture makes that easy. Because the application is delivered as an immutable container image, adopting an OpenEMR security release isn’t a patch window on a pet server — it’s a rebuild and a rolling deployment. The same pipeline that keeps the OS layer at zero CVEs keeps the application layer current.
Image scanning tells you your foundation is clean. Upstream tracking keeps the house on top of it sound. You need both, and this project is built for both.
Why this matters
If you’re evaluating open-source EMR options — for a clinic, a research project, or a lab environment — the security of the supply chain matters as much as the feature list. A zero-CVE image means your vulnerability management program starts at zero findings instead of starting with an exception request.
And if you’re running OpenShift, it means an EMR deployment that passes your image-scanning admission policies on day one, with no waivers.
Clean foundation. One command. Enterprise platform.
The code, the image, and the deployment script are all public:
- GitHub: github.com/ryannix123/openemr-on-openshift
- Quay.io: quay.io/repository/ryan_nix/openemr-openshift
I work for Red Hat and this is a personal open-source deployment project.

