Most Container Images You Pull Today Are Already Full of Vulnerabilities

Container image security has quietly stayed stuck on the same problem it had a decade ago. Finding vulnerabilities is trivial — every major scanner returns pages of them from the average image pulled off a public registry. Remediating those findings at scale is where the wheels have kept coming off. Base images carry hundreds of packages nobody uses, upstream fixes lag by months, and platform teams end up rebuilding the same bloated containers over and over rather than solving the underlying supply chain.

John Morello, co-founder and CTO of Minimus and previously CTO at Twistlock, sat down with Alan Shimel to talk through why that pattern has persisted and what it takes to break it. Morello’s read on his Twistlock years is candid — scanning got very good, but remediation never caught up, and the industry ended up living with vulnerability sprawl as a fact of life. Minimus is his second attempt at the harder problem: building hardened, minimal Docker images directly from upstream source rather than shipping the world in every container.

Morello walks Shimel through the pipeline that makes that model work. The build system runs on GCP and GitHub, with AI-assisted tooling handling large chunks of the maintenance work that would otherwise require a full engineering org. The result is images that are dramatically smaller and carry a fraction of the vulnerability counts of standard equivalents. He also draws a sharp line on where AI now sits in the threat landscape — no longer theoretical, actively weaponized for vulnerability discovery, and rapidly closing the window defenders used to have between disclosure and exploitation.

The most uncomfortable part of the conversation is where Morello lands on the current state of the field. Even large, well-known enterprises and government cloud environments are still running outdated, unpatched images at scale — not because they don’t know, but because the remediation cost has been too high to sustain. Cutting that cost is what turns cloud-native security from a perpetual triage exercise into something an organization can actually get in front of, and it is where the next round of pressure on platform and security teams is going to land.

Alan Shimel

Alan Shimel is founder, CEO and editor-in-chief of Techstrong Group, a Futurum company, and a member of Futurum's executive leadership team. A technology entrepreneur, media executive and industry commentator, Shimel has spent more than three decades building businesses, communities and media platforms serving enterprise technology professionals, including co-founding StillSecure, a network security company, and the DevOps Institute, a DevOps certification and training body. At Techstrong, he leads a portfolio of media brands including DevOps.com, Security Boulevard, Cloud Native Now, Techstrong AI, Techstrong IT, Digital CxO, Platform Engineering, Techstrong Semi and Techstrong TV, along with a growing portfolio of events, educational programs and digital communities. With more than 25 years of experience in cybersecurity, Shimel is a familiar voice in the space and was an early advocate of the DevOps movement, helping bring DevOps practices into mainstream enterprise technology. His work today spans cybersecurity, DevOps, cloud-native technologies, artificial intelligence, semiconductors and digital transformation, and he hosts popular programs including Techstrong Gang, Shimmy Says and Still Cyber, After All These Years. He holds a Bachelor of Arts in Government and Politics from St. John's University and a Juris Doctor from New York Law School.

Alan Shimel has 116 posts and counting. See all posts by Alan Shimel