Most Container Images You Pull Today Are Already Full of Vulnerabilities
Container image security has quietly stayed stuck on the same problem it had a decade ago. Finding vulnerabilities is trivial — every major scanner returns pages of them from the average image pulled off a public registry. Remediating those findings at scale is where the wheels have kept coming off. Base images carry hundreds of packages nobody uses, upstream fixes lag by months, and platform teams end up rebuilding the same bloated containers over and over rather than solving the underlying supply chain.
John Morello, co-founder and CTO of Minimus and previously CTO at Twistlock, sat down with Alan Shimel to talk through why that pattern has persisted and what it takes to break it. Morello’s read on his Twistlock years is candid — scanning got very good, but remediation never caught up, and the industry ended up living with vulnerability sprawl as a fact of life. Minimus is his second attempt at the harder problem: building hardened, minimal Docker images directly from upstream source rather than shipping the world in every container.
Morello walks Shimel through the pipeline that makes that model work. The build system runs on GCP and GitHub, with AI-assisted tooling handling large chunks of the maintenance work that would otherwise require a full engineering org. The result is images that are dramatically smaller and carry a fraction of the vulnerability counts of standard equivalents. He also draws a sharp line on where AI now sits in the threat landscape — no longer theoretical, actively weaponized for vulnerability discovery, and rapidly closing the window defenders used to have between disclosure and exploitation.
The most uncomfortable part of the conversation is where Morello lands on the current state of the field. Even large, well-known enterprises and government cloud environments are still running outdated, unpatched images at scale — not because they don’t know, but because the remediation cost has been too high to sustain. Cutting that cost is what turns cloud-native security from a perpetual triage exercise into something an organization can actually get in front of, and it is where the next round of pressure on platform and security teams is going to land.


