The latest State of Trusted Open Source report from Chainguard gives details on current industry thinking about vulnerabilities in container images and the long tail of open-source dependencies. The r

InfoQ is a leading online platform for software developers, architects, and technical leaders, providing news, articles, presentations, and interviews on a wide range of topics, including agile practices, DevOps, microservices, and emerging technologies. With a focus on quality content and expert insights, InfoQ helps professionals stay informed about the latest trends, best practices, and industry developments. Developers can learn from real-world experiences, gain  knowledge, and connect with peers in the global software community through InfoQ's diverse and engaging content.

InfoQ

Chainguard's State of Trusted Open Source report reveals that 98% of container vulnerabilities exist in long-tail images outside the top 20 most popular ones. While foundational images like Python, Node, and nginx dominate production usage, the majority of CVEs (10,785 instances) were found in the 1,436 less popular images that comprise over 61% of the average customer's manifest. The report shows Chainguard achieved sub-20-hour remediation times for critical CVEs, significantly faster than industry norms. Compliance requirements drive 44% of customers to use FIPS-compliant images. Multiple studies confirm this pattern, with Docker Hub containers averaging 604 known vulnerabilities and scientific container images averaging 460. The findings emphasize that security risk concentrates in overlooked dependencies rather than popular base images.

Chainguard Finds 98% of Container CVEs Lurking Outside the Top 20 Images