This interview was recorded for GOTO State of the Art in November 2025.
https://gotopia.tech

Read the full transcription of this interview here:
https://gotopia.tech/articles/425

Adrian Mouat - Developer Relations at Chainguard & Author of 'Using Docker'
Charles Humble - Freelance Techie, Podcaster, Editor, Author & Consultant

RESOURCES
Adrian
https://bsky.app/profile/adrianmouat.com
https://twitter.com/adrianmouat
https://github.com/amouat
https://linkedin.com/in/adrianmouat
http://www.adrianmouat.com

Charles
https://bsky.app/profile/charleshumble.bsky.social
https://linkedin.com/in/charleshumble
https://mastodon.social/@charleshumble
https://conissaunce.com

Links
https://images.chainguard.dev
https://www.cisa.gov/sbom
https://www.chainguard.dev/supply-chain-security-101/the-npm-registry-cant-protect-you-the-new-javascript-supply-chain-attacks
https://oxide-and-friends.transistor.fm/episodes/discovering-the-xz-backdoor-with-andres-freund
https://edu.chainguard.dev

DESCRIPTION
In this State of the Art episode, Charles Humble speaks with Adrian Mouat, Developer Relations at Chainguard and author of "Using Docker", about the evolution of container security and the persistent challenge of outdated packages.

Adrian explains how traditional Linux distributions weren't designed for the immutable, frequently-replaced nature of containers, leading to security vulnerabilities that scanners detect but teams struggle to address. He discusses how Chainguard tackles this problem by building everything from source using Wolfi, creating minimal "distroless" images with near-zero CVEs, and how concepts like SBOMs, attestations, and defense in depth are reshaping security practices.

The conversation also covers major security incidents including the XZ Utils backdoor and Shai-hulud attacks, emphasizing the importance of building from source, using short-lived credentials, and replacing rather than updating containers – practices pioneered by companies like Google that are gradually spreading across the industry.

RECOMMENDED BOOKS
Adrian Mouat • Using Docker • https://amzn.to/3PEYIJL
Liz Rice • Container Security • https://amzn.to/3oU4iJe
Liz Rice • Kubernetes Security • https://www.oreilly.com/library/view/kubernetes-security/9781492039075


Bluesky (https://bsky.app/profile/gotocon.com) 
Instagram (https://www.instagram.com/goto_con) 
LinkedIn (https://www.linkedin.com/company/goto-) 
Facebook (https://www.facebook.com/GOTOConferences) 

CHANNEL MEMBERSHIP BONUS
Join this channel to get early access to videos & other perks:
https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/join

Looking for a unique learning experience?
Attend the next GOTO conference near you! Get your ticket: gotopia.tech (https://gotopia.tech) 

SUBSCRIBE TO OUR YOUTUBE CHANNEL (https://www.youtube.com/user/GotoConferences/?sub_confirmation=1)  - new videos posted daily!

GOTO's resource offers insights, tutorials, and resources for software developers, architects, and technology leaders. Readers can learn about emerging technologies, industry trends, and best practices for software development. With articles, talks, and workshops, GOTO provides  guidance and expertise for staying ahead in the ever-evolving world of technology.

GOTO Conferences

A podcast conversation between Charles Humble and Adrian Mouat (DevRel at Chainguard) covering the current state of container security. Topics include why base images accumulate CVEs, how vulnerability scanners work and their signal-to-noise problem, the origins of Google's distroless project and how Chainguard extended it with Wolfi (a custom Linux distribution built from source), the role and current limitations of SBOMs and attestations, and practical security recommendations such as image immutability, signing with Sigstore, running non-root, minimizing image size to reduce attack surface, and using short-lived credentials. The discussion also covers real-world supply chain attacks including the Shyalad npm worm and the XZ Utils backdoor, and how building from source rather than consuming tarballs or published packages mitigates certain supply chain risks.

State of the Art of Container Security • Adrian Mouat & Charles Humble