The New Stack is a publication covering trends and technologies in cloud-native development, DevOps, and software delivery. Developers can learn about containerization, Kubernetes, and cloud computing, as well as explore topics such as microservices architecture, serverless computing, and continuous integration/continuous delivery (CI/CD) pipelines.

The New Stack

Container image vendors pursuing zero-CVE images face structural challenges with traditional Linux distributions. Chainguard rebuilds containers directly from source when upstream changes occur, while Docker's Hardened Images rely on Debian/Alpine upstreams. The debate centers on whether Debian's "no-DSA" triage decisions—which defer non-critical fixes—should suppress CVEs in scanner output via VEX documents. Three specific glibc and ncurses CVEs remain unpatched in Debian-based images despite upstream fixes being available. Beyond vendor approaches, the CVE system itself faces criticism: vulnerabilities lack deployment context, and up to a third may be invalid or gaming-motivated. Zero-CVE counts help but don't guarantee complete safety without proper threat modeling and contextual risk assessment.

The hunt for truly zero-CVE container images