Your Container Images Are a Liability: The Supply Chain Debt Nobody Is Paying Down
COSCUP 2026
Abstract
Every container you deploy carries debt you didn't write. The average base image ships with 200-400 packages your application never calls, each one a potential CVE, each one expanding the blast radius of a breach. Teams run Trivy or Grype, get a wall of 400 alerts, patch the criticals, suppress the rest, and ship. The scan-patch-suppress cycle creates an illusion of security hygiene while the actual attack surface stays enormous.

The good news: the ecosystem is finally pushing back. Google's distroless project has been around for years, Chainguard built a business on minimal images, and Docker Hardened Images went fully open source under Apache 2.0 in late 2025, putting 1,000+ minimal, SBOM-signed images one pull away from every developer. Yet most teams still default to node:latest.

This talk dissects why container supply chain debt accumulates and what a different default looks like. Through live audits comparing standard, slim, distroless, and hardened base images for the same application, we'll examine size, CVE counts, and actual runtime dependencies. You'll leave with practical patterns: multi-stage builds done right, automated base image rebuild pipelines, and policy-as-code for image provenance, so minimal becomes the default without slowing teams down.
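As an added illustration of the "multi-stage builds done right" pattern the abstract names (this is example code written for this page, not material from the talk or from the distroless or Docker Hardened Images projects), the Dockerfile below puts the single-stage node:latest default beside a two-stage build whose runtime layer is a distroless image. It assumes a Node.js application with a package.json, a package-lock.json and a server.js entrypoint, and it uses the public tags node:22-slim and gcr.io/distroless/nodejs22-debian12.

```dockerfile
# Added example: the default the abstract warns about versus a minimal multi-stage build.
# Assumptions: a Node.js app with package.json, package-lock.json and server.js;
# public image tags node:22-slim and gcr.io/distroless/nodejs22-debian12.

# --- The default: one stage, a full OS image, and the whole build toolchain shipped to prod.
# FROM node:latest
# WORKDIR /app
# COPY . .
# RUN npm install
# CMD ["node", "server.js"]

# --- Build stage: has the package manager and compilers, but nothing from it is deployed.
FROM node:22-slim AS build
WORKDIR /app
# Copy the manifests first so the dependency layer is cached independently of source edits.
COPY package.json package-lock.json ./
# Reproducible install pinned to the lockfile; dev tooling never enters the image.
RUN npm ci --omit=dev
COPY . .

# --- Runtime stage: distroless carries the Node runtime only, with no shell or package manager,
# so a foothold in the container finds no apt, no sh and no build tools to live off.
FROM gcr.io/distroless/nodejs22-debian12
WORKDIR /app
# Copy only the files the application needs at runtime; the builder's OS layer stays behind.
COPY --from=build /app/node_modules ./node_modules
COPY --from=build /app/server.js ./server.js
# Drop to the unprivileged user that the distroless images define.
USER nonroot
# The distroless nodejs images set the node binary as ENTRYPOINT, so CMD is just the script.
CMD ["server.js"]
```

Build it with `docker build -t app:distroless .`, then repeat the same audit the talk describes: `docker image ls app:distroless` for size and `trivy image app:distroless` for the CVE count, against the same application built from the commented-out single-stage version. Add a `.dockerignore` that excludes `node_modules` and `.git` so `COPY . .` in the build stage does not pull host artifacts into the dependency layer.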
More Talks
- YAML is the New Dockerfile: Building AI Agent Systems with Docker cagent (Conference, COSCUP 2026 · Taipei, Taiwan)
- Squeezing Every Millisecond: A Practical Guide to Optimizing Time To First Token with OSS Muscle (Conference, Open Source Summit Korea 2026 · Seoul, South Korea)
- Open Source is Not the Same Anymore (Conference, Open Source India 2026 · Mumbai, India)
- Accelerating CI Pipelines: Rapid Kubernetes Testing with vCluster (Conference, FOSDEM 2025 · Brussels, Belgium)