New Approaches in DevOps Strengthen Container Security and Compliance

Recent industry studies have found that a majority of container images deployed to production carry critical security issues. This article describes how minimal, hardened images narrow the exposure created at build time, why the gap between delivery pipelines and compliance checks makes a deliberate container strategy necessary, and how folding compliance into DevOps workflows improves both risk management and regulatory alignment.

Container technology makes software faster to build and ship, but that flexibility comes with growing risk. Industry research, including the Sysdig 2023 Cloud-Native Security and Usage Report, highlights significant software supply chain concerns in cloud-native systems.

Understanding the Growing Importance of Secure Containers

Secure containers include only the elements an application needs to perform its function. Most general-purpose images bundle tool kits, libraries, package managers and similar components; these are frequently the most vulnerable pieces of software in the image, and each one adds a potential avenue of attack. Such bundled images are used because they are cheap and convenient, but an image that carries more software also carries more known Common Vulnerabilities and Exposures (CVEs) for attackers to exploit.

In environments that mix proprietary and open source software, deliberately minimal containers are preferable. With a minimal design the target is harder to hit and adversaries have less to exploit. This container minimalism is a welcome shift, with secure containers increasingly treated as a baseline rather than an afterthought. The components that are not fundamental to the purpose of the container are also the ones that generate most scanner findings, so removing them yields an image that is easier to scan and to reason about.

Correctly constructed, minimal and hardened containers also improve visibility and transparency. Many teams that produce images also publish a Software Bill of Materials (SBOM) and cryptographic build provenance, an attestation of how and from what the image was built. Together with other security and compliance measures, these give a transparent view of what is deployed, help map deployed code to compliance obligations, reduce false positive alerts, and speed up the resolution of the alerts that remain.

How Minimal Images Reduce Vulnerabilities in DevOps

Fewer components in a container image mean fewer opportunities for attack, and recent measurements bear this out. Minimal, hardened images show a large reduction in vulnerability counts, in some cases around 95 per cent, compared with community images that ship full operating system stacks and developer tools (InfoQ 2025).

Fewer vulnerabilities mean less noise in automated scans and less work for security teams. Community images commonly used to build and run applications often carry hundreds of known vulnerabilities by the time they reach production, and reviewing that stream of alerts of varying severity is a major source of noise for engineers. Minimal images contain far fewer vulnerabilities, so the findings that remain are more likely to matter.

Minimal container images also reduce the footholds available to attackers, ransomware operators included, and they help engineers allocate effort. A large image is presumed to hold a high concentration of exposed vulnerabilities, so teams spend time triaging findings in components the application never uses. Once unnecessary components are stripped away, only the vulnerabilities in code that is actually exposed remain, which cuts the work engineers have to do and leaves a leaner delivery pipeline.

Smaller images also speed up deployment pipelines. They need less network bandwidth and less computing power to pull and start. This leads to shorter feedback loops and closer integration with continuous delivery.
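The difference between a bundled image and a minimal, hardened one is easiest to see in the Dockerfile. The following is an added example, not code from the article: two constructed Dockerfiles (a fat single-stage build on a full OS, and a multi-stage build whose runtime stage is a pinned distroless base running as a non-root user) plus a small checker that inspects only the final stage for the properties the text argues for. The base-image allowlist, the registry names and the all-zero digest are placeholders chosen for the example.

```python
"""Dockerfile hardening check: fat image beside a minimal multi-stage image.

Added example, not from the article. Both Dockerfiles are constructed for
illustration; the sha256 digest on the distroless base is a placeholder.
"""
import re

# Constructed "fat" image: full OS, compiler toolchain, pip, runs as root.
FAT_DOCKERFILE = """
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y build-essential curl python3 python3-pip
COPY . /app
WORKDIR /app
RUN pip3 install -r requirements.txt
CMD ["python3", "app.py"]
"""

# Constructed minimal image: build tools exist only in the build stage; the
# runtime stage is a digest-pinned distroless base with no shell or package
# manager, and it switches to the non-root user the base provides.
MINIMAL_DOCKERFILE = """
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM gcr.io/distroless/static-debian12:nonroot@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
"""

# Package-manager invocations that have no place in a runtime stage.
PKG_MANAGERS = re.compile(r"\b(apt-get|apt|apk|yum|dnf|pip3?|npm)\s+(install|add)\b")
# Hypothetical allowlist of runtime base images (an organisational choice).
ALLOWED_BASES = ("gcr.io/distroless/", "cgr.dev/chainguard/")


def final_stage(dockerfile: str) -> list[str]:
    """Return the instruction lines of the last FROM stage (the runtime image)."""
    lines = [l.strip() for l in dockerfile.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    starts = [i for i, l in enumerate(lines) if l.upper().startswith("FROM ")]
    return lines[starts[-1]:] if starts else lines


def check_dockerfile(dockerfile: str) -> list[str]:
    """Return policy findings for the runtime stage; an empty list means it passes."""
    stage = final_stage(dockerfile)
    findings = []
    base = stage[0].split()[1] if stage and stage[0].upper().startswith("FROM ") else ""
    if not base.startswith(ALLOWED_BASES):
        findings.append(f"base image not in allowlist: {base}")
    if "@sha256:" not in base:
        findings.append("base image not pinned by digest")
    user_lines = [l for l in stage if l.upper().startswith("USER ")]
    if not user_lines or user_lines[-1].split()[1].split(":")[0] in ("root", "0"):
        findings.append("runtime stage does not switch to a non-root USER")
    for l in stage:
        if l.upper().startswith("RUN ") and PKG_MANAGERS.search(l):
            findings.append(f"package manager in runtime stage: {l}")
    return findings


if __name__ == "__main__":
    for name, df in (("fat", FAT_DOCKERFILE), ("minimal", MINIMAL_DOCKERFILE)):
        print(name, check_dockerfile(df) or "OK")
```

Only the final stage is checked on purpose: compilers and package managers in a build stage never reach the shipped image, which is exactly why the multi-stage layout keeps the runtime attack surface small.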

Integrating Compliance Into DevOps Workflows

Compliance checks are often tedious and slow down software delivery. They are typically conducted periodically, as an audit or a pre-release gate, and almost always at the end of the delivery cycle. They are more effective, and delivery is more timely, when they run at the start of the cycle: a policy violation is then caught in the early build phases rather than just before release.

Automated gates for noncompliance catch configuration errors or missing artefacts before code reaches testing or production. Compliance checks can be versioned and edited just as application code is, so the rules live alongside the software they govern. Acceptable base images, required SBOMs and allowable vulnerability thresholds are a few of the controls that can stop a build and trigger further tests.

Regulated environments are often viewed as high-risk areas by development and audit teams. Automating compliance improves visibility into how regulatory requirements are met and reduces audit effort. Compliance enforced in the pipeline reduces friction with auditors early on and can even lead to better automated tests.

When policy violations surface in staging or pre-production, teams can fix them before they become ingrained. This avoids major rework and folds risk management into faster delivery cycles.

Best Practices for Protecting Software Supply Chains

Defending container-centric software supply chains takes a few steps. First, start from minimal images to lower the number of vulnerabilities you inherit. Second, automate compliance and vulnerability tracking so that violations are caught inside the delivery pipeline. Third, set clear policies that protect the defined safety margins, and code compliance into the workflows of developers and DevOps engineers.

To limit the consequences of a breach at runtime, apply a least-privilege approach: containers should run with the fewest permissions they need, and processes should not run as root where it can at all be avoided. Combining these runtime restrictions with thorough image auditing minimises both build-time and run-time risk.
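The runtime side of least privilege is mostly configuration. The following added example (not code from the article) shows a constructed Kubernetes Pod manifest with a weak security context beside a hardened one, and a checker for the settings a practitioner would gate on: no privileged containers, non-root execution, no privilege escalation, a read-only root filesystem, all capabilities dropped, a seccomp profile, and no auto-mounted service account token. The pod name and image reference are placeholders; the check mirrors the Kubernetes rule that a container-level securityContext overrides the pod-level one for fields defined at both levels.

```python
"""Least-privilege check for a Kubernetes Pod spec: weak manifest beside a
hardened one. Added example, not from the article; manifests are constructed
(dicts rather than YAML so the example runs stand-alone).
"""

# Constructed weak manifest: privileged, root, writable rootfs, token mounted.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "containers": [{
            "name": "api",
            "image": "registry.example.com/payments/api:1.4.2",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed hardened manifest: same workload with the runtime restrictions
# the text calls for. runAsNonRoot and seccomp are set once at pod level;
# the remaining fields only exist at container level in the Pod API.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 65532,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "api",
            "image": "registry.example.com/payments/api:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def effective(pod_sc: dict, ctr_sc: dict, key: str):
    """Container-level securityContext wins over pod-level for shared fields."""
    return ctr_sc.get(key, pod_sc.get(key))


def check_pod(pod: dict) -> list[str]:
    """Return least-privilege findings; an empty list means the pod passes."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: service account token is auto-mounted")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not enforced")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        profile = effective(pod_sc, sc, "seccompProfile") or {}
        if profile.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile")
    return findings


if __name__ == "__main__":
    print("weak:", check_pod(WEAK_POD))
    print("hardened:", check_pod(HARDENED_POD) or "OK")
```

The checks are written so that an absent field counts as a finding rather than a pass: the Kubernetes defaults for these settings are the permissive ones, so a manifest that says nothing is a manifest that runs with more privilege than it needs.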
