What We Discovered Analyzing the Top 100 Public Container Images

Complexity abounds in modern development
Ayse Kaya
Oct 13, 2021

First reported in VM Blog

Download the full report here (registration required).

Containers are ubiquitous in modern development.

Between 2020 and 2021, the number of all-time pulls on Docker Hub nearly tripled, from 130 billion to 318 billion. That level of growth is astounding, especially when you consider that it took more than six years to achieve the first 130 billion and that some estimates say Docker Hub, while still the most popular container registry, is home to just half of the world's containers.

Containers have become the norm for application development, with the massive developer adoption of cloud native apps and containerized workflows. The result: millions of public image repositories. And with more than eight million public container images on Docker Hub alone, the container landscape continues to get more complex, more specialized, and more difficult to secure.

At Slim.AI—our startup that's focused on developer experience around container best practices—we have container enthusiasts using our various tools every day, scanning containers, optimizing them, and sharing their experience with us.

We thought it would be interesting to find out what's inside the public images that serve as starting points for nearly all modern software development.

So, we looked.

A brief summary of findings:

Finding 1: Bloated Containers Are a Time Sink in CI/CD

Our analysis showed a nearly perfect correlation between container size and scan time. The extra time may seem trivial when shipping a single container to production, but multiplied by the thousands of images used in a typical organization and hundreds of developers shipping images multiple times a day, it means real productivity losses.

A 1GB container takes approximately 6X longer to scan than a 200 MB container.

For a typical development team, this could conservatively mean 160 wasted hours per year.*

Finding 2: Complexity hinders clear understanding, even for experts

Our analysis shows that understanding the composition of both general and special purpose containers requires massive effort. We looked at distributions of packages, licenses and special permissions across all categories expecting large outliers, but even the averages were surprisingly high. It is typical to see hundreds of packages even in small, special purpose containers. And as we explore larger images in more generic categories, these numbers explode.

Finding 3: Attack surface is more than just a vulnerability count

We looked at “attack surface” — not just vulnerabilities found in a container scan, but the combination of known vulnerabilities, their criticality, files in the container with special permissions, and total number of packages (i.e., potential Zero Day vulnerabilities) — and saw a wide spread among categories and containers within categories. To us, this implies a required (and presumably manual) step in the “getting dev containers ready for production” process that many teams may ignore.
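To make the attack-surface definition above concrete, here is an added example (not code from the Slim.AI report or its tooling) that folds the four signals named in Finding 3, plus the package count discussed in Finding 2, into one summary record per image and ranks images by it. The image facts, file mode bits and severity weights are all constructed for illustration; a real pipeline would feed it a scanner's output and a file listing taken from the image.

```python
"""Composite attack-surface summary for container images.

Added example, not code from the Slim.AI report. It combines the signals
Finding 3 names (known vulnerabilities, their criticality, files with
special permission bits, total package count) into one record per image.
All sample data below is constructed; the severity weights are an assumption.
"""
import stat
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed weights: how much each severity contributes to the weighted score.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class ImageFacts:
    name: str
    packages: List[str]            # installed package names
    vulns: List[Tuple[str, str]]   # (package, severity) as a scanner would report
    files: Dict[str, int]          # path -> st_mode bits


def special_permission_files(files: Dict[str, int]) -> List[str]:
    """Paths whose mode has the setuid, setgid or sticky bit set."""
    special = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX
    return sorted(path for path, mode in files.items() if mode & special)


def attack_surface(facts: ImageFacts) -> Dict[str, object]:
    """Summarise one image into the signals the report treats as attack surface."""
    by_severity = Counter(sev for _, sev in facts.vulns)
    weighted = sum(SEVERITY_WEIGHT.get(sev, 0) * n for sev, n in by_severity.items())
    known_vulnerable = {pkg for pkg, _ in facts.vulns}
    return {
        "name": facts.name,
        "package_count": len(facts.packages),
        # Packages with no known CVE today: the report's proxy for zero-day exposure.
        "packages_without_known_vulns": len(set(facts.packages) - known_vulnerable),
        "vuln_count": len(facts.vulns),
        "vulns_by_severity": dict(by_severity),
        "weighted_vuln_score": weighted,
        "special_permission_files": special_permission_files(facts.files),
    }


def rank_by_surface(images: List[ImageFacts]) -> List[str]:
    """Image names from largest to smallest surface (weighted score, then package count)."""
    summaries = [attack_surface(i) for i in images]
    summaries.sort(key=lambda s: (s["weighted_vuln_score"], s["package_count"]), reverse=True)
    return [s["name"] for s in summaries]


# Constructed sample: a general-purpose base image and a slimmed application image.
GENERAL = ImageFacts(
    name="general-base",
    packages=["openssl", "bash", "curl", "libxml2", "sudo"],
    vulns=[("openssl", "critical"), ("curl", "high"),
           ("libxml2", "medium"), ("libxml2", "low")],
    files={
        "/usr/bin/sudo": stat.S_IFREG | stat.S_ISUID | 0o755,
        "/usr/bin/passwd": stat.S_IFREG | stat.S_ISUID | 0o755,
        "/bin/bash": stat.S_IFREG | 0o755,
        "/tmp": stat.S_IFDIR | stat.S_ISVTX | 0o777,
    },
)
SLIM = ImageFacts(
    name="slim-app",
    packages=["openssl", "app"],
    vulns=[("openssl", "critical")],
    files={"/app/server": stat.S_IFREG | 0o755},
)

if __name__ == "__main__":
    for image in (GENERAL, SLIM):
        print(attack_surface(image))
    print("largest surface first:", rank_by_surface([GENERAL, SLIM]))
```

The point of keeping the special-permission list and the count of packages without known vulnerabilities separate from the weighted score is that they move independently of the scanner's findings: an image can report zero CVEs today and still carry setuid binaries and hundreds of packages that nobody has audited, which is exactly the gap a pure vulnerability count hides.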

Want to discuss these findings with fellow container enthusiasts? Join us on Discord at: https://discord.gg/uBttmfyYNB.
