2022 Public Container Report

Vulnerabilities continue to increase and developers are struggling to keep up.
Ayse Kaya
Oct 25, 2022

This time last year, we dissected the top 100 public containers on Docker Hub and published our inaugural public container report. We were surprised to find that even the most commonly used public containers, which have been pulled from Docker Hub more than five, six, seven billion times, have large numbers of vulnerabilities.

As 2022 has suddenly become the year of software supply chain security, our industry has become more invested in the principal components and contributors in our software systems and the associated ripple effects.

Download the 2022 Slim.AI Public Container Report (PDF).

We conducted further research this year because we wanted to believe that it was possible not only to understand the software that you are shipping to production, but also to take actionable steps to make it secure and easy to work with. Excellent security shouldn’t come as a trade-off for developer experience and productivity.

There are automated and easier ways to keep the software supply chain healthy, and not put the burden entirely on the developers to solve the security problems at hand.

We’ve now published a sequel to our original report—the second annual Slim.AI Public Container Report—and in it we’ve explored the delta on that data set from 2021 to today. Let’s find out if a “zero-vulnerability world” is realistic given the current state of container security.

Here's what we found.

Finding #1: There are more high and critical vulnerabilities than ever across all categories.

The report shows that 60% of top public containers have more vulnerabilities today than they did a year ago. Although certain issues were resolved, new vulnerabilities are detected 4 times faster than existing ones are remediated. Most notably, the issues that were resolved were mostly negligible, low-severity vulnerabilities, whereas the new ones we found are mostly critical and high-severity. We saw a 50% increase in high-severity instances, followed by a 10% increase in critical vulnerabilities. Today's average public container has 287 vulnerabilities, 30% of which belong to the high/critical category, up from 20% last year.
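The year-over-year comparison behind Finding #1 boils down to diffing two scans of the same image tag. The script below is an added example, not code from the report or from Slim.AI: it takes two simplified scan result lists (constructed here, not any real scanner's output schema), keys findings by (vulnerability id, package), and reports what was resolved versus newly introduced by severity, the ratio of new to remediated findings, and the high/critical share of the current scan.

```python
# Added example: compare two vulnerability scans of one image tag taken a year apart
# and compute the metrics Finding #1 reports. Records are simplified dicts constructed
# for this example; they are not any particular scanner's schema.
from collections import Counter

# Constructed sample data: the same image tag scanned last year and this year.
LAST_YEAR = [
    {"id": "VULN-0001", "pkg": "libssl", "severity": "high"},
    {"id": "VULN-0002", "pkg": "bash", "severity": "low"},
    {"id": "VULN-0003", "pkg": "libc", "severity": "negligible"},
    {"id": "VULN-0004", "pkg": "zlib", "severity": "medium"},
]
THIS_YEAR = [
    {"id": "VULN-0001", "pkg": "libssl", "severity": "high"},       # still present
    {"id": "VULN-0004", "pkg": "zlib", "severity": "medium"},       # still present
    {"id": "VULN-0005", "pkg": "curl", "severity": "critical"},     # new
    {"id": "VULN-0006", "pkg": "libssl", "severity": "high"},       # new
    {"id": "VULN-0007", "pkg": "openssh", "severity": "high"},      # new
    {"id": "VULN-0008", "pkg": "libxml2", "severity": "critical"},  # new
]


def _index(scan):
    """Key each finding by (id, package): one CVE in two packages counts twice."""
    return {(f["id"], f["pkg"]): f["severity"].lower() for f in scan}


def compare_scans(old, new):
    """Return resolved/introduced counts by severity, the new-per-resolved ratio,
    and the share of high/critical findings in the newer scan."""
    old_i, new_i = _index(old), _index(new)
    resolved = Counter(sev for key, sev in old_i.items() if key not in new_i)
    introduced = Counter(sev for key, sev in new_i.items() if key not in old_i)
    n_resolved, n_introduced = sum(resolved.values()), sum(introduced.values())
    total = len(new_i)
    high_crit = sum(1 for sev in new_i.values() if sev in ("critical", "high"))
    return {
        "resolved": dict(resolved),
        "introduced": dict(introduced),
        # findings that appeared per finding fixed; inf when nothing was remediated
        "new_per_resolved": n_introduced / n_resolved if n_resolved else float("inf"),
        "total": total,
        "high_critical_share": high_crit / total if total else 0.0,
    }


if __name__ == "__main__":
    for metric, value in compare_scans(LAST_YEAR, THIS_YEAR).items():
        print(f"{metric}: {value}")
```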

Finding #2: Component complexity has risen significantly over the past year.

On average, we detected 13% more packages per container. The average container now has almost 400 packages. Considering that each package may have hundreds of thousands of transitive dependencies, as multiple academic studies have shown, this number is likely just the tip of the iceberg. Not only are the package counts worrisome, but we also saw 2.5 times more licenses and 4 times more layers on average. Scanning with open-source tools takes almost 2 times longer, resulting in wasted time in our CI/CD systems.

Finding #3: A disconnect was found between executives and front-line engineers on their organization’s software supply chain security efforts.

There was a discrepancy between these roles on how difficult it is to remove vulnerabilities. Among executives, 49% in our survey think containers are slimmed and hardened, but those who do the actual work, the front-line engineers and managers, report significantly lower numbers. Our survey found that 88% of developers admit it is challenging to remove vulnerabilities. Moreover, less than 26% say they understand how to slim and harden containers.

Today, many companies and governments are demanding a world with zero vulnerabilities, but our research reveals just how out of reach that goal is given current awareness, tools and techniques.

Download the full report (PDF).

What’s the methodology?

We have been observing and deconstructing hundreds of thousands of containers since 2020 to understand how they are changing over time. This year's report was a combined effort between our dissection of thousands of popular containers and a developer survey we conducted with a research firm. The second portion is new this year: we partnered with Dimensional Research on a global study of 300 developers, DevOps practitioners, and engineering executives.

We leveraged a dataset on the world’s public containers that’s been a year-plus in the making, consisting of the analysis from more than 17,000 unique container images. Our initial set of 165 containers was selected based on both quantitative data (i.e., pull volume) and qualitative data (interviews with engineering teams) to best represent current usage in the cloud ecosystem. We examine a combination of base images (including language-specific ones like python:latest) and standalone applications (like grafana).

Only the `latest` tags (or their equivalent) were included in our analysis, so that all containers are compared on the same basis. We acknowledge these are often larger and less secure than `alpine` or `slim` alternatives, and that those more minimal images often have a cost in terms of productivity.

Conclusion

If executives are under the impression that their containers are more secure than they actually are in practice, and developers are not armed with the additional skill sets to secure the apps they are building, where does that leave us? While a zero-vulnerability environment may not be entirely attainable, we can make significant strides in visibility, tooling and communication to improve the current ecosystem.

It's more important now than ever to know what's in your software. We are no more secure today than we were this time a year ago. Securing containers for production is not getting easier, yet we are seeing a demand from customers for zero-vulnerability supply chains as a reaction to supply chain security breaches. As our survey results show, some 70 percent of developers said their customers are demanding that software contain zero vulnerabilities. Yet only 23-26 percent said they had the skills to slim or harden their containers for production use. This implies a skills and learning gap among developers that may be difficult for organizations to overcome.

A push towards generating SBOMs and scanning containers for vulnerabilities has helped increase awareness, but a larger investment in developer tools is required if we are going to make supply chain security a problem developers can solve. Our team believes in two additional steps to a safer software supply chain – slimming and sharing.

  • Sharing – knowing what to focus on as a developer is important. Vulnerability scanners can produce a lot of noise; cut that noise back so developers see the findings that matter.
  • Slimming – reduce the number of vulnerabilities to only those in what you actually ship, so security is easier to handle.

The key takeaway? Ship only what you need to production.

Remove all of the fluff and cruft from your containers for a reduced attack surface. We are now more aware of these security issues than ever before. Across the world, there are competent, relentless, brilliant teams losing sleep thinking about these problems and creating solutions for the software ecosystem. For this reason, we're confident that we will have better results to share in our future container analyses.

Want to discuss these findings with fellow container enthusiasts?

Join us on Discord at: https://discord.gg/uBttmfyYNB.
