In 2025, containers are everywhere, powering CI/CD pipelines, supporting cloud-native development, and driving faster software delivery. Yet for many DevOps and security teams, container adoption has come with a familiar problem: a flood of CVEs.

According to industry reports, over 90% of organizations now use or are evaluating containers in their production environments. But many of those containers are built on public base images that contain outdated dependencies, misconfigurations, and unpatched CVEs. According to a recent report, 87% of containers in production include high or critical CVEs. The result? Teams spend more time reacting to scanner alerts than building software.

Why Container Security Matters

Container security is a combination of minimization and hardening, with the end goal being a reduced attack surface. The concept is simple: if it’s not there, there can be no exploitation. However, manually stripping back images, auditing dependencies, and applying secure defaults quickly becomes complex at scale. According to ActiveState’s 2026 State of Vulnerability Management and Remediation Report: Container Security Edition, 82% of survey respondents admit they’ve likely suffered at least one container-related security breach in the past 12 months.

That’s where ActiveState Secure Containers redefine best practices. Instead of merely patching vulnerabilities as they appear, ActiveState employs a rigorous four-step assembly process to secure containers from the ground up:

Securing the Base: Instead of relying on bloated general-purpose Linux distributions, ActiveState uses a custom “distroless” base image. This foundation contains only the essential runtime dependencies, deliberately excluding standard components like package managers, shells, and debugging tools that often serve as attack vectors.

Building from Source: ActiveState takes container hardening a step further by building every component from source code. This eliminates the blind trust in third-party binaries and ensures each dependency is verified and attested. 

Configuration & Assembly: Images are further optimized by stripping unnecessary files, documentation, and debug symbols to ensure the smallest and most secure footprint possible.

Testing & Distribution: Before publication, every image is put through an automated pipeline to perform a variety of checks and functions. This includes SCA scanning with tools like Trivy, Grype, or any number of commercial scanners for remaining vulnerabilities, image size, cryptographic signing for verification, and the generation of a detailed build-time SBOM to ensure audit readiness and compliance.

Automation That Scales Security

Hardening is only half the battle; maintenance is the other. ActiveState’s images are rebuilt nightly and bound by strict remediation SLAs:

  • 5 business days for critical CVEs
  • 10 days for highs
  • 30 days for all others

That means DevSecOps teams can integrate hardened containers into their CI/CD pipelines and trust that what they deploy remains vulnerability-free without manual patching or dependency guesswork.

The Bottom Line

Container security isn’t a one-time task; it’s a continuous discipline. ActiveState helps teams transition from reactive patching to proactive prevention, securing containers from the ground up.

Why Choose ActiveState?

For overworked DevSecOps teams, ActiveState provides a fully automated security layer as a managed service. We alleviate the immense overhead of building, maintaining, and certifying containers by managing the entire process—from source-built components (over 40 million) to guaranteed rapid remediation SLAs. For businesses in regulated sectors such as finance and healthcare, this proactive security is a critical risk mitigation strategy that can save hundreds of millions of dollars in regulatory fines and post-breach remediation costs.

Download the complete ActiveState Container Hardening Guide to learn how to integrate these best practices into your workflow.

Frequently Asked Questions (FAQs)


What are the most common container security risks?

Beyond standard misconfigurations, the most critical risks include:
* Vulnerable Open Source Dependencies: Over 90% of containers use public base images that often contain outdated or unpatched packages.
* Supply Chain Attacks: Using pre-compiled binaries from public repositories can introduce malware or “typo-squatted” packages.
* Bloated Images: General-purpose Linux distributions include shells, package managers, and debugging tools that serve as unnecessary attack vectors.
* Remediation Lag: The “Remediation Gap” occurs when teams detect vulnerabilities but lack the bandwidth to fix them before they are exploited in production.

How often should container images be scanned?

While many teams scan only at build time, container security must be a continuous discipline. New CVEs are discovered daily, making yesterday’s “clean” image today’s risk.

ActiveState Best Practice: ActiveState recommends nightly rebuilds and scans.

Can container scanning be automated in CI/CD?

Yes, and it is a fundamental part of a “Shift Left” strategy.

The ActiveState Approach: Instead of just flagging issues for developers to fix (which creates friction), ActiveState integrates into CI/CD pipelines to provide automated remediation. By pulling from a secure, curated catalog, your pipeline doesn’t just scan for problems—it pulls images that are already remediated and verified with a build-time SBOM (Software Bill of Materials).

What’s the difference between static and runtime container security?

Static Security: This happens before deployment (e.g., SCA scanning of code and images). It identifies known vulnerabilities (CVEs) in your dependencies and ensures the build is signed and untampered.

Runtime Security: This focuses on the container while it is running. It monitors for behavioral anomalies, such as unauthorized network connections or privilege escalation.

ActiveState Synergy: ActiveState strengthens runtime security by providing “distroless” images. By stripping out shells and package managers during the static build phase, you effectively eliminate the tools an attacker would need to execute a runtime exploit.

How do I choose a container scanning tool?

When evaluating tools, look beyond simple “detection.” A high-quality tool should provide:
1. Low False Positives: Use VEX (Vulnerability Exploitability eXchange) advisories to filter out non-exploitable noise.
2. Transitive Dependency Visibility: The ability to see deep into the “dependency hell” of sub-packages.
3. Remediation Path: Does the tool just give you a list of problems, or does it provide the fixed artifact? ActiveState’s Precision Remediation Pipeline is designed to provide the latter, giving you a 5-day SLA for critical CVEs.

Is Kubernetes secure by default?

No. While Kubernetes provides powerful orchestration, it introduces a layer of abstraction that can hide security blind spots. Default settings often allow broad permissions that attackers can exploit.

ActiveState Insight: Security in Kubernetes requires a “Secure by Design” foundation. Starting with hardened, minimal base images (like those in the ActiveState Container Catalog) ensures that the workloads you orchestrate have the smallest possible attack surface from the moment they are deployed.

What are best practices for securing production containers?

* Use Distroless Foundations: Remove everything not required for the app to run (no shells, no SSH).

* Build from Source: Avoid pre-compiled binaries to ensure provenance and eliminate hidden malware.

* Enforce Policy-Gated Pipelines: Automatically block any image that does not meet security benchmarks (e.g., no critical CVEs).

* Continuous Maintenance: Rely on automated rebuilds and signed SBOMs to ensure that production environments remain identical to tested staging environments and are always patched against the latest threats.