ActiveState Survey Finds Container Security Gaps Expose Enterprises to Breach and Audit Risks

The company’s 2026 State of Vulnerability Management & Remediation Report reveals the tension between the strategic intent and operational reality of open source in enterprise software development

VANCOUVER, BC – [January 6, 2026] – ActiveState, a global leader in open source language solutions and secure software supply chain management, today announced the release of its 2026 State of Vulnerability Management and Remediation Report. This year’s report, the “Container Security Edition,” surveyed 250 DevSecOps leaders across North America to uncover the critical security paradox facing modern enterprises: while container adoption has become universal, the maturity of security and compliance programs has failed to keep pace, leaving production environments vulnerable to attack.

The report highlights a startling disconnect between strategic intent and operational reality. According to survey respondents, while 100% of organizations report containerization as critical to their production strategy, 82% admit they’ve likely suffered at least one container-related security breach in the past 12 months. This widespread exposure is having tangible business impacts, with the data revealing that 78% of organizations have likely failed a compliance audit due to Common Vulnerabilities and Exposures (CVEs) present in their container images.

“The findings in our 2026 report serve as a stark wake-up call for enterprises relying on open source software and containers to drive their innovation,” said Stephen Baker, CEO of ActiveState. “We are seeing a massive gap between the ‘intent’ to secure the software supply chain and the ‘reality’ of daily development practices. When nearly every organization considers containers critical yet the vast majority are failing audits and suffering breaches, it’s clear that manual curation and traditional ‘golden images’ are no longer scaling. To protect the software development lifecycle, leaders must move toward automated, policy-enforced runtimes that remove the burden of remediation from their developers.”

The report delves deeper into the root causes of these security failures, identifying a “trust vs. practice” gap. Although 77% of DevSecOps leaders trust curated catalogs more than public registries, 90% still use lightly modified public images with little to no hardening. This reliance on public registries introduces significant risk, as unmonitored and outdated base images remain a primary vector for supply chain attacks and compliance violations.

DevSecOps leaders, security professionals, and engineering managers can download the full 2026 State of Vulnerability Management and Remediation Report to access complete data on container security trends, the impact of AI on remediation, and strategies for closing the compliance gap. The full report is available on the ActiveState website.

About ActiveState

ActiveState enables DevSecOps teams to improve their security posture while simultaneously increasing productivity and innovation to deliver secure applications faster. The company provides a curated catalog of more than 40 million secure open source components and container images that can be consumed via artifact repository, CI/CD, IDE, or directly from ActiveState. ActiveState continuously monitors and updates the open source components to help keep companies vulnerability-free. Companies using ActiveState see a 60-99% reduction in CVEs, improving their security posture, and save as much as 30% of developer time, eliminating the engineering toil typically associated with using open source in commercial applications. Learn more at www.activestate.com.

Media Contact 

Brandy Coulsey

Brand and Communications Manager, ActiveState

brandyc@activestate.com