Chainguard Finds 98% of Container CVEs Lurking Outside the Top 20 Images
"Chainguard draws on telemetry from 290,000 images and almost half a billion builds to examine how customers actually consume and maintain open source components. It finds that foundational language and infrastructure images such as Python, Node, nginx, Go and Redis dominate production usage, forming what it describes as the baseline stack for the modern AI-driven software ecosystem."
"However, the report warns that this visible layer of popular images is only a small part of the real landscape. The top 20 images account for about 1.37% of Chainguard's catalogued images and roughly half of all container pulls. The other half of production usage comes from 1,436 long-tail images that make up more than 61% of the average customer's manifest. Chainguard stresses that these long-tail images are often core components that are absolutely required for live services and infrastructure, rather than being short-lived experiments."
"The distribution of vulnerabilities is highly skewed toward this long tail. Chainguard reports that only 214 of the CVE instances it remediated in the period, around 2%, occurred in the top 20 images. The remaining 98% (10,785 CVE instances) were in images outside that set. This finding suggests that the worst exposure sits in the parts of the stack where patching and governance are hardest to appl"
Telemetry from 290,000 images and almost half a billion builds covers production consumption and maintenance of open-source components across more than 1,800 container image projects and 10,100 vulnerability instances observed between September and November 2025. Foundational language and infrastructure images such as Python, Node, nginx, Go and Redis dominate production usage; the most widely deployed of them appear in roughly 72%, 57% and 40% of customer environments. The top 20 images represent about 1.37% of catalogued images but roughly half of container pulls. A long tail of 1,436 images makes up over 61% of an average manifest and contains the large majority of CVE instances, which is exactly where patching and governance are hardest to apply.
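The practical question the report raises is how much of your own manifest sits in that long tail, and how those references are pinned. The script below is an added example, not code from Chainguard or InfoQ: it takes a pod listing in the shape of `kubectl get pods -A -o json`, normalises each image reference the way the Docker client does (implicit `docker.io` registry, `library/` namespace and `latest` tag), and reports the split between an assumed curated set of foundational images (`CURATED_BASE_IMAGES`, a stand-in for the report's top-20 list, which is not reproduced here) and everything else, plus how many references are pinned by digest rather than a mutable tag. The pod data, the curated set and the function names (`parse_image_ref`, `image_refs`, `summarize`, `run_sample`) are all constructed for this example.

```python
"""Added example (not from the Chainguard report or the InfoQ article): inventory the
image references in a Kubernetes pod listing and measure how much of the manifest
falls outside a curated set of foundational base images."""
import json

# Assumed allowlist of "top" foundational images, keyed by canonical name
# (registry/repository). The report's actual top-20 list is not reproduced here.
CURATED_BASE_IMAGES = {
    "docker.io/library/python",
    "docker.io/library/node",
    "docker.io/library/nginx",
    "docker.io/library/golang",
    "docker.io/library/redis",
}

# Constructed sample in the shape of `kubectl get pods -A -o json` (trimmed; not real data).
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "web", "name": "frontend-1"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx:1.27"}]}},
        {"metadata": {"namespace": "web", "name": "api-1"},
         "spec": {"containers": [
             {"name": "api", "image": "python:3.12-slim"},
             {"name": "sidecar", "image": "ghcr.io/example/api-sidecar@sha256:" + "a" * 64}]}},
        {"metadata": {"namespace": "data", "name": "cache-1"},
         "spec": {"containers": [{"name": "redis", "image": "docker.io/library/redis:7"}]}},
        {"metadata": {"namespace": "batch", "name": "legacy-1"},
         "spec": {"initContainers": [{"name": "init", "image": "busybox"}],
                  "containers": [{"name": "job", "image": "quay.io/example/legacy-batch:latest"}]}},
        {"metadata": {"namespace": "ml", "name": "train-1"},
         "spec": {"containers": [{"name": "trainer", "image": "registry.internal:5000/ml/trainer:2.3"}]}},
    ]
})


def parse_image_ref(ref):
    """Split an OCI image reference into registry, repository, tag and digest,
    applying the Docker client's defaults (docker.io, library/ namespace, latest tag)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    # The leading component is a registry only if it looks like a host ('.' or ':' or localhost).
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A tag is the text after the last ':' only when that ':' comes after the last '/'.
    colon = path.rfind(":")
    tag = None
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    if tag is None and digest is None:
        tag = "latest"  # implicit, mutable tag
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def image_refs(pods_doc):
    """Yield (namespace, pod, container, image) for every container kind in a pod list."""
    for pod in pods_doc.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(kind, []):
                yield meta.get("namespace"), meta.get("name"), c.get("name"), c["image"]


def summarize(pods_doc, curated):
    """Measure the curated-vs-long-tail split and how references are pinned."""
    names, digest_pinned, latest_refs, total_refs = set(), 0, 0, 0
    for _ns, _pod, _container, ref in image_refs(pods_doc):
        parsed = parse_image_ref(ref)
        names.add(f"{parsed['registry']}/{parsed['repository']}")
        total_refs += 1
        digest_pinned += parsed["digest"] is not None
        latest_refs += parsed["tag"] == "latest"
    long_tail = sorted(n for n in names if n not in curated)
    return {
        "distinct_images": len(names),
        "curated_images": len(names) - len(long_tail),
        "long_tail_images": len(long_tail),
        "long_tail_share": len(long_tail) / len(names) if names else 0.0,
        "long_tail_names": long_tail,
        "container_refs": total_refs,
        "digest_pinned_refs": digest_pinned,
        "latest_tag_refs": latest_refs,
    }


def run_sample():
    """Run the inventory over the constructed sample listing."""
    return summarize(json.loads(SAMPLE_PODS_JSON), CURATED_BASE_IMAGES)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed sample, four of the seven distinct images fall outside the curated set, only one reference is pinned by digest, and two resolve to `latest`; those long-tail, mutably tagged references are the ones a rebuild will silently change and a scanner tied to the curated list will never see. Against a real cluster, feed it `kubectl get pods -A -o json` and replace the curated set with whatever base-image catalogue your organisation actually maintains.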
Read at InfoQ