In containerized environments, images are constantly added to the central registry or hub, and containers running those images are spun up and torn down. The problem is amplified by the relative ease with which images based on open source builds can be generated, from Dockerfiles for example, and it grows as more ‘layers’ are incorporated into an image. The more layers an image build incorporates to speed up deployment, the greater the risk that a software component, open source components included, will reach production without being scanned, validated and, where needed, patched.
Unless image scanning is tightly managed so that images are scanned before they are ever uploaded to a registry, rather than following the traditional approach of periodic scans, the door is open to the propagation of vulnerabilities.