How many people do you see setting up a deploy pipeline that includes pulling security updates into the base image and redeploying as needed?
In my experience, it's much more common to see docker images that have been untouched for months with zero accountability of what exactly is running there.
That's my real concern: old, out of date images. How will we handle another OpenSSL-level vulnerability in 7 years, with bad code buried in containers that haven't been updated in 4, and for which the build infrastructure is no longer functional?
This really isn't that different from having some pre-built statically linked app still kicking on your system with the source and/or build tooling long gone.
There aren't really easy answers here. You can't fix bad software with more tooling.
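To make the "old, out of date images with zero accountability" concern concrete, here is an added example (not code from any commenter in this thread) of a stale-image audit. It assumes you have already collected a trimmed `docker inspect` record per running container (the `Created`, `RepoDigests` and `Config.Labels` fields) and a map of what the registry currently serves for each tag; both inputs below are constructed sample data, and the 30-day limit is an assumed policy. It flags images that are older than the limit, images that carry no OCI source/revision labels (so nobody can say which build produced them), and containers still running an image whose tag has since been rebuilt.

```python
"""Audit running containers for stale or unaccountable images.

Added example, not code from the thread. Works on a subset of the fields
`docker inspect` reports and on a constructed digest map standing in for
what a registry returns for each tag today.
"""
from datetime import datetime, timedelta, timezone

# OCI image annotation keys (from the OCI image spec), used as provenance evidence.
SOURCE_LABEL = "org.opencontainers.image.source"
REVISION_LABEL = "org.opencontainers.image.revision"

# Constructed sample: trimmed `docker inspect` records for three running containers.
CONTAINERS = [
    {"Name": "api", "Image": "example/api:1.4",
     "ImageInspect": {"Created": "2024-05-01T10:00:00.123456789Z",
                      "RepoDigests": ["example/api@sha256:aaaa"],
                      "Config": {"Labels": {SOURCE_LABEL: "https://git.example/api",
                                            REVISION_LABEL: "abc123"}}}},
    {"Name": "worker", "Image": "example/worker:2.0",
     "ImageInspect": {"Created": "2024-06-10T08:30:00Z",
                      "RepoDigests": ["example/worker@sha256:cccc"],
                      "Config": {"Labels": None}}},          # no provenance labels at all
    {"Name": "cache", "Image": "example/cache:7",
     "ImageInspect": {"Created": "2024-06-01T00:00:00Z",
                      "RepoDigests": ["example/cache@sha256:dddd"],
                      "Config": {"Labels": {SOURCE_LABEL: "https://git.example/cache",
                                            REVISION_LABEL: "def456"}}}},
]

# Constructed: digest each tag currently resolves to (e.g. via `docker manifest inspect`).
CURRENT_TAG_DIGESTS = {
    "example/api:1.4": "sha256:bbbb",     # tag was rebuilt after the container started
    "example/worker:2.0": "sha256:cccc",
    "example/cache:7": "sha256:dddd",
}

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)


def parse_created(ts):
    """Docker reports RFC 3339 with nanoseconds; keep the whole-second part."""
    head = ts.split(".")[0].rstrip("Z")
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit(containers, current_digests, now, max_age_days=30):
    """Return [(container name, [reasons])] for every container that fails a check."""
    findings = []
    for c in containers:
        img = c["ImageInspect"]
        age = now - parse_created(img["Created"])
        labels = (img.get("Config") or {}).get("Labels") or {}
        digests = img.get("RepoDigests") or []
        running_digest = digests[0].split("@", 1)[1] if digests else None
        reasons = []
        if age > timedelta(days=max_age_days):
            reasons.append(f"image built {age.days} days ago (limit {max_age_days})")
        if not (labels.get(SOURCE_LABEL) and labels.get(REVISION_LABEL)):
            reasons.append("no source/revision labels: image cannot be tied to a build")
        current = current_digests.get(c["Image"])
        if running_digest is None:
            reasons.append("no repo digest: image never pushed or pulled, unverifiable")
        elif current and current != running_digest:
            reasons.append(f"tag {c['Image']} now resolves to {current}, "
                           f"container runs {running_digest}")
        if reasons:
            findings.append((c["Name"], reasons))
    return findings


def run_audit():
    """Audit the constructed sample against the constructed registry state."""
    return audit(CONTAINERS, CURRENT_TAG_DIGESTS, NOW)


if __name__ == "__main__":
    for name, reasons in run_audit():
        print(name)
        for r in reasons:
            print("  -", r)
```

On real hosts the two inputs come from `docker inspect` on each running container and from querying the registry for each tag; running this on a schedule turns "nobody knows what is in there" into a list of named containers with a stated reason each, which is what a redeploy pipeline needs as its trigger.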
I blame that on Docker Hub. It's the fault of Docker, the company. They have security scanning software that they decided was an enterprise feature. This sort of issue is to be expected if you claim security to be an enterprise feature.