The State of Trusted Open Source: Are We Actually Patching?
Has anyone had a chance to look at the latest 'State of Trusted Open Source' report? The data from late 2025 regarding our consumption patterns is pretty sobering. It seems we're getting better at identifying vulnerabilities in our container images and language libraries, but the remediation times are still lagging significantly behind deployment speeds.
The report highlights a massive disconnect: teams are pulling updates faster than ever, but they're dragging legacy vulnerabilities along with them. It's less about zero-days and more about the 'known unknowns' sitting in our base images.
I’ve been pushing our devs to adopt more granular SBOM generation. If you don't know what's inside the image, you can't secure it. Here’s a quick Syft command I recommend for generating an SBOM before you even scan for issues:
syft alpine:latest -o spdx- > alpine-sbom.
Once you have that, you can feed it into Grype to check against the vulnerability DB mentioned in the report:
grype alpine-sbom. --fail-on high
The report suggests that a lot of these supply chain exploits could be mitigated just by blocking builds with High/Critical scores in the CI/CD pipeline. How are you guys enforcing this? Are you actually blocking builds, or is it just a warning log that everyone ignores?
From a SOC perspective, the lack of SBOMs makes incident response a nightmare. When a new CVE drops (like that recent one in a popular logging library), we're blind if we don't know who imported it. We've started ingesting Grype scan results into our SIEM so we can correlate running containers with known vulnerability signatures. I highly recommend tagging your images with the git commit hash so you can trace the lineage.
Don't forget that scanning the image isn't enough. The report mentions runtime behavior. I've seen plenty of 'clean' images that download malicious payloads at runtime because the base image has curl installed and the entrypoint script is shady. Always verify the integrity of the image signatures using cosign before pulling:
cosign verify --key cosign.pub registry.example.com/my-image:latest
To bridge that remediation gap, you have to stop relying on manual reviews. We’ve shifted to enforcing policies at the CI/CD gate rather than just monitoring. If a build contains a critical CVE, the pipeline rejects it immediately. Using a tool like Trivy in the pipeline helps enforce this:
trivy image --exit-code 1 --severity CRITICAL my-image:latest
It forces the conversation to happen before the artifact is even created, rather than scrambling to patch a live legacy container.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access