Talk in English - US at Longhorn PHP 2025
Track Name: Hill Country D
Short URL: https://joind.in/talk/1b98e
Every container starts with a FROM line, but how often do you really think about what you’re inheriting?
Popular base images come loaded with hundreds of packages, bringing along complexity, vulnerabilities, and compliance headaches you didn’t ask for. In this session, we’ll take a closer look at what’s hiding inside widely used images, and how those dependencies quietly introduce risk into even well-maintained applications.
You’ll learn how adopting minimal, verifiable, and low-to-zero CVE images can reduce your security surface and streamline compliance workflows without changing how you build.
Through live demos, we'll explore what happens when you:
* Scan popular images with Grype
* Try using weak crypto in a FIPS-compliant container
* Swap your base image without breaking your build
Whether you’re chasing FedRAMP, tuning your CI/CD pipeline, or just tired of the patch-and-scan grind, this talk will help you modernize your container strategy without disrupting your workflow.
Comments
Didn't know this was a thing developers needed to worry about.
This was very informative and I will look into using Grype and Chainguard.
Definitely look into a more PHP-specific use case of this when presenting at a PHP conference. Our toolchain requires the build tools to be installed to compile custom modules for our runtime, or pre-compiled binaries in a package repo (RPM, APT, etc.).
We just got done tuning our base Docker images and CI/CD pipelines in an effort to shrink deployment times. With Chainguard images being so small (AKA small number of layers) I bet deployments are super quick. I'd be curious to try this out on our test ECS setup.
My one concern is that if you switch to CG images and make them a dependency, if it later on doesn't work out (cost, technical difficulty) then you have to get BACK into bed with CVE-riddled images. That is a scary thought, right?