2026/08/08 –, TR209
Every container you deploy carries debt you didn't write. The average base image ships with 200-400 packages your application never calls, each one a potential CVE, each one expanding the blast radius of a breach. Teams run Trivy or Grype, get a wall of 400 alerts, patch the criticals, suppress the rest, and ship. The scan-patch-suppress cycle creates an illusion of security hygiene while the actual attack surface stays enormous.
The good news: the ecosystem is finally pushing back. Google's distroless project has been around for years, Chainguard built a business on minimal images, and Docker Hardened Images went fully open source under Apache 2.0 in late 2025, putting 1,000+ minimal, SBOM-signed images one pull away from every developer. Yet most teams still default to node:latest.
This talk dissects why container supply chain debt accumulates and what a different default looks like. Through live audits comparing standard, slim, distroless, and hardened base images for the same application, we'll examine size, CVE counts, and actual runtime dependencies. You'll leave with practical patterns: multi-stage builds done right, automated base image rebuild pipelines, and policy-as-code for image provenance, so minimal becomes the default without slowing teams down.
Hrittik is a Platform Advocate at Loft Labs and a CNCF Ambassador, with expertise in cloud native technologies and open source communities. He has contributed extensively to developer advocacy, technical writing, and community engagement. Hrittik has been a featured speaker at events such as Kubernetes Community Days, Open Source Summits, and more, and has served as a Program Committee member for several KubeCons and CloudNativeCons.
Parth Goswami is an open source enthusiast and mostly works with containers and networking. He loves contributing to open source by hosting meetups and interacting with the community.