The image part of Docker is basically bundling an application with its dependencies.
Personally I've rarely seen applications doing that properly. For example, I've seen many Java J2EE .war web applications with half the libraries being 5 to 10 years old. I've also seen it in "binary" applications, like AV software, bundling old libxml or old OpenSSL versions.
Classic distributions like Debian or RHEL spend a huge amount of time tracking security alerts, patching and putting in place update and notification mechanisms. And it's not an easy task.
Docker permits developers to easily control what they ship, especially the dependencies (the "great power" part); however, bundling your dependencies means you have to track them properly, update them regularly and monitor security issues in them (the "great responsibility" part).
The tooling and workflows to do the second part are still in their infancy. It's far better than one or two years ago, but it still needs a huge amount of work.
By the way, the tool used for security scanning seems to only scan deb or rpm packages. It doesn't seem to handle components installed through language-specific package managers like pip or npm, or manually installed libraries (plain old ./configure && make && make install). The actual picture may be even darker...
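A way to see the gap the comment above describes for yourself, as an added example (not code from the commenter or from any scanner): inventory an unpacked image root and list what the dpkg database knows about next to what it does not. The script assumes the image has already been exported and extracted to a directory (for instance with `docker export` and `tar`); the file layouts it reads (`/var/lib/dpkg/status`, `/var/lib/dpkg/info/*.list`, `*.dist-info/METADATA`, `node_modules/*/package.json`) are the standard ones, and the sample root it builds is constructed data, not a real image.

```python
"""Inventory what is actually installed in an unpacked container root.

Added example, not from the original comment. Input: a directory holding
an extracted image filesystem (assumed produced by `docker export` + tar).
Four classes of components are listed; a deb/rpm-only scanner sees only
the first one.
"""
import json
import tempfile
from pathlib import Path


def dpkg_packages(root: Path) -> dict:
    """{name: version} for packages /var/lib/dpkg/status marks installed."""
    status = root / "var/lib/dpkg/status"
    pkgs = {}
    if not status.is_file():
        return pkgs
    for stanza in status.read_text().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        # "install ok installed"; skips "deinstall ok config-files" leftovers
        if fields.get("Status", "").endswith("installed") and "Package" in fields:
            pkgs[fields["Package"]] = fields.get("Version", "")
    return pkgs


def dpkg_owned_files(root: Path) -> set:
    """Every path some dpkg package claims (from /var/lib/dpkg/info/*.list)."""
    owned = set()
    info = root / "var/lib/dpkg/info"
    if info.is_dir():
        for lst in info.glob("*.list"):
            owned.update(l.strip() for l in lst.read_text().splitlines() if l.strip())
    return owned


def pip_distributions(root: Path) -> dict:
    """Python distributions: any *.dist-info/METADATA anywhere under root."""
    dists = {}
    for meta in root.rglob("*.dist-info/METADATA"):
        name = version = None
        for line in meta.read_text().splitlines():
            if line.startswith("Name:"):
                name = line.split(":", 1)[1].strip()
            elif line.startswith("Version:"):
                version = line.split(":", 1)[1].strip()
        if name:
            dists[name] = version or ""
    return dists


def npm_packages(root: Path) -> dict:
    """Node packages: node_modules/<name>/package.json, nested trees included."""
    pkgs = {}
    for pj in root.rglob("node_modules/*/package.json"):
        try:
            data = json.loads(pj.read_text())
        except json.JSONDecodeError:
            continue
        if "name" in data:
            pkgs[data["name"]] = data.get("version", "")
    return pkgs


def unmanaged_shared_libs(root: Path) -> list:
    """Shared objects on disk that no dpkg package claims: make-install residue."""
    owned = dpkg_owned_files(root)
    found = []
    for so in root.rglob("*.so*"):
        if so.is_file():
            rel = "/" + so.relative_to(root).as_posix()
            if rel not in owned:
                found.append(rel)
    return sorted(found)


def inventory(root) -> dict:
    root = Path(root)
    return {
        "dpkg": dpkg_packages(root),
        "pip": pip_distributions(root),
        "npm": npm_packages(root),
        "unmanaged_so": unmanaged_shared_libs(root),
    }


def build_sample_rootfs() -> str:
    """Constructed mini image root (sample data only): one dpkg-managed OpenSSL,
    one hand-built libxml2, one pip package, one npm package."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    (root / "var/lib/dpkg/info").mkdir(parents=True)
    (root / "var/lib/dpkg/status").write_text(
        "Package: libssl1.1\nStatus: install ok installed\nVersion: 1.1.1n-0+deb10u3\n\n"
        "Package: oldpkg\nStatus: deinstall ok config-files\nVersion: 0.1\n")
    (root / "var/lib/dpkg/info/libssl1.1.list").write_text(
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.1\n")
    (root / "usr/lib/x86_64-linux-gnu").mkdir(parents=True)
    (root / "usr/lib/x86_64-linux-gnu/libssl.so.1.1").write_bytes(b"\x7fELF")
    (root / "usr/local/lib").mkdir(parents=True)
    (root / "usr/local/lib/libxml2.so.2.9.1").write_bytes(b"\x7fELF")  # make install
    meta = root / "usr/local/lib/python3.9/site-packages/requests-2.25.1.dist-info"
    meta.mkdir(parents=True)
    (meta / "METADATA").write_text("Metadata-Version: 2.1\nName: requests\nVersion: 2.25.1\n")
    npm = root / "app/node_modules/lodash"
    npm.mkdir(parents=True)
    (npm / "package.json").write_text(json.dumps({"name": "lodash", "version": "4.17.15"}))
    return str(root)


if __name__ == "__main__":
    print(json.dumps(inventory(build_sample_rootfs()), indent=2))
```

Running it on the sample root reports the dpkg-managed OpenSSL, and separately the requests wheel, the lodash module and an unclaimed `/usr/local/lib/libxml2.so.2.9.1`; the last three are exactly the components a deb/rpm-only scanner reports nothing about. Pointed at a real extracted image, the `unmanaged_so` list is a quick first pass for "./configure && make install" leftovers, though it will not catch statically linked copies of a library, which need a different check.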