The Challenge of Vulnerability Management [CVEs]: Insights from Getup Clients

Discover how Getup is addressing the problem of vulnerabilities in containers, reducing CVEs by up to 90% and making security more efficient without impacting productivity.

Diogo Goebel, CEO

Conversations with our clients reveal a growing frustration: container images with a high number of known vulnerabilities (CVEs), even when using official and updated versions. The volume is so high that it makes any initiative to manage or mitigate the identified risks nearly impossible.

In the last year, our work with Zora helped expose the scale of the problem. It also made it clear that visibility alone is not enough. The obstacles to remediating vulnerabilities are numerous, while their number keeps growing. This scenario reinforces the perception that security management is distant or almost utopian, and it exposes companies to even greater risk.

Some of the recurring challenges in our conversations:

  • Excessive vulnerabilities, even in official images. In our daily support for Kubernetes, we see this up close. Popular images often carry hundreds of CVEs. While we were writing this article, we scanned a widely used Node image and found 1246 vulnerabilities:

    node:latest (debian 12.9)
    Total: 1246 (UNKNOWN: 6, LOW: 640, MEDIUM: 491, HIGH: 103, CRITICAL: 6)

  • Prioritization helps, but does not solve the problem. Tools like Prisma Cloud and Kubescape classify vulnerabilities and show which ones to address first, but that does not reduce the number of CVEs that teams need to deal with. Even with prioritization, the backlog remains huge.

  • Developers are forced to fix vulnerabilities on top of their core tasks. Shift-left approaches help, but with a high number of issues to resolve, they end up delaying development instead of strengthening security. Another phenomenon we encountered was a deployment being approved despite a critical vulnerability because a certain feature had to be delivered.

  • Lack of clear ownership. In most companies, no single team is responsible for managing CVEs. Security, DevOps, DevSecOps, and infrastructure share the role, but without defined leadership, many vulnerabilities remain unaddressed.
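To make the two points above concrete (a huge total, and prioritization that reorders but does not shrink it), here is a small Python example added to this article. It is not Getup's tooling: it parses the two-line summary format quoted above (the style printed by scanners such as Trivy), checks that the per-severity counts add up to the reported total, lists the HIGH and CRITICAL subset a prioritization tool would surface first, and computes the percentage reduction between two images. The second image in the sample report, example-app:slim, is a constructed, hypothetical rebuild used only to show the arithmetic; its counts are not a real scan.

```python
import re
from dataclasses import dataclass

# Severity buckets in the order the scanner summary prints them.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report: the first block reproduces the node:latest
# summary quoted in the article; the second is a HYPOTHETICAL slimmer
# rebuild invented here to demonstrate the comparison, not a real scan.
SAMPLE_REPORT = """\
node:latest (debian 12.9)
Total: 1246 (UNKNOWN: 6, LOW: 640, MEDIUM: 491, HIGH: 103, CRITICAL: 6)

example-app:slim (hypothetical)
Total: 118 (UNKNOWN: 0, LOW: 71, MEDIUM: 39, HIGH: 7, CRITICAL: 1)
"""

# Matches e.g. "Total: 1246 (UNKNOWN: 6, LOW: 640, ...)"
SUMMARY_RE = re.compile(r"^Total:\s*(\d+)\s*\((.*)\)\s*$")


@dataclass
class ImageSummary:
    image: str
    total: int
    by_severity: dict

    def count(self, *severities):
        return sum(self.by_severity.get(s, 0) for s in severities)

    def actionable(self):
        """The subset a prioritization tool would put at the top of the list."""
        return self.count("HIGH", "CRITICAL")


def parse_report(text):
    """Parse one or more image/summary pairs; raise on inconsistent counts."""
    summaries = []
    image = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m is None:
            image = line  # a non-summary line names the image that follows
            continue
        total = int(m.group(1))
        counts = {}
        for part in m.group(2).split(","):
            sev, _, n = part.strip().partition(":")
            sev = sev.strip().upper()
            if sev not in SEVERITIES:
                raise ValueError(f"unexpected severity {sev!r} for {image}")
            counts[sev] = int(n)
        # Defensive check: a summary whose buckets disagree with its total
        # is a parsing or tooling problem and should not be trusted.
        if sum(counts.values()) != total:
            raise ValueError(f"severity counts do not add up to total for {image}")
        summaries.append(ImageSummary(image or "<unnamed>", total, counts))
        image = None
    return summaries


def triage_table(summary):
    """Rows of (severity, count, percent of total), most severe first.
    Ordering changes what you look at first; the total stays the same."""
    rows = []
    for sev in reversed(SEVERITIES):
        n = summary.by_severity.get(sev, 0)
        pct = round(100.0 * n / summary.total, 1) if summary.total else 0.0
        rows.append((sev, n, pct))
    return rows


def reduction_percent(before, after):
    """Share of the CVE backlog removed by moving from `before` to `after`."""
    if before.total == 0:
        return 0.0
    return round(100.0 * (before.total - after.total) / before.total, 1)


if __name__ == "__main__":
    base, slim = parse_report(SAMPLE_REPORT)
    print(f"{base.image}: {base.total} CVEs, {base.actionable()} HIGH/CRITICAL")
    for sev, n, pct in triage_table(base):
        print(f"  {sev:<9}{n:>6}  {pct:>5}%")
    print(f"{slim.image}: {slim.total} CVEs, {slim.actionable()} HIGH/CRITICAL")
    print(f"Backlog reduction: {reduction_percent(base, slim)}%")
```

Running it shows why prioritization alone does not close the gap: only 109 of the 1246 findings in the Node image are HIGH or CRITICAL, yet the remaining 1137 still sit in the backlog. The reduction figure only moves when the image itself changes.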


This reality has led us to rethink how CVE management should function.

Eliminating CVEs at the Source: Our Approach to Vulnerability Management

Instead of creating more tools to detect vulnerabilities, we chose to eliminate them at the source. Our solution has reduced CVE volume by 90%, decreasing the burden on teams and changing perceptions about security and vulnerability management.

Initial tests with companies confirm this impact; they are seeing a drastic reduction in the number of CVEs. Less time spent triaging and fixing CVEs means fewer delays, faster deliveries, and security that does not interfere with productivity.

We leveraged lessons learned from Zora and direct feedback from our clients to ensure that this solution addresses not only the technical problem but also the operational challenges that lead to vulnerability management being viewed as a waste of time and resources.

Core Principles in Our Approach

  • Noise Reduction: Instead of overwhelming teams with alerts, we eliminate vulnerabilities before they reach your environment.

  • Simplified Remediation: CVE management is a repetitive and constant task. Our solution automates updates and fixes, reducing manual effort and ensuring that issues are resolved without interrupting development.

  • Proactive Security: We prevent vulnerabilities from reaching production instead of reacting once they are already in the environment. This reduces risk, keeps workflows organized, and avoids unnecessary interruptions.

Challenge Accepted? Join Us

We are not sharing all the details yet, but at Getup, we have taken on the challenge of CVE management and created a solution based on the real challenges we hear from teams like yours. If CVE management is consuming your team's time, we want to hear your feedback. If your company has not yet defined a process for CVE management, we also want to hear from you and help you take this important step. 

We have launched an initial version of our solution, which is running with selected companies. Now, we are expanding access through our Early Access Program.

In the program, you gain:

  • Access to the solution before the official launch.

  • Influence over the product through feedback based on your usage.

  • Direct support from our engineering team.

If CVE management in container images is a problem for your team, [sign up here] to participate in the program and see how we are making security simpler and more effective.

Shrink your attack surface.

Cut remediation costs.


With Quor, security becomes your competitive edge. See how in a personalized demo.
