How We Helped Teams Remediate 95% of Container CVEs Without Code Changes

Sophia — Thu, 05 Jun 2025 17:09:48 +0000

Originally Published on the RapidFort Blog: Reducing Attack Surface Noise with Runtime Intelligence

The Noise Problem: Too Many CVEs, Too Little Context

We’ve seen this across dozens of engineering and security teams:

Containers are built with multi-stage Dockerfiles
Slim or minimal base images are used
Static scanners are embedded in CI/CD

And yet, scan results still flag hundreds of CVEs per container image.

Why? Because traditional scanners surface everything installed in the image — even components the application never uses.

This inflates the CVE count and leads to long patch queues, false positives, and wasted remediation effort.

What’s Actually in Your Container?

Even seemingly minimal base images often include:

Command-line tools used during build
Legacy libraries inherited from upstream images
Package managers and shell utilities not required at runtime

These unused components:

Expand the software attack surface
Increase the number of CVEs flagged in scans
Overcomplicate compliance and audit workflows

This introduces more risk and workload into software that the application doesn’t even use.

The Solution: Runtime-Aware Container Minimization

Instead of optimizing containers based on what’s included, RapidFort asks: What does the container actually execute?

By profiling your container using RapidFort DevTime during test or staging, we determine:

What binaries are executed
Which libraries are loaded into memory
Which packages are untouched during runtime

Then, RapidFort removes everything that wasn’t used — safely, deterministically, and without requiring source code changes. This is software attack surface management (SASM) powered by runtime data.

The Results

With RapidFort DevTime and RunTime hardening, teams achieve:

Up to 90% reduction in CVE exposure, by removing unused components
Smaller container images, improving pull times and CI/CD performance
Fewer false positives in security scans
Improved compliance readiness, with precise SBOM and RBOM™ documentation
No code changes, no patch chasing, and no guesswork

This isn’t theoretical. These results come from real-world production workloads hardened through runtime analysis.

Why This Matters

Reducing what’s inside your container:

Shrinks your attack surface
Eliminates CVEs from non-executing components
Gives you security signal that reflects real risk
Helps you maintain audit-ready documentation aligned to actual usage

Runtime-aware hardening allows security and platform teams to shift from reactive patching to proactive software reduction!

How to Get Started

RapidFort offers two paths:

1. Community Images (GitHub):
Free-to-use, pre-hardened versions of popular open-source containers. These are publicly available on GitHub and optimized using RapidFort’s SASM platform. Ideal for experimentation and staging environments.
GitHub: https://github.com/rapidfort/community-images

2. Near Zero CVE Images (Curated Images):
Enterprise-grade, continuously updated container images with near zero known vulnerabilities, FIPS validation, and STIG/CIS hardening. These are suitable for regulated production workloads: https://hub.rapidfort.com/repositories