DEV Community

Sophia

How We Helped Teams Remediate 95% of Container CVEs Without Code Changes

Originally Published on the RapidFort Blog: Reducing Attack Surface Noise with Runtime Intelligence

The Noise Problem: Too Many CVEs, Too Little Context

We’ve seen this across dozens of engineering and security teams:

  • Containers are built with multi-stage Dockerfiles

  • Slim or minimal base images are used

  • Static scanners are embedded in CI/CD

And yet, scan results still flag hundreds of CVEs per container image.

Why? Because traditional scanners surface everything installed in the image — even components the application never uses.

This inflates the CVE count and leads to long patch queues, false positives, and wasted remediation effort.

What’s Actually in Your Container?

Even seemingly minimal base images often include:

  • Command-line tools used during build

  • Legacy libraries inherited from upstream images

  • Package managers and shell utilities not required at runtime

These unused components:

  • Expand the software attack surface

  • Increase the number of CVEs flagged in scans

  • Overcomplicate compliance and audit workflows

Unused components add risk and remediation work for software the application never runs.

The Solution: Runtime-Aware Container Minimization

Instead of optimizing containers based on what’s included, RapidFort asks: What does the container actually execute?

By profiling your container using RapidFort DevTime during test or staging, we determine:

  • What binaries are executed

  • Which libraries are loaded into memory

  • Which packages are untouched during runtime

RapidFort then removes everything that was not used, deterministically and without requiring source code changes. This is software attack surface management (SASM) powered by runtime data. Because the profile records only the code paths that the test or staging run actually exercised, that run should cover the application's real workload, including error handling and rarely used features, before the set of unused components is trusted.
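As an added illustration, not RapidFort's code, the following Python script shows the core of the profiling step described above: it reads a syscall trace of the kind `strace -f -e trace=openat,execve` produces while the test suite runs, keeps the files that were successfully opened or executed, and joins them against the per-package file lists dpkg keeps under /var/lib/dpkg/info/<pkg>.list to separate packages that were touched from packages that are removal candidates. The trace lines and the package inventory are constructed samples, and the package names and paths are illustrative.

```python
"""Derive a list of runtime-unused packages from a syscall trace.

Added example (not RapidFort's code). It shows the logic behind a
runtime-aware minimization step: a syscall trace recorded during the test
run tells us which files were opened or executed; the package manager's
file lists tell us which package each file belongs to; any package with no
touched file is a removal candidate.
"""
import os
import re

# Constructed sample: what the application touched while the test suite ran.
# Mimics `strace -f -e trace=openat,execve` output (pid, call, return value).
SAMPLE_TRACE = """\
1234  execve("/usr/local/bin/python3", ["python3", "app.py"], 0x7ffd4a3b) = 0
1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libssl.so.3", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libcrypto.so.3", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1234  openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 4
1235  execve("/bin/sh", ["sh", "-c", "date"], 0x55d07c10) = 0
1235  openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
1235  execve("/bin/date", ["date"], 0x55d07c10) = 0
"""

# Constructed sample: package -> files, as /var/lib/dpkg/info/<pkg>.list records them.
SAMPLE_PACKAGE_FILES = {
    "libc6": ["/lib/x86_64-linux-gnu/libc.so.6", "/lib/x86_64-linux-gnu/libm.so.6"],
    "libssl3": ["/usr/lib/x86_64-linux-gnu/libssl.so.3", "/usr/lib/x86_64-linux-gnu/libcrypto.so.3"],
    "openssl": ["/usr/bin/openssl", "/etc/ssl/openssl.cnf"],
    "dash": ["/bin/sh", "/bin/dash"],
    "coreutils": ["/bin/date", "/bin/ls", "/bin/cat"],
    "curl": ["/usr/bin/curl"],
    "gcc-12": ["/usr/bin/gcc-12", "/usr/lib/gcc/x86_64-linux-gnu/12/cc1"],
    "apt": ["/usr/bin/apt", "/usr/bin/apt-get"],
}

# One pattern for both syscalls: capture the quoted path and the return value.
_LINE_RE = re.compile(
    r'^\s*\d+\s+(?P<call>execve|openat)\((?:AT_FDCWD, )?"(?P<path>[^"]+)".*\)\s*=\s*(?P<ret>-?\d+)'
)


def accessed_paths(trace: str) -> set:
    """Return the files the traced processes successfully opened or executed."""
    paths = set()
    for line in trace.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        if int(m.group("ret")) < 0:
            continue  # e.g. -1 ENOENT: the file was probed for, never used
        # Against a real rootfs, resolve symlinks (e.g. /bin/sh -> dash) with
        # os.path.realpath; normpath is the offline stand-in for this sample.
        paths.add(os.path.normpath(m.group("path")))
    return paths


def classify_packages(package_files: dict, used_paths: set):
    """Split packages into those with at least one used file and those untouched."""
    used, unused = {}, []
    for pkg, files in package_files.items():
        hits = sorted(set(files) & used_paths)
        if hits:
            used[pkg] = hits
        else:
            unused.append(pkg)
    return used, sorted(unused)


def removal_candidates(trace: str = SAMPLE_TRACE, package_files: dict = SAMPLE_PACKAGE_FILES):
    """Packages with no file touched during the profiled run."""
    _, unused = classify_packages(package_files, accessed_paths(trace))
    return unused


if __name__ == "__main__":
    used, unused = classify_packages(SAMPLE_PACKAGE_FILES, accessed_paths(SAMPLE_TRACE))
    print("used at runtime:")
    for pkg, hits in used.items():
        print(f"  {pkg}: {', '.join(hits)}")
    print("removal candidates (never touched during the profiled run):")
    for pkg in unused:
        print(f"  {pkg}")
```

Two things the output makes visible. A package counts as used if any one of its files was touched: here openssl stays because the application read /etc/ssl/openssl.cnf even though /usr/bin/openssl never ran, so pruning at file granularity removes more than pruning at package granularity. A failed open (the ENOENT line) is a probe, not a use, and is ignored. The candidate list is only as good as the coverage of the profiled run; a component needed only on an error path the test suite never hit will show up as a removal candidate.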

The Results

With RapidFort DevTime and RunTime hardening, teams achieve:

  • Up to 90% reduction in CVE exposure, by removing unused components

  • Smaller container images, improving pull times and CI/CD performance

  • Fewer false positives in security scans

  • Improved compliance readiness, with precise SBOM and RBOM™ documentation

  • No code changes, no patch chasing, and no guesswork

This isn’t theoretical. These results come from real-world production workloads hardened through runtime analysis.

Why This Matters

Reducing what’s inside your container:

  • Shrinks your attack surface

  • Eliminates CVEs from non-executing components

  • Gives you security signal that reflects real risk

  • Helps you maintain audit-ready documentation aligned to actual usage

Runtime-aware hardening lets security and platform teams shift from reactive patching to proactive software reduction.

How to Get Started

RapidFort offers two paths:

1. Community Images (GitHub):
Free-to-use, pre-hardened versions of popular open-source containers. These are publicly available on GitHub and optimized using RapidFort’s SASM platform. Ideal for experimentation and staging environments.
GitHub: https://github.com/rapidfort/community-images

2. Near Zero CVE Images (Curated Images):
Enterprise-grade, continuously updated container images with near zero known vulnerabilities, FIPS validation, and STIG/CIS hardening. These are suitable for regulated production workloads: https://hub.rapidfort.com/repositories
