The baseimage Blog
Insights on container security, CI/CD pipelines, and the future of DevSecOps.

Hardening
Jul 9, 2026
Hardening Grafana: −68% CVEs, the Rest Proven Unreachable
How we cut grafana/grafana:13.0.3 from 54 CVEs to 17: 37 physically removed, 17 proven unreachable with linkage analysis, call graphs and runtime checks. With the Dockerfile, reproduction commands — plus a free hardening playbook you can hand to your AI agent.
14 min read
Read
DevSecOps
Apr 6, 2026
Docker Image Vulnerability Scanning: Cut 300+ CVEs Down to What Actually Matters
A scanner returns 300+ CVEs. Most are noise — but not all. We break down a systematic approach: enrich with EPSS and CISA KEV, classify by runtime context, and reduce alert fatigue by up to 70%.
9 min read
Read