Organizations today are shipping code faster than ever, but speed often masks a critical vulnerability. Many engineering teams mistakenly believe their applications are secure simply because their standard AppSec tools gave them a green light. In reality, they are blindly shipping unpatched, operating system-level vulnerabilities hidden deep inside their containers.

We recently hosted Eva Sarafianou, Senior Engineering Lead of Product Security & Release at Mattermost, and Chadd Owen, Solutions Architect at Anchore. The 60-minute discussion covered exactly how Mattermost successfully transformed its fragmented, manual scanning process into an automated, closed-loop security flywheel.

TL;DR: Traditional SCA tools miss critical infrastructure layer threats wrapped inside container images, making automated, closed-loop container scanning an absolute baseline requirement for modern DevSecOps. Watch the webinar >


Knowing what’s in your container isn’t enough. Learn how Mattermost turns visibility into automated, actionable security at scale with Anchore Enterprise.


Not ready to commit to a full webinar? Keep reading to get a taste for the discussion and how it will change your perspective on securing your software supply chain.

Don’t forget the OS in your containers

Developers frequently treat containers like standard binaries, focusing solely on the security of their application code and first-order dependencies. However, pulling a base image to build an application actually pulls in a sprawling tree of system libraries, package managers, and utilities.

“With containers, you aren’t only shipping an app. You’re shipping an entire OS. SCAs don’t have OS vulnerability visibility.”
—Eva Sarafianou, Senior Engineering Lead of Product Security & Release, Mattermost

Relying exclusively on standard software composition analysis (SCA) tools leaves massive blind spots in your infrastructure. Security teams need purpose-built container visibility to catch and remediate these underlying operating system-level threats before they ever reach a production environment.

A security flywheel for vulnerabilities

Manual security processes create disconnected silos, for example when security professionals have to pull images locally just to run CLI scanners. These manual audits force teams into a firefighting posture that bottlenecks high-velocity CI/CD pipelines.

“Anchore Enterprise finds vulnerabilities, creates tickets, coordinates vulnerability fixes, and scans again. The great thing is that it creates an automated loop.”
—Eva Sarafianou, Senior Engineering Lead of Product Security & Release, Mattermost

Integrating native scanning directly into your deployment pipelines (like GitHub Actions) fundamentally transforms development workflows. By automating the entire discovery-to-ticketing cycle, organizations can turn security from a disruptive, manual roadblock into an invisible guardrail that accelerates delivery.

Start safe, stay secure

Implementing continuous scanning is vital, but shrinking the attack surface at its origin acts as a massive force multiplier. Full Linux distributions carry hundreds of vulnerabilities out of the box, before a single line of proprietary code is even written.

“With Anchore Enterprise and distroless images, we’re not just scanning better…we are starting from a cleaner foundation.”
—Eva Sarafianou, Senior Engineering Lead of Product Security & Release, Mattermost

Swapping to minimal, “distroless” base images removes unnecessary shells and package managers that applications don’t actually need to run. This architectural shift inherently neutralizes entire classes of security threats and drastically reduces the baseline vulnerability count, making continuous monitoring far more precise.

Better data == less noise

Alert fatigue is the primary enemy of DevSecOps adoption. Legacy scanners often guess what software is installed based solely on package manager manifests, which routinely buries engineers under an avalanche of false positives and degrades trust in the security pipeline.

“At Anchore, we don’t make assumptions. We look at what’s on disk, what’s in the file system. The result is extremely accurate data.”
—Chadd Owen, Solutions Architect, Anchore

Deterministic, on-disk file scanning provides actionable intelligence rather than noise. By eliminating assumptions and looking at exactly what is compiled within the image, teams can drastically improve scan accuracy. This precision restores developer time, allowing engineers to focus exclusively on true positive vulnerabilities that represent genuine risk.
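The three points above (an image ships an OS layer that an application-manifest SCA never reads, a distroless base removes the shell and package manager, and an on-disk inspection disagrees with a manifest-only one) can be shown with a small inventory script. The example below is added here and is neither Anchore’s nor Mattermost’s code; it builds two constructed toy root file systems in a temp directory (a “full” Debian-style tree and a “distroless” one, with cut-down dpkg status and .list files, not copied from any real image), reads the OS package layer from `/var/lib/dpkg/status`, and then cross-checks the manifest against what is actually on disk. The function names, the sample package versions and the `vendored-tool` binary are all illustrative assumptions.

```python
import tempfile
from pathlib import Path

# Constructed sample data, not taken from any real image: cut-down dpkg status
# files. The curl entry is a package removed but not purged; dpkg records that
# as "deinstall ok config-files" and keeps the Version line in the file.
FULL_STATUS = """\
Package: bash
Status: install ok installed
Version: 5.2.15-2

Package: apt
Status: install ok installed
Version: 2.6.1

Package: libssl3
Status: install ok installed
Version: 3.0.11-1

Package: curl
Status: deinstall ok config-files
Version: 7.88.1-10
"""
DISTROLESS_STATUS = """\
Package: libc6
Status: install ok installed
Version: 2.36-9

Package: libssl3
Status: install ok installed
Version: 3.0.11-1
"""
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin")

def parse_dpkg_status(text):
    """Parse dpkg status stanzas into {name: (version, status)}."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in stanza.splitlines())}
        if "Package" in fields:
            pkgs[fields["Package"]] = (fields.get("Version", ""), fields.get("Status", ""))
    return pkgs

def dpkg_status(rootfs):
    return parse_dpkg_status(Path(rootfs, "var/lib/dpkg/status").read_text())

def package_files(rootfs, name):
    """Paths a package claims, from /var/lib/dpkg/info/<name>.list."""
    lst = Path(rootfs, "var/lib/dpkg/info", name + ".list")
    return lst.read_text().split() if lst.exists() else []

def os_packages(rootfs):
    """Installed OS packages: the layer an app-manifest SCA never reads."""
    return {n: v for n, (v, st) in dpkg_status(rootfs).items() if st.endswith("installed")}

def stale_manifest_entries(rootfs):
    """Manifest entries whose files are all gone from disk; a scanner keyed on
    Package/Version lines alone would still report them (a false positive)."""
    stale = {}
    for name, (version, _) in dpkg_status(rootfs).items():
        files = package_files(rootfs, name)
        if files and not any(Path(rootfs, f.lstrip("/")).exists() for f in files):
            stale[name] = version
    return stale

def unowned_binaries(rootfs):
    """Executables no package claims (e.g. a tool COPYed in by a Dockerfile);
    a manifest-only scanner misses these, a file-system walk sees them."""
    owned = {f for name in dpkg_status(rootfs) for f in package_files(rootfs, name)}
    found = []
    for d in BIN_DIRS:
        base = Path(rootfs, d)
        for p in (base.rglob("*") if base.is_dir() else []):
            rel = "/" + p.relative_to(rootfs).as_posix()
            if p.is_file() and rel not in owned:
                found.append(rel)
    return sorted(found)

def has_shell_or_package_manager(rootfs):
    """Tooling a running application does not need; distroless images omit it."""
    return any(Path(rootfs, p).exists() for p in ("bin/sh", "bin/bash", "usr/bin/apt", "sbin/apk"))

def _write(root, rel, text):
    p = Path(root, rel.lstrip("/"))
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)

def build_sample_images():
    """Lay out two toy rootfs trees in a temp dir: a full distro and a distroless one."""
    base = Path(tempfile.mkdtemp(prefix="rootfs-"))
    full, slim = base / "full", base / "distroless"
    _write(full, "var/lib/dpkg/status", FULL_STATUS)
    for pkg, path in {"bash": "/bin/bash", "apt": "/usr/bin/apt", "curl": "/usr/bin/curl",
                      "libssl3": "/usr/lib/x86_64-linux-gnu/libssl.so.3"}.items():
        _write(full, f"var/lib/dpkg/info/{pkg}.list", path + "\n")
        if pkg != "curl":  # curl's binary was deleted after install; its manifest entry stayed
            _write(full, path, "binary\n")
    _write(full, "/usr/local/bin/vendored-tool", "binary\n")  # no package owns this file
    _write(slim, "var/lib/dpkg/status", DISTROLESS_STATUS)
    for pkg, path in {"libc6": "/lib/x86_64-linux-gnu/libc.so.6",
                      "libssl3": "/usr/lib/x86_64-linux-gnu/libssl.so.3"}.items():
        _write(slim, f"var/lib/dpkg/info/{pkg}.list", path + "\n")
        _write(slim, path, "binary\n")
    return {"full": str(full), "distroless": str(slim)}

SAMPLE = build_sample_images()
```

Running the functions over `SAMPLE["full"]` lists three installed OS packages that a `go.mod` or `package.json` scan would never surface, flags `curl` as a manifest entry with nothing behind it on disk, and reports `/usr/local/bin/vendored-tool` as an executable no package record explains; over `SAMPLE["distroless"]` the same checks come back clean and no shell or package manager is present. Real images have hundreds of stanzas and directory entries in each `.list` file, so a production tool also handles other package databases (apk, rpm) and binaries identified by content rather than path; the point of the script is only to make the manifest-versus-disk gap concrete.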

What Else You’ll Discover in the Full Webinar

This container security evolution represents just one thread in a comprehensive discussion that tackles the most pressing operational challenges facing DevSecOps teams today.

The panelists also explore:

  • The Distroless Transition Barrier: How to ensure necessary system libraries are properly ported over when migrating to distroless images so application functionality doesn’t break.
  • Policy-as-Code Enforcement: The exact CLI commands used to automatically halt a CI/CD pipeline if non-compliant images violate NIST 800-53 regulatory standards.
  • Managing the Exceptions: How to implement automated allow-lists to safely manage temporary, business-critical exceptions without disrupting high-velocity deployments.

Watch the full webinar on-demand here to access all 60 minutes of expert insights, technical demonstrations, and audience Q&A.

The Bottom Line

Manual, fragmented vulnerability scanning is no longer a viable strategy for organizations shipping mission-critical software.

The technical demonstrations and strategic insights in this webinar show exactly how automated container scanning and minimal base images transform security operations from reactive firefighting into strategic threat management.

Ready to see the difference?

  1. 👉 Watch the full webinar on-demand
  2. Follow Anchore on LinkedIn for DevSecOps best practices.
  3. Subscribe to our newsletter for exclusive insights into software supply chain security.
