Container security incidents are becoming a routine reality for software teams, and the tools meant to protect them may be making the problem worse. That is the central finding of a new survey from BellSoft, which reveals that nearly one in four developers has already experienced a container-related security incident, while many organizations continue to rely on practices that expand their attack surface instead of reducing it.
The survey, conducted among 427 developers, found that 23% have encountered a container security breach. BellSoft notes that the most dangerous phase often comes after vulnerabilities are disclosed but before they are fixed, a window that can last weeks or months while exposed systems remain in production. Despite improvements in container platforms over the last decade, the study suggests that security fundamentals are still poorly understood and inconsistently applied.
At the core of the problem is a mix of human error, legacy habits, and overly complex tooling. Sixty-two percent of respondents said human mistakes were the biggest contributor to container security issues. Many developers still favor convenience over minimalism: 54% consider shells essential inside base images, and 39% rely on package managers. Both are useful during development, but in a production image they expand the attack surface: a shell gives anyone who gains code execution inside the container a ready-made toolkit for moving further, and a package manager allows the image to be modified at runtime while pulling in dependencies the application never calls, each of which still has to be tracked and patched.
More than half of respondents (55%) said they use general-purpose Linux distributions such as Ubuntu, Debian, or Red Hat-based images that contain hundreds of unused packages. Each of those packages represents a potential vulnerability that must be tracked, assessed, and patched—regardless of whether the application ever touches it. When flaws are discovered, security teams must coordinate remediation across thousands of containers, even when the risk is largely theoretical.
Most teams rely on reactive defenses rather than preventative design. The most common safeguards reported were trusted registries (45%) and vulnerability scanning (43%), which BellSoft characterizes as basic measures that respond to threats rather than minimizing them upfront. Patch cadence also remains inconsistent: while 31% update images with every release and 26% act when critical vulnerabilities appear, a full 33% update monthly, rarely, or only a few times a year, leaving long windows of exposure.
Despite these challenges, developers appear to recognize a better path forward. Nearly 48% said that pre-hardened, security-focused base images would be the most helpful improvement to container security. Such images remove unnecessary tools and packages by default, reducing vulnerabilities and shifting ongoing maintenance and patching responsibilities to specialized vendors.
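To make the contrast in the preceding paragraphs concrete, here is an added multi-stage Dockerfile that is not from the survey or from BellSoft. It places the general-purpose runtime image most respondents ship next to a minimal, shell-less one for the same application. The application layout (a Gradle-built Java service installed to build/install/app with main class com.example.Main), the stage names, and the base image tags are all assumptions for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Assumed for this example: a Java service that `./gradlew installDist` places
# under build/install/app, with main class com.example.Main. Image tags are
# assumptions, not content from the survey.

# Build stage. A general-purpose image is acceptable here: its shell, package
# manager and compiler never reach production unless they are copied out.
FROM eclipse-temurin:21-jdk AS build
WORKDIR /src
COPY . .
RUN ./gradlew --no-daemon installDist

# Anti-pattern: run on the same general-purpose distribution. /bin/sh, apt-get
# and hundreds of unrelated packages ship with the app, each one a CVE to
# track, and anyone who gets code execution has a full toolkit waiting.
FROM ubuntu:24.04 AS runtime-general
RUN apt-get update \
    && apt-get install -y --no-install-recommends openjdk-21-jre-headless \
    && rm -rf /var/lib/apt/lists/*
COPY --from=build /src/build/install/app /app
CMD ["java", "-cp", "/app/lib/*", "com.example.Main"]

# Hardened: a minimal runtime with no shell, no package manager and no
# compiler. Nothing to `docker exec` into, nothing to install at runtime, and
# the process starts as an unprivileged user rather than root.
# Exec-form ENTRYPOINT is mandatory here: with no /bin/sh present, shell-form
# commands cannot run. The classpath wildcard is expanded by java itself, so
# it does not depend on shell globbing.
FROM gcr.io/distroless/java21-debian12:nonroot AS runtime-minimal
COPY --from=build --chown=nonroot:nonroot /src/build/install/app /app
ENTRYPOINT ["java", "-cp", "/app/lib/*", "com.example.Main"]
```

Build the hardened variant with `docker build --target runtime-minimal -t app:minimal .` and the anti-pattern with `--target runtime-general` to compare package counts with an image scanner. A quick check that the minimal image really has no shell is `docker run --rm --entrypoint /bin/sh app:minimal`, which should fail at exec rather than drop into a prompt. Note that distroless images also publish `:debug` tags that add a busybox shell for troubleshooting; those are for local diagnosis and should not be the tag that reaches production.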
“Across every section of the survey, one message repeats consistently: teams want security, efficiency, and simplicity, but their current strategies and tooling make this difficult to achieve,” said Alex Belokrylov, CEO of BellSoft. “By adopting hardened images, much of the ongoing security and maintenance responsibility shifts to the image vendor, reducing operational burden and total cost of ownership, while enabling more stable, low-maintenance, and highly secure container environments.”
BellSoft’s findings suggest that as container usage continues to grow, organizations must rethink not just how they detect vulnerabilities, but how they design their container foundations, moving from reactive patching to proactive, minimal, and hardened runtime environments.
