These Are NOT the Vulnerabilities You Are Looking For: Hiding Vulnerabilities in Containers
Kyle Quest
BSides Seattle 2026 · Day 2 · Track 1
Kyle Quest, creator of the popular open-source tool **DockerSlim** (now called **MinToolkit**), demonstrates how container vulnerability scanners can be trivially deceived by removing or mutating the metadata they depend on -- reducing a container with 9,000 vulnerabilities to zero reported findings while leaving every vulnerability fully exploitable. The talk exposes a fundamental weakness in how the entire container security scanning ecosystem operates.
AI review
A devastatingly effective demonstration of a systemic weakness across the entire container vulnerability scanning ecosystem. Quest proves that removing three categories of metadata files blinds every major scanner -- Grype, Trivy, Snyk, Docker Scout, and OCI Scanner -- reducing 9,000 vulnerabilities to zero while leaving them fully exploitable. The live exploitation of a command injection in the 'clean' image is the perfect exclamation point.