State of the Art of Container Security • Adrian Mouat & Charles Humble

Mar 27, 2026

Adrian Mouat, Developer Relations at Chainguard and author of Using Docker, focuses on container security and minimal distroless images. He discusses why base images go stale and how smaller images reduce risk. He explains building from source with Wolfi, the role and limits of SBOMs and attestations, and practices like immutability, short-lived credentials, and signing for safer supply chains.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

INSIGHT

Build From Source For Provenance

Building packages from source gives provenance and granular control, reducing hidden supply-chain risk.
Adrian Mouat explains Chainguard's Wolfi distribution builds everything from source and uses APKO to assemble minimal APK-based images.

ADVICE

Redeploy Fresh Images Not In-Place Updates

When an image needs updating, redeploy a fresh image rather than running in-place package updates.
Adrian Mouat references Google's practice of regularly replacing services to avoid accumulating outdated libraries and vulnerabilities.

INSIGHT

SBOMs Help Traceability But Need Coverage

SBOMs list software and versions but are limited until industry-wide coverage and tooling improve.
Adrian Mouat says Chainguard generates SBOMs at build time (not after the fact), improving accuracy and traceability for images they produce.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

This interview was recorded for GOTO State of the Art in November 2025.
https://gotopia.tech

Read the full transcription of this interview here:
https://gotopia.tech/articles/425

Adrian Mouat - Developer Relations at Chainguard & Author of 'Using Docker'
Charles Humble - Freelance Techie, Podcaster, Editor, Author & Consultant

RESOURCES
Adrian
https://bsky.app/profile/adrianmouat.com
https://twitter.com/adrianmouat
https://github.com/amouat
https://linkedin.com/in/adrianmouat
http://www.adrianmouat.com

Charles
https://bsky.app/profile/charleshumble.bsky.social
https://linkedin.com/in/charleshumble
https://mastodon.social/@charleshumble
https://conissaunce.com

Links
https://images.chainguard.dev
https://www.cisa.gov/sbom
https://www.chainguard.dev/supply-chain-security-101/the-npm-registry-cant-protect-you-the-new-javascript-supply-chain-attacks
https://oxide-and-friends.transistor.fm/episodes/discovering-the-xz-backdoor-with-andres-freund
https://edu.chainguard.dev

DESCRIPTION
In this State of the Art episode, Charles Humble speaks with Adrian Mouat, Developer Relations at Chainguard and author of "Using Docker", about the evolution of container security and the persistent challenge of outdated packages.

Adrian explains how traditional Linux distributions weren't designed for the immutable, frequently-replaced nature of containers, leading to security vulnerabilities that scanners detect but teams struggle to address. He discusses how Chainguard tackles this problem by building everything from source using Wolfi, creating minimal "distroless" images with near-zero CVEs, and how concepts like SBOMs, attestations, and defense in depth are reshaping security practices.

The conversation also covers major security incidents including the XZ Utils backdoor and Shai-hulud attacks, emphasizing the importance of building from source, using short-lived credentials, and replacing rather than updating containers – practices pioneered by companies like Google that are gradually spreading across the industry.

RECOMMENDED BOOKS
Adrian Mouat • Using Docker • https://amzn.to/3PEYIJL
Liz Rice • Container Security • https://amzn.to/3oU4iJe
Liz Rice • Kubernetes Security • https://www.oreilly.com/library/view/kubernetes-security/9781492039075

Bluesky
Instagram
LinkedIn
Facebook

CHANNEL MEMBERSHIP BONUS
Join this channel to get early access to videos & other perks:
https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/join

Looking for a unique learning experience?
Attend the next GOTO conference near you! Get your ticket: gotopia.tech

SUBSCRIBE TO OUR YOUTUBE CHANNEL - new videos posted daily!