These Are NOT the Vulnerabilities You Are Looking For: Hiding Vulnerabilities in Containers

Many teams now treat container vulnerability scanners as a security gate: if the report is green, the release goes out.

This workshop explores what happens when container images are deliberately constructed to fool vulnerability scanners. By manipulating how packages, libraries, and file systems are represented in container images, it is possible to make thousands of real, exploitable vulnerabilities “disappear” from popular scanning tools while leaving the vulnerable code fully present and usable at runtime.

What will be covered:

  • How modern container scanners actually work under the hood (OS/package metadata, filesystem walks, SBOM heuristics, language-specific manifests, etc.).
  • A number of techniques for hiding vulnerable code from those scanners without patching anything, including:
    • Breaking the link between vulnerable libraries and package metadata.
    • Restructuring images and layers so scanners misclassify or ignore key files.
    • Using unconventional runtime layouts that runtime environments happily consume but scanners don’t fully understand.
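To make the first technique concrete, here is a small added example (not code from the workshop or any scanner vendor) modelling the two inputs a scanner can key on, the OS package database and the files actually on disk, and the evasion that separates them. The image, the dpkg stanza for `libexample1`, the library bytes and the advisory identifier `EXAMPLE-0001` are all constructed placeholders and do not correspond to any real package or advisory; only the `/var/lib/dpkg/status` layout is real. The point it demonstrates: a scanner that trusts package metadata alone reports nothing once the stanza is gone, while the vulnerable file is still present and a content-hash walk still finds it.

```python
"""Toy model of two container-scanner strategies and one metadata evasion.

Everything below is constructed for illustration: the in-memory "image",
the dpkg status text, the advisory entry and the library bytes are made up
and do not correspond to any real package, build or advisory.
"""
import hashlib
import re

# Constructed sample image: path -> file content. A real image is a stack of
# tar layers; a dict is enough to model what a scanner reads from it.
LIB_PATH = "/usr/lib/x86_64-linux-gnu/libexample.so.1.0.0"
LIB_BYTES = b"\x7fELF constructed placeholder for a vulnerable shared object"

DPKG_STATUS = """\
Package: libexample1
Status: install ok installed
Version: 1.0.0-1
Architecture: amd64

Package: bash
Status: install ok installed
Version: 5.2-2
Architecture: amd64
"""


def build_image():
    """Return the constructed image as {path: bytes}."""
    return {
        "/var/lib/dpkg/status": DPKG_STATUS.encode(),
        "/var/lib/dpkg/info/libexample1.list": (LIB_PATH + "\n").encode(),
        LIB_PATH: LIB_BYTES,
    }


# Hypothetical advisory feed keyed by Debian package name. "EXAMPLE-0001" is
# a placeholder identifier, not a real advisory.
ADVISORIES = {
    "libexample1": {"id": "EXAMPLE-0001", "affected_versions": {"1.0.0-1"}},
}


def parse_dpkg_status(text):
    """Return {package: version} for installed packages in a dpkg status file."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z-]+): (.*)$", stanza, flags=re.M))
        if fields.get("Status", "").endswith("installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def scan_by_metadata(image, advisories=ADVISORIES):
    """Strategy 1: trust the OS package database, as most scanners do first."""
    status = image.get("/var/lib/dpkg/status", b"").decode()
    findings = []
    for pkg, version in parse_dpkg_status(status).items():
        adv = advisories.get(pkg)
        if adv and version in adv["affected_versions"]:
            findings.append((adv["id"], pkg, version))
    return findings


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Hypothetical content-hash index: digest of a known-vulnerable build -> advisory.
# A real index would be derived from the distribution's own package archives.
VULNERABLE_HASHES = {sha256(LIB_BYTES): "EXAMPLE-0001"}


def scan_by_file_hash(image, index=VULNERABLE_HASHES):
    """Strategy 2: walk the filesystem and match file digests, ignoring metadata."""
    return sorted(
        (index[sha256(data)], path)
        for path, data in image.items()
        if sha256(data) in index
    )


def hide_package(image, pkg):
    """Evasion: drop the package's dpkg records but leave its files on disk.

    The shared object is still loadable at runtime; only the metadata the
    metadata-based scanner keys on is gone.
    """
    stripped = dict(image)
    status = stripped["/var/lib/dpkg/status"].decode()
    stanzas = [s for s in re.split(r"\n\s*\n", status.strip())
               if not s.startswith(f"Package: {pkg}\n")]
    stripped["/var/lib/dpkg/status"] = ("\n\n".join(stanzas) + "\n").encode()
    stripped.pop(f"/var/lib/dpkg/info/{pkg}.list", None)
    return stripped


if __name__ == "__main__":
    image = build_image()
    print("metadata scan, clean image :", scan_by_metadata(image))
    evaded = hide_package(image, "libexample1")
    print("metadata scan, evaded image:", scan_by_metadata(evaded))
    print("hash scan, evaded image    :", scan_by_file_hash(evaded))
```

The hash walk is the check a practitioner would add to a metadata-only gate, with one caveat: it only catches files whose exact digest is in the index, so a library that has been recompiled, stripped differently or relinked slips past it too. That is why the workshop's other two techniques (layer restructuring and unconventional runtime layouts) matter even against scanners that do walk the filesystem.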

No vendor-bashing, no product pitches, and no zero-day disclosures. This workshop is an honest look at where our current container vulnerability tooling falls short, and what we can do about it before adversaries fully exploit these blind spots.

Format

Workshop

When

March 5, 2026 10:00am-12:00pm

Where

Ballroom C

Speaker