We Knew Registry Scanning Wasn’t Enough. So We Built What Comes Next.
Let’s cut to the chase: scanning your entire container registry for vulnerabilities is a waste of time, compute, and attention. Most of those images will never be deployed. So why are you treating them like production risks? If you’re serious about improving your security posture, stop scanning everything and focus on what’s actually running.
What’s wrong with scanning everything?
Your registry is full of garbage – dev builds, abandoned tags, outdated versions. Scanning them all floods your system with CVEs that are completely irrelevant. You end up with alerts for vulnerabilities in images no one even remembers creating. Meanwhile, the real risks in your live environments are buried under piles of junk data.
This leads to wasted effort. Your team burns cycles triaging issues that don’t matter instead of fixing what’s actually exposed. And when the next doomsday CVE drops – like log4j, shellshock, or whatever’s next – you’re blind. You don’t have time to sort through irrelevant metadata. You need to know exactly where that vulnerable component is running right now. Registry-wide scanning won’t tell you that. You need fast, focused visibility to act decisively.
But what can I do about it?
You might think the solution is filtering the registry. In a perfect world, where tagging is consistent and naming conventions are strictly followed, you could filter out the noise by focusing on images tagged as prod or release, and even narrow it down to the latest or stable builds. That would at least reduce the surface area.
But here’s the catch: even prod or release tags aren’t enough. Tagging doesn’t tell you which version is running. You might have the newest version tagged correctly, but older versions could still be deployed across environments. The tag alone gives you zero deployment context. It tells you what was intended for production – not what’s actually running there.
This is where filtering breaks down. Registries simply don’t have deployment awareness. And let’s be honest – most registries are chaotic: inconsistent tags, messy naming, mixed environments. You can’t base a security strategy on best-case assumptions that don’t match reality.
So what if you could actually know what’s deployed?
Turns out, you can. Kubernetes already knows what’s live.
It knows which containers are running, where they’re running, and which image digests they came from. That’s your single source of truth.
When you combine Kubernetes runtime data with your registry scan, everything changes. Now you’re not guessing. You’re not relying on tag conventions or stale metadata. You’re scanning the exact set of images that are currently deployed. It’s clean, it’s accurate, and it’s immediately actionable.
The fix: Only scan what’s deployed
At Mend.io, we connect to both your registry and your Kubernetes clusters. Kubernetes gives us a real-time view of what’s actually running. We use that to identify the exact image digests in use, and then scan those images directly from the registry.
No sidecars. No runtime agents. No added cluster load. Just focused scanning of what matters most – the code that’s live in your environment.
How to do it right
Connect your scanner to both your registry and Kubernetes. Use Kubernetes as a live inventory source to identify running images, then trigger scans against those specific digests in the registry. This lets you reduce noise, eliminate wasted effort, and build a policy model around actual deployment visibility – not theoretical intent. Everything else can be deprioritized or scanned in the background when time allows.
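The inventory step described above, as an added example that is not Mend’s code: it parses the JSON that `kubectl get pods -A -o json` emits, keeps only pods that are still running, and pulls the image digest from each container’s `imageID` (the `image` field may be a tag; the digest is what the registry scan should target). The pod data is constructed, and two pods deliberately share the `prod` tag while running different digests, which is the case a tag-only filter cannot see.

```python
import json
import re
from collections import defaultdict

# Constructed sample of `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "api-1"},
     "status": {"phase": "Running", "containerStatuses": [
         {"name": "api", "image": "registry.example.com/shop/api:prod",
          "imageID": "registry.example.com/shop/api@sha256:" + "a" * 64}]}},
    {"metadata": {"namespace": "shop-staging", "name": "api-2"},
     "status": {"phase": "Running", "containerStatuses": [
         {"name": "api", "image": "registry.example.com/shop/api:prod",
          # some runtimes prefix the ID; the digest after '@' is what matters
          "imageID": "docker-pullable://registry.example.com/shop/api@sha256:" + "b" * 64}]}},
    {"metadata": {"namespace": "batch", "name": "job-1"},
     "status": {"phase": "Succeeded", "containerStatuses": [
         {"name": "job", "image": "registry.example.com/batch/job:v3",
          "imageID": "registry.example.com/batch/job@sha256:" + "c" * 64}]}},
]})

# repo@sha256:<64 hex>, with an optional runtime prefix such as docker-pullable://
DIGEST_RE = re.compile(r"^(?:[a-z-]+://)?(?P<repo>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def deployed_digests(pods_json: str) -> dict:
    """Return {repo@digest: {"tags": set, "pods": set}} for images that are live.

    Only pods in phase Running count: containers of Succeeded/Failed pods are no
    longer executing. Init and ephemeral containers are included because their
    images also ran on the node.
    """
    live = defaultdict(lambda: {"tags": set(), "pods": set()})
    for pod in json.loads(pods_json)["items"]:
        status = pod.get("status", {})
        if status.get("phase") != "Running":
            continue
        for cs in (status.get("containerStatuses", [])
                   + status.get("initContainerStatuses", [])
                   + status.get("ephemeralContainerStatuses", [])):
            m = DIGEST_RE.match(cs.get("imageID", ""))
            if not m:  # image not pulled yet, or no digest to hand to the scanner
                continue
            ref = f"{m['repo']}@{m['digest']}"
            live[ref]["tags"].add(cs.get("image", ""))
            live[ref]["pods"].add(f"{pod['metadata']['namespace']}/{pod['metadata']['name']}")
    return dict(live)


if __name__ == "__main__":
    for ref, info in sorted(deployed_digests(SAMPLE_PODS_JSON).items()):
        print(ref, sorted(info["tags"]), sorted(info["pods"]))
```

The returned digest list is the scan set; the tag and pod sets attached to each digest are what turns a CVE hit into a "this is running in namespace X" answer.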
Background scanning for hygiene
You still want to catch drift and tech debt eventually. Run full registry scans periodically – weekly, monthly, whatever makes sense. But keep that in the background. It’s not your main signal.
Bottom line
Security should reflect reality. Registry-wide scanning is a feel-good exercise that doesn’t improve your real risk profile. If you want better outcomes, scan where it matters – deployed containers. Kill the noise. Fix what’s real. See what’s actually running and secure it. Check out the Mend Kubernetes integration setup guide.