CIO Influence

ActiveState Survey Finds Container Security Gaps Expose Enterprises to Breach and Audit Risks


The company’s 2026 State of Vulnerability Management & Remediation Report reveals the tension between the strategic intent and operational reality of open source in enterprise software development

ActiveState, a global leader in open source language solutions and secure software supply chain management, today announced the release of its 2026 State of Vulnerability Management and Remediation Report. This year’s report, the “Container Security Edition,” surveyed 250 DevSecOps leaders across North America to uncover the critical security paradox facing modern enterprises: while container adoption has become universal, the maturity of security and compliance programs has failed to keep pace, leaving production environments vulnerable to attack.

The report highlights a startling disconnect between strategic intent and operational reality. According to survey respondents, while 100% of organizations report containerization as critical to their production strategy, 82% admit they’ve likely suffered at least one container-related security breach in the past 12 months. This widespread exposure is having tangible business impacts, with the data revealing that 78% of organizations have likely failed a compliance audit due to Common Vulnerabilities and Exposures (CVEs) present in their container images.

“The findings in our 2026 report serve as a stark wake-up call for enterprises relying on open source software and containers to drive their innovation,” said Stephen Baker, CEO of ActiveState. “We are seeing a massive gap between the ‘intent’ to secure the software supply chain and the ‘reality’ of daily development practices. When nearly every organization considers containers critical yet the vast majority are failing audits and suffering breaches, it’s clear that manual curation and traditional ‘golden images’ are no longer scaling. To protect the software development lifecycle, leaders must move toward automated, policy-enforced runtimes that remove the burden of remediation from their developers.”

The report delves deeper into the root causes of these security failures, identifying a “trust vs. practice” gap. Although 77% of DevSecOps leaders trust curated catalogs more than public registries, 90% still use lightly modified public images with little to no hardening. This reliance on public registries introduces significant risk, as unmonitored and outdated base images remain a primary vector for supply chain attacks and compliance violations.

DevSecOps leaders, security professionals, and engineering managers can download the full 2026 State of Vulnerability Management and Remediation Report to access complete data on container security trends, the impact of AI on remediation, and strategies for closing the compliance gap.
