If you are working with containers, you want to make sure they don't contain software with known CVEs. You don't want your image scanner to have blind spots that lull you into a false sense of security.
Well, that's exactly what happens if you
- Use Clair to scan something like distroless (no results at all)
- Use Trivy or Grype on software installed without a package manager (e.g. via tar), such as the Alpine variant of eclipse-temurin. The Java executable gets unpacked into /opt but is not recognized.
https://github.com/aquasecurity/trivy/issues/2098
https://github.com/anchore/syft/issues/994
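One way to check for the second blind spot yourself, as an added example that is not code from the original post or from Trivy, Grype or Syft: package-database scanners can only see what the package database lists, so any ELF binary on disk that no package claims (a JDK untarred into /opt, for instance) is a candidate blind spot. The script below parses Alpine's apk `installed` database (the record layout assumed here: records separated by blank lines, `P:` package name, `F:` directory, `R:` file inside that directory) and diffs it against the ELF files found in an exported root filesystem. The sample database and file listing are constructed for the demo; the `docker export` workflow for real use is an assumption.

```python
"""Find ELF executables in an image rootfs that no apk package record owns."""
import os
from typing import Dict, Iterable, List, Tuple

ELF_MAGIC = b"\x7fELF"


def parse_apk_installed(db_text: str) -> Dict[str, str]:
    """Map every file path owned by an apk package to the owning package name.

    Assumed format of /lib/apk/db/installed: blank-line separated records,
    P: = package, F: = directory, R: = file within the current F: directory.
    """
    owned: Dict[str, str] = {}
    pkg = ""
    cur_dir = ""
    for line in db_text.splitlines():
        if not line.strip():
            pkg, cur_dir = "", ""  # blank line ends the current package record
            continue
        key, _, value = line.partition(":")
        if key == "P":
            pkg = value
        elif key == "F":
            cur_dir = "/" + value.strip("/")
        elif key == "R" and pkg:
            owned[f"{cur_dir}/{value}"] = pkg
    return owned


def walk_rootfs(root: str) -> Iterable[Tuple[str, bytes]]:
    """Yield (path inside the image, first 4 bytes) for regular files under a rootfs."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                head = fh.read(4)
            yield "/" + os.path.relpath(full, root), head


def find_unmanaged_elf(owned: Dict[str, str],
                       files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return ELF files that no package owns: likely invisible to a package-db scanner."""
    return sorted(path for path, head in files
                  if head.startswith(ELF_MAGIC) and path not in owned)


def report(db_text: str, files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Convenience wrapper: parse the apk db, then diff it against the file listing."""
    return find_unmanaged_elf(parse_apk_installed(db_text), files)


# Constructed sample apk database: busybox and musl are package-managed.
SAMPLE_APK_DB = """\
P:busybox
V:1.35.0-r17
F:bin
R:busybox
F:usr/bin

P:musl
V:1.2.3-r0
F:lib
R:ld-musl-x86_64.so.1
"""

# Constructed sample rootfs listing (path, first bytes). The JDK under /opt
# was untarred by hand, so no apk record claims it.
SAMPLE_FILES = [
    ("/bin/busybox", ELF_MAGIC),
    ("/lib/ld-musl-x86_64.so.1", ELF_MAGIC),
    ("/opt/java/openjdk/bin/java", ELF_MAGIC),
    ("/opt/java/openjdk/lib/libjvm.so", ELF_MAGIC),
    ("/opt/java/openjdk/release", b"JAVA"),  # text file, not ELF, ignored
    ("/etc/passwd", b"root"),
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        # Real use (assumed workflow): point at a directory created by
        # `docker export <container> | tar -x -C <dir>`.
        root = sys.argv[1]
        with open(os.path.join(root, "lib/apk/db/installed")) as fh:
            hits = report(fh.read(), walk_rootfs(root))
    else:
        hits = report(SAMPLE_APK_DB, SAMPLE_FILES)
    for path in hits:
        print("unmanaged ELF:", path)
```

On the constructed sample this lists only the two files under /opt/java/openjdk; any hit in real output is a component you should expect the scanner to miss, and a prompt to either install it through the package manager or feed the scanner a separate SBOM for it.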