
From Base Images to Runtime Factories: Eliminating SCA Noise with Event-Driven Rebuilds
Most “secure” container pipelines are doing unnecessary work. They rebuild images every night. They rescan the same vulnerabilities. They ignore half the findings. And none of it reduces real risk.

Worse, it creates the wrong incentives. Teams spend time silencing scanners instead of reducing attack surface. Developers learn to ignore security signals entirely.

The real problem isn’t finding vulnerabilities. It’s knowing which ones actually matter. (This is the same problem we see in SAST—detecting vulnerable code is easy; proving it’s reachable is the hard part.) When scanners flag CVEs in code paths your application never executes, the signal breaks.

So we changed the model entirely. We stopped rebuilding containers on a schedule. Instead, we replaced base images with a Runtime Factory built on three constraints:

- Minimal OS surface (Wolfi)
- Declarative compilation (apko)
- Event-driven rebuilds (Rebuild only when risk changes)

Here’s how the model works.

1. Event-Driven Self-Healing (Th

