The acceleration of software development through Continuous Integration and Continuous Deployment (CI/CD) pipelines has profoundly reshaped the way modern applications are built, tested, and delivered. These practices enable rapid iteration, frequent releases, and faster innovation—but they also introduce new security risks [ 1–4 ]. In environments where container images are rebuilt and deployed multiple times a day, even a small vulnerability can rapidly propagate into production unless adequate controls are in place [ 5, 6 ].

In response to these concerns, the DevSecOps paradigm promotes the integration of security measures directly into the development pipeline [ 7 ]. Rather than applying security as a final checkpoint, DevSecOps encourages embedding tools for static and dynamic analysis early and continuously. Open-source scanners such as Trivy [ 8 ], Grype [ 9 ], and Semgrep make it possible to detect vulnerabilities in codebases, dependencies, and container images as part of the automated build process [ 10 ].

However, despite the availability of these tools, most scanning implementations operate in a point-in-time fashion: a vulnerability is detected, an alert is issued, and developers either fix it or suppress it. There is rarely any mechanism to retain and analyze scan data across builds, nor to assess whether the overall security posture is improving or regressing over time. This temporal blindness creates a missed opportunity for strategic decision-making, especially in long-running projects with frequent deployments and changing dependencies [ 11 ].

In real-world development, the security profile of an application evolves continuously. Base images are patched (or go unpatched), third-party libraries are updated, and insecure patterns may be introduced or removed. Without visibility into these changes, teams are forced to react to each issue in isolation, with no sense of whether their system is becoming more secure or accumulating technical security debt [ 12 ].

In this paper, we propose a lightweight, fully open-source approach for security regression tracking in containerized applications. Using Trivy by Aqua Security [ 8 ], we integrate vulnerability scanning directly into the CI/CD pipeline via GitHub Actions [ 13 ]. Each scan extracts severity-level vulnerability counts (Critical, High, Medium, Low), which are appended to a time-series CSV log. This data is then rendered using a web-based dashboard (Chart.js) that visualizes how vulnerability levels change across builds.

Our system is: 1. Self-contained and infrastructure-free (hosted entirely within the GitHub repository). 2. Reproducible, with every scan logged and versioned. 3. And extensible, allowing future integrations such as SBOM correlation, badge generation, or full CVE tracing.

To validate the approach, we conducted an experiment with a deliberately vulnerable container image. We introduced five progressive modifications, mimicking common development scenarios— partial fixes, regressions, dependency updates—and tracked the resulting scan output over time. This demonstrated the system’s ability to capture both improvements and degradations in a project’s security posture.

The primary goal of this research is to develop and evaluate a practical and transparent method to visualize the evolution of vulnerabilities in container images over time—something that is rarely supported out of the box in existing security tools. We aim to bridge the gap between DevSecOps automation and historical awareness, empowering development teams to track not just if they are secure, but how that security is evolving with each build.

The integration of security scanning within CI/CD pipelines has become a cornerstone of modern DevSecOps practices [ 14 ]. Numerous tools—including Trivy, Grype, and Snyk—offer automated vulnerability scanning at build time, enabling teams to shift security left and detect issues early in the software development lifecycle (SDLC). However, while static analysis and container scanning are now widely adopted, relatively few approaches provide mechanisms for tracking how security posture evolves over time.

A growing body of research has addressed vulnerability detection in container ecosystems. These studies typically focus on quantifying vulnerability prevalence, comparing scanner effectiveness, and assessing the impact of base-image choices [ 15 ].

Wist, Helsem, and Gligoroski [ 16 ] analyzed more than 2,500 Docker Hub images and discovered a high density of vulnerabilities in publicly available containers. Their findings showed that even official images are not immune to risk, though they generally fared better than communitymaintained variants. Importantly, they also highlighted a lack of correlation between image popularity and security, which implies that trusted sources may still harbor critical flaws.

Haque and Babar [ 17 ], in their empirical study Well Begun is Half Done, explored base image inheritance chains across 64,579 real-world GitHub projects. They found that a small number of vulnerable base images led to wide vulnerability propagation downstream, emphasizing the cascading risk of unpatched root layers. Their analysis demonstrates the importance of selecting and maintaining secure foundational images—yet, again, their focus was on static analysis, not temporal tracking.

Kaur et al. [ 18 ] extended this line of inquiry into scientific computing environments, evaluating container images used in disciplines such as neuroscience. Using four scanning tools including Trivy, they demonstrated that regular updates and minimal image design could reduce vulnerabilities by up to two-thirds. This reinforces the practice of image hygiene but also showed that scanner outputs vary significantly, introducing complexity when comparing risk across time or tools.

Another critical angle is explored by Zerouali et al. [ 19 ], who introduced the notion of technical lag—the difference between package versions in containers and their upstream releases. They studied over 7,300 Debian-based containers and concluded that even “latest” tags are often outdated, contributing to latent vulnerabilities and bug exposure. This illustrates that freshness alone is not a guarantee of security and that visibility into versioning gaps is essential.

Despite these contributions, most existing research provides a static snapshot of security status. Studies often benchmark a set of containers at one point in time without exploring how vulnerability profiles shift due to code changes, dependency updates, or changes in upstream images. As such, temporal awareness—how vulnerabilities increase or decrease across commits or builds—remains underexplored.

In addition to container-specific studies, recent research emphasizes the importance of integrating multi-layered security approaches within complex software ecosystems. Milevskyi et al. [ 20 ] propose a multi-contour security methodology for sociocyberphysical systems, highlighting the benefits of combining automated detection with layered protective controls. Similarly, Shevchuk et al. [ 21 ] demonstrate the design of secured authentication, authorization, and accounting services, which can be extended to CI/CD pipelines to enforce access policies and prevent misconfigurations that may introduce vulnerabilities. Lakhno et al. [ 22 ] further stress the role of decision-support systems in managing information protection, suggesting that automated guidance can improve security response times and reduce human error. Additionally, Vakhula et al. [ 23 ] explore cloud security challenges under dynamic orchestration, advocating for “security-ascode” approaches that can complement vulnerability tracking over time. Finally, Harasymchuk et al. [ 24, 25 ] show that structured information classification frameworks and predictive assessment with LLMs can aid in prioritizing remediation efforts, which aligns with the objective of monitoring how vulnerability profiles evolve across CI/CD builds.

Furthermore, few open-source projects address this gap in a reproducible, dashboard-based format that integrates directly with CI/CD. Available enterprise solutions (e.g., Snyk Monitor, GitHub Advanced Security) offer partial historical views, but they are often opaque, require paid plans, and do not easily integrate into custom DevSecOps workflows.

This paper proposes a solution to fill this void: a lightweight, automated, and fully open method for vulnerability trend monitoring in CI/CD. By leveraging Trivy for scanning, GitHub Actions for automation, and Chart.js [25] for visualization, we create a transparent and extensible framework that tracks vulnerability counts over time. This enables teams to assess not just whether vulnerabilities exist, but how their posture is evolving—bringing measurable, historical awareness into security automation.

To evaluate the effectiveness of our approach, we applied the pipeline to a series of deliberately crafted Docker images (v1 to v5), each representing different stages of software hardening or regression. For each version, a Trivy scan was performed via GitHub Actions, and results were appended to a CSV log, forming the data foundation for trend visualization.

The results demonstrate that even with minimal infrastructure, it is possible to gain significant insight into the evolving security posture of containerized applications. Our approach offers several practical advantages and surfaces important considerations regarding real-world DevSecOps adoption.

This paper presents a practical, reproducible method for visualizing vulnerability trends in containerized applications within CI/CD pipelines. By integrating Trivy scans with GitHub Actions and storing results in a time-series CSV format, we enable lightweight security regression trackin —a critical but often missing component of modern DevSecOps practices.

Unlike most point-in-time vulnerability detection tools, our implementation focuses on temporal awareness: understanding how a container’s risk profile evolves. This empowers development teams to make informed decisions, prioritize remediation, and identify the security impact of changes between builds.

The method is especially suitable for small teams, open-source projects, educational environments, and early-stage DevSecOps adoption. It lowers the barrier to historical security monitoring without requiring cloud-native platforms or commercial licenses.

In future work, we aim to extend the system to support full scan traceability, software bill of materials (SBOM) analysis, commit-to-scan correlation, and GitHub-based alerting mechanisms. Our goal is to make historical security awareness as integral to CI/CD as build status and test coverage are today.

While preparing this work, the authors used the AI programs Grammarly Pro to correct text grammar and Strike Plagiarism to search for possible plagiarism. After using this tool, the authors reviewed and edited the content as needed and took full responsibility for the publication’s content. Type II, in: Cybersecurity Providing in Information and Telecommunication Systems, 3991, 2025, 215–232. [25] Mozilla, Working with JSON. https://developer.mozilla.org/en-US/docs/Learn_web_ development/Core/Scripting/JSON [26] Microsoft, Create or Edit .csv Files to Import into Outlook. https://support.microsoft.com/enus/office/create-or-edit-csv-files-to-import-into-outlook-4518d70d-8fe946ad-94fa-1494247193c7 [27] Chartjs. Chartjs. https://www.chartjs.org/ [28] D. Fernández González, J. R. García, J. M. de Fuentes, SecDocker: Hardening the Continuous

Integration Workflow, SN Comput. Sci. 3:80 , 2022. doi:10.1007/s42979-021-00939-4 [29] Amazon, Best Practices for CI/CD Pipelines. https://docs.aws.amazon.com/prescriptiveguidance/latest/strategy-cicd-litmus/cicd-best-practices.html [30] S. Milevskyi, et al., Development of the Sociocyberphysical Systems Multi-Contour Security Methodology, Eastern-Eur. J. Enterp. Technol. 1/9 (127) (2024) 34–51.