The State of Trusted Open Source Report
AI, Python, and the "Long Tail" of Risk: Key Takeaways from the State of Trusted Open Source Report
TL;DR
The rapid integration of AI into the software development lifecycle is driving a massive surge in both code production and vulnerability discovery. Key trends include a 73% jump in PostgreSQL usage for AI workloads, a 145% increase in unique CVEs, and the reality that 96% of CVE instances reside in "long tail" projects outside the top 20 most popular images.
The landscape of software development is moving at a velocity few predicted. As AI becomes embedded across the lifecycle—from automated code generation to infrastructure management—it is fundamentally reshaping how teams build, ship, and secure their applications.
The latest State of Trusted Open Source report, based on data from December 2025 through February 2026, analyzes over 2,200 unique container image projects and more than 33,000 vulnerability instances to provide a snapshot of modern production environments.
The AI Effect: Python and PostgreSQL Surge
The data confirms that the modern "AI stack" is standardizing rapidly. Python remains the king of the ecosystem, with 72.1% of all customers utilizing it, reflecting its status as the default language for machine learning and data pipelines.
However, the most significant growth was seen in databases. PostgreSQL usage grew by 73% quarter-over-quarter, the largest increase among all widely deployed images. This surge is directly linked to AI workloads, specifically the use of PostgreSQL for vector search and retrieval-augmented generation (RAG) through similarity-query extensions.
High-Velocity Development, High-Velocity Vulnerabilities
The adoption of AI-driven development tools has created a "tighter feedback loop" between creation and risk. The report highlights a staggering 145% increase in unique CVEs and over 300% more fixes applied compared to the previous quarter.
This explosion in vulnerabilities is attributed to two factors:
- Faster Development: More code is being written and more dependencies are being introduced into production at scale.
- Automated Discovery: Security researchers and bad actors are using AI to analyze code and identify vulnerabilities faster than ever before.
Despite this volume, remediation speeds have remained resilient. The median time to fix a vulnerability held steady at 2.0 days, with 97.9% of high-severity issues resolved within a single week.
The Danger of the "Long Tail"
One of the most critical findings for security leaders is where risk actually lives. While teams often focus their security efforts on popular "top-tier" images, the data shows that 96.2% of CVE instances occurred outside the top 20 most widely used images.
The average customer sources roughly 74% of their images from this "long tail." Because these dependencies are less visible and often not directly owned by core application teams, they represent the primary attack surface for modern enterprises. Attackers are intentionally moving away from high-visibility projects to exploit these "hidden" areas of the supply chain.
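To see how much of your own fleet's exposure sits in that long tail, the same top-N versus long-tail split can be run over an image inventory and a scanner report. The script below is an added example, not the report's or Chainguard's code; the inventory, the findings and the CVE ids are constructed placeholders, and n is a parameter (the report uses the top 20; the sample uses 5).

```python
"""Long-tail exposure check (added example, not the report's own code): how much
of a fleet's CVE volume sits outside its top-N images, and which tail images
need an owner first."""
from collections import Counter

# Constructed sample inventory: (image, number of running deployments).
DEPLOYMENTS = [
    ("python", 120), ("node", 90), ("nginx", 80), ("postgres", 75),
    ("chainguard-base", 60), ("redis", 40), ("go", 35), ("jdk", 30),
    ("legacy-pdf-tool", 4), ("internal-etl", 3), ("old-imagemagick", 2),
    ("ci-helper", 2), ("metrics-sidecar", 1),
]

# Constructed scanner output: (image, CVE id, severity). Ids are placeholders.
FINDINGS = [
    ("python", "CVE-PLACEHOLDER-0001", "medium"),
    ("node", "CVE-PLACEHOLDER-0002", "high"),
    ("legacy-pdf-tool", "CVE-PLACEHOLDER-0003", "critical"),
    ("legacy-pdf-tool", "CVE-PLACEHOLDER-0004", "high"),
    ("old-imagemagick", "CVE-PLACEHOLDER-0005", "high"),
    ("old-imagemagick", "CVE-PLACEHOLDER-0006", "medium"),
    ("internal-etl", "CVE-PLACEHOLDER-0007", "low"),
    ("redis", "CVE-PLACEHOLDER-0008", "medium"),
    ("ci-helper", "CVE-PLACEHOLDER-0009", "high"),
    ("unlisted-debug-image", "CVE-PLACEHOLDER-0010", "high"),  # not in inventory
]


def top_n_images(deployments, n):
    """Names of the n most-deployed images (the 'top tier')."""
    return {img for img, _ in sorted(deployments, key=lambda d: -d[1])[:n]}


def long_tail_report(deployments, findings, n=5):
    """Split CVE instances into top-N and long tail (the report uses n=20)."""
    top = top_n_images(deployments, n)
    known = {img for img, _ in deployments}
    # An image the inventory does not list is by definition long tail.
    tail = [f for f in findings if f[0] not in top]
    by_image = Counter(f[0] for f in tail)
    high = Counter(f[0] for f in tail if f[2] in ("high", "critical"))
    return {
        "top_images": top,
        "tail_cve_share": round(len(tail) / len(findings), 3) if findings else 0.0,
        "tail_image_share": round(sum(i not in top for i in known) / len(known), 3),
        "tail_hotspots": by_image.most_common(3),
        "tail_high_severity": dict(high),
        # Scanner saw these, inventory did not: nobody owns them yet.
        "untracked": sorted({f[0] for f in findings} - known),
    }
```

Calling long_tail_report(DEPLOYMENTS, FINDINGS) on the sample puts 80% of CVE instances in the tail and flags one image the scanner found that the inventory never listed, which is the first gap to close.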
Standardization and Customization: The Rise of "Base" Images
While the "long tail" is diverse, the foundational layer is becoming more standardized. Language ecosystems (Python, Node, Java, Go, and .NET) now account for more than half of the top 25 images used in production.
Interestingly, Chainguard-base—a minimal, distroless image with no toolchain—has become the 5th most-deployed image. This suggests a shift in platform engineering: instead of using bloated "off-the-shelf" images, 75% of customers are now customizing minimal base images by adding only the utilities (like curl, git, or jq) their CI/CD pipelines actually need.
Compliance Becomes a Baseline
The report also signals that regulatory requirements are no longer optional. For the first time, a FIPS-compliant image (python-fips) entered the top 10 most-used images. With 42% of customers now running at least one FIPS image, it is clear that frameworks like the EU Cyber Resilience Act and FedRAMP are pushing secure-by-default configurations into the mainstream.
Conclusion: Security as a System
As we move further into the AI era, the volume of code and the complexity of dependencies will only continue to scale. The primary challenge for organizations is no longer just "patching" but managing a sprawling ecosystem where the majority of risk is hidden in the long tail. Success will depend on treating security not as an afterthought, but as an integral part of the development system itself.