by Kalium
1930 days ago
> I am baffled how anyone at Twistlock decided that this was a useful thing for their product to detect, or why any Twistlock customer trusts it given issues like this.

If I was injecting something malicious into your containers via updates, this is exactly how I would go about doing it and exactly what would catch it. What I'm seeing here is that Twistlock and other tools don't reliably do a good job of explaining why something is flagged in a way that's understandable and accessible to developers. Though honestly I've yet to find any approach to informing developers that actually works. My favorite was giving them a clear link in the error message about why the build was failing and how to fix it.