Hacker News

Unfortunately, using dpkg and yum to detect installed software means this isn't a secure audit. Anyone can add known bad binaries after the fact and pretend to provide a "secure" base image. I'd be skeptical of trusting anything quay.io says is secure based on this scan.


It's intended to identify known security vulnerabilities, not identify malicious actors. Someone could add known bad binaries after the fact, but they could also add unknown bad binaries.
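To make the gap both comments are circling concrete, here is an added example (not Quay's scanner, not FlawCheck's code, not from anyone in the thread) of what a dpkg-database inventory sees versus what is actually on an image filesystem. It builds a constructed image root in a temporary directory with a fake `/var/lib/dpkg/status`, the matching `info/*.list` file lists, and one extra binary under `/usr/local/bin` that no package owns; the package names, versions, paths and function names are all assumptions for the demonstration. The same two inventory functions can be pointed at a real root (for example a `docker export` tarball unpacked into a directory) to run the check on a real image.

```python
"""
Added example: package-database inventory vs. filesystem inventory.

dpkg leaves two things a scanner can read without running anything:
  /var/lib/dpkg/status            installed packages and versions
  /var/lib/dpkg/info/<pkg>.list   files each package claims to own
A scanner that trusts only the first will happily report the package set
and never notice a file dropped in by a later Dockerfile layer.
Everything under "Constructed image contents" is made up for this demo.
"""
import tempfile
from pathlib import Path

# --- Constructed image contents (not from any real image) -----------------
STATUS = """\
Package: libssl1.1
Status: install ok installed
Version: 1.1.1n-0+deb11u3
Architecture: amd64

Package: coreutils
Status: install ok installed
Version: 8.32-4
Architecture: amd64

Package: removed-pkg
Status: deinstall ok config-files
Version: 0.1-1
Architecture: amd64
"""

FILE_LISTS = {
    "libssl1.1": ["/usr/lib/x86_64-linux-gnu/libssl.so.1.1"],
    "coreutils": ["/bin/ls", "/bin/cat"],
}

# Everything dpkg knows about, plus one binary a later layer dropped in.
IMAGE_FILES = FILE_LISTS["libssl1.1"] + FILE_LISTS["coreutils"] + [
    "/usr/local/bin/helper",        # registered with no package at all
]


def build_demo_image():
    """Create a throwaway directory laid out like an exported image root."""
    root = Path(tempfile.mkdtemp(prefix="img-"))
    info = root / "var/lib/dpkg/info"
    info.mkdir(parents=True)
    (root / "var/lib/dpkg/status").write_text(STATUS)
    for pkg, files in FILE_LISTS.items():
        (info / f"{pkg}.list").write_text("\n".join(files) + "\n")
    for f in IMAGE_FILES:
        p = root / f.lstrip("/")
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x7fELF")   # placeholder bytes, constructed
    return root


def installed_packages(root):
    """What a dpkg-based scan sees: {package: version} for installed entries."""
    status = (Path(root) / "var/lib/dpkg/status").read_text()
    pkgs = {}
    for stanza in status.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line and not line[0].isspace() and ":" in line:
                key, val = line.split(":", 1)
                fields[key] = val.strip()
        # Only "install ok installed" entries are actually unpacked on disk;
        # removed packages that left config files behind still have a stanza.
        if fields.get("Status") == "install ok installed":
            pkgs[fields["Package"]] = fields["Version"]
    return pkgs


def owned_files(root):
    """Union of every path listed in /var/lib/dpkg/info/*.list."""
    owned = set()
    for lst in (Path(root) / "var/lib/dpkg/info").glob("*.list"):
        owned.update(l.strip() for l in lst.read_text().splitlines() if l.strip())
    return owned


def unowned_files(root, search_dirs=("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                                      "/usr/local/bin", "/usr/lib")):
    """Files under search_dirs that no dpkg package claims.  A status-file
    scan cannot see these; it is exactly where an after-the-fact binary sits."""
    root = Path(root)
    owned = owned_files(root)
    found = []
    for d in search_dirs:
        base = root / d.lstrip("/")
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file():
                rel = "/" + p.relative_to(root).as_posix()
                if rel not in owned:
                    found.append(rel)
    return sorted(found)


if __name__ == "__main__":
    root = build_demo_image()
    print("dpkg inventory:", installed_packages(root))
    print("unowned files :", unowned_files(root))
```

The package inventory is what a version-against-advisory scan has to work with, so it answers the "known vulnerable package" question and nothing else; the unowned-files pass is the cheapest complement, since it needs no malware signatures to flag a binary that arrived outside the package manager. On a real image the unowned list will include legitimate items (pip or npm installs, compiled-from-source tools), so treat it as a review queue rather than a verdict.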


We have been doing vulnerability and malware scanning of images at FlawCheck.com for quite some time. If you are interested in scanning everything inside the image, we would be happy to demo it.



