Re: Age old problem.
You'd think there'd be some kind of automated dependency/security tool by now that realises that a dependency is out of date, updates it and rebuilds everything that was reliant on it (or contains an unannounced copy of it, which is far more likely!). But no.
You mean like dependabot or renovate? Combined with trivy for SAST scanning? Running on a schedule so you're aware of new vulnerabilities in existing code? No?
Docker doesn't hide things behind complexity/obscurity; it's simply a tool for packaging an application as an immutable container. Once you've got this container, you can apply things like trivy to it very simply. It actually makes all this stuff a lot easier.
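An added example, not code from any of the posters or from the Trivy project, of what the "run trivy on the container and act on it" step looks like once it has to block a pipeline or a scheduled rebuild rather than just print a table. It assumes the SchemaVersion 2 layout of `trivy image --format json` output (a top-level `Results` list, each entry carrying a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`); the report embedded below is constructed sample data with placeholder identifiers, not real advisories, and the threshold/fix-available policy is the author's assumption, not Trivy's.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output
# (SchemaVersion 2). Identifiers and package names are placeholders, not
# real advisories or real packages.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [
        {
            "Target": "example/app:1.0 (debian 12.4)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "",
                 "Severity": "HIGH"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "somelib",
                 "InstalledVersion": "0.9", "FixedVersion": "1.1",
                 "Severity": "MEDIUM"},
            ],
        },
        # Misconfiguration/secret results carry no "Vulnerabilities" key.
        {"Target": "app/config", "Class": "config"},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(report_text):
    """Flatten a Trivy JSON report into one dict per finding.

    Tolerates results with a missing or null Vulnerabilities list, which
    Trivy emits for non-package targets.
    """
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
            })
    return findings


def blocking_findings(findings, min_severity="HIGH", require_fix=True):
    """Findings that should fail the build: at or above min_severity and,
    when require_fix is set, with an upstream fixed version to move to.
    Unfixed findings are still reported by summarize(), just not blocking."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if require_fix and not f["fixed"]:
            continue
        blocking.append(f)
    return blocking


def summarize(findings):
    """Count of all findings by severity, fixed or not."""
    return dict(Counter(f["severity"] for f in findings))


def gate(report_text, min_severity="HIGH", require_fix=True):
    """Return (exit_code, blocking, summary); exit_code is 1 if anything blocks."""
    findings = load_findings(report_text)
    blocking = blocking_findings(findings, min_severity, require_fix)
    return (1 if blocking else 0), blocking, summarize(findings)


if __name__ == "__main__":
    # Usage: python gate.py report.json   (no argument runs the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, blocking, summary = gate(text)
    print("severity counts:", summary)
    for f in blocking:
        print(f"BLOCK {f['severity']:<8} {f['id']} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']} ({f['target']})")
    sys.exit(code)
```

Trivy itself can express this policy on the command line (`--severity`, `--ignore-unfixed`, `--exit-code`); the value of owning the gate logic is that the same report can be scored twice, once strictly for the build and once loosely for the scheduled scan, so an unfixable HIGH finding keeps showing up in the nightly summary without blocking every rebuild that cannot do anything about it.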