Great minds think alike. A shame they didn't think to clarify...
Exactly, what are the criteria for "contains a vulnerability" when you are basically scanning an entire OS image which is likely to only execute a single binary?
Some of the major images have been stripped down to the minimal number of executables and libraries for the application to run, but even then they do not compile a custom version of every shared library that only includes the functions that are actually likely to get called.
You could for example create a Dockerfile that starts off by importing an entire Debian base system, then add a standard full Apache install and PHP interpreter. You then bundle in your 'application', which consists of a single PHP script with a single line that echoes the requesting user's IP address.
Let's say that the base Debian image contains an outdated version of apt which has a buffer overflow vulnerability. If the apt-get dist-upgrade command is executed with the -y flag then a malicious mirror can send a specially crafted response that executes arbitrary code... I assume that image contains a severe vulnerability (arbitrary code execution as root!)?
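One way to make the "does it actually execute?" criterion concrete is to triage scanner findings against a runtime inventory of what the container really ran. The script below is an added example, not code from anyone in this thread: the findings, file paths and inventories are constructed sample data, and the advisory ids are placeholders rather than real identifiers. It classifies the apt finding as dormant when the container only serves Apache and PHP, and as reachable when the entrypoint runs an apt-get upgrade at start-up.

```python
"""Triage container-image scanner findings by whether the flagged package
is ever executed in the running container.

Added example, not taken from the thread. The findings list, the file
paths, and the runtime inventories are constructed sample data; the
advisory ids are placeholders, not real identifiers.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str        # OS package the scanner flagged
    advisory: str       # advisory id as reported (placeholders here)
    severity: str
    files: tuple        # executables/libraries the package installs


# Constructed scanner output for an image like the one in the thread:
# full Debian base, Apache + PHP, and a one-line PHP script as the app.
FINDINGS = (
    Finding("apt", "CVE-PLACEHOLDER-1", "critical",
            ("/usr/bin/apt-get", "/usr/lib/apt/methods/http")),
    Finding("libc6", "CVE-PLACEHOLDER-2", "high",
            ("/lib/x86_64-linux-gnu/libc.so.6",)),
    Finding("vim", "CVE-PLACEHOLDER-3", "medium",
            ("/usr/bin/vim.basic",)),
)

# Constructed runtime inventories: every executable started and every
# shared object mapped while the container served traffic (in practice
# gathered from execve auditing and /proc/<pid>/maps).
INVENTORY_SERVE_ONLY = frozenset({
    "/usr/sbin/apache2",
    "/usr/lib/apache2/modules/libphp.so",
    "/lib/x86_64-linux-gnu/libc.so.6",
})

# Same container, but its entrypoint runs `apt-get dist-upgrade -y`
# against a mirror at start-up, so apt's code actually executes.
INVENTORY_UPGRADE_ON_START = INVENTORY_SERVE_ONLY | {
    "/usr/bin/apt-get",
    "/usr/lib/apt/methods/http",
}


def triage(findings, executed_paths):
    """Map each finding's advisory id to 'reachable' (some file of the
    package was executed or mapped at runtime) or 'dormant' (package is
    present in the image but nothing of it ever ran)."""
    verdicts = {}
    for f in findings:
        hit = any(path in executed_paths for path in f.files)
        verdicts[f.advisory] = "reachable" if hit else "dormant"
    return verdicts


def summarize(findings, executed_paths):
    """Count findings per (severity, verdict) so the exposure that can
    actually be exercised is visible next to the raw scanner count."""
    verdicts = triage(findings, executed_paths)
    return Counter((f.severity, verdicts[f.advisory]) for f in findings)


if __name__ == "__main__":
    for name, inv in (("serve only", INVENTORY_SERVE_ONLY),
                      ("upgrade on start", INVENTORY_UPGRADE_ON_START)):
        print(name, dict(summarize(FINDINGS, inv)))
```

File-level reachability is deliberately coarse: libc is mapped by every process, so its finding is "reachable" even when the vulnerable function is never called, which is exactly the shared-library point made above. It also says nothing about whether untrusted input can reach the affected code; it only separates packages that never run from those that do, which is usually the first cut a triage needs.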