In the documentation we refer to our container images on several places, especially in installation documentation, where we have, besides others:

If immutable containers are your thing, then check out Debezium’s container images (alternative source on DockerHub) for Apache Kafka, Kafka Connect and Apache Zookeeper, with the different Debezium connectors already pre-installed and ready to go.

This and other mentioned of our container images may be interpreted by the users that the containers are production ready and fully supported. However, this is not the case - the images are build and provided only for testing, demo and evaluation purposes. We don't test the container images per se, we don't do any active security analysis of the content of the images and while we try to address all the security issues related to Debezium itself ASAP, we don't track Kafka and other base images for security update and don't update our base images when there is any security-related fix in the base images.

This should be clearly stated in our documentation, at least in the installation guide. Not sure how much detail we should provide, but at least we should mentioned that the images are not ready for production use and there may contain security vulnerabilities.

Maybe we can also provide a note that for production users should use containers provided by vendors which are able to provide all these securities scans, fixes and provide overall support for the container images.