Yes. Even images built internally are often based on external base images and can contain complete packages from open-source repositories. Given recent incidents of repository poisoning and weak governance of open-source projects, organizations must take charge of ensuring the security of components used in internally built images.