ActiveState’s Container Hardening Guide provides a strategic framework for maintaining secure, low-to-no CVE container images in a landscape where 90% of organizations use containers in production.
The guide identifies four primary risks in standard container development: outdated base images pulled from public registries, complex dependency chains, misconfigured Dockerfiles, and overly permissive runtime environments. To mitigate these threats, ActiveState employs a "defense in depth" strategy built on two pillars: minimization and hardening. Minimization reduces the attack surface by removing unnecessary tools such as shells and package managers; hardening locks down the remaining components through secure defaults and restricted permissions.

The assembly process begins with a custom "distroless" base image that includes only essential runtime dependencies, such as glibc, which drastically reduces the footprint compared with a standard Linux distribution. A critical differentiator is ActiveState's commitment to building all open-source components from source. This SLSA-3 compliant process ensures supply chain trust, allows for deeper optimization, and enables rapid patching, often before upstream binaries are available. Every image undergoes rigorous automated testing, including functionality checks, size benchmarking, and multi-tool CVE scanning.

To ensure ongoing security, ActiveState rebuilds images nightly and adheres to strict remediation SLAs: seven days for critical and high CVEs and 14 days for all others. For vulnerabilities without an immediate fix, the company issues VEX advisories to provide transparency for customer SCA tools. By offloading the "undifferentiated engineering work" of manual patching and custom image maintenance, ActiveState allows teams to integrate verified, signed, and audit-ready containers directly into their CI/CD pipelines.
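As an added illustration of the minimization and hardening pillars described above (example code, not ActiveState's own Dockerfile or base image): a multi-stage Dockerfile that addresses the four risks, with the weak pattern left as comments for contrast. The base-image digests are placeholders to be replaced with digests you have resolved and reviewed, and gcr.io/distroless/base-debian12 stands in for the vendor-built distroless base.

```dockerfile
# syntax=docker/dockerfile:1

# --- Weak form: the pattern the guide warns about (kept as comments) ---
# FROM golang:latest            # floating tag from a public registry, never pinned
# COPY . /src
# RUN cd /src && go build -o /app ./cmd/app   # toolchain, shell and apt stay in the image
# CMD /app                      # shell form, runs as root on a writable root filesystem

# --- Hardened form ---
# Build stage: the full toolchain lives here and is discarded after the build.
# Pinning by digest freezes the exact base (PLACEHOLDER_BUILDER_DIGEST is not real).
FROM golang:1.22-bookworm@sha256:PLACEHOLDER_BUILDER_DIGEST AS builder
WORKDIR /src
# Copy the lock files first so the dependency layer is cached and reproducible.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Stripped binary; it links against glibc, which the runtime base below provides.
RUN go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Runtime stage: a distroless base carries glibc, CA certificates and tzdata,
# but no shell, no package manager and no build tools. Builder and runtime are
# both Debian 12 so the glibc the binary was linked against matches.
# (PLACEHOLDER_RUNTIME_DIGEST is a placeholder, not a real digest.)
FROM gcr.io/distroless/base-debian12@sha256:PLACEHOLDER_RUNTIME_DIGEST
COPY --from=builder /out/app /app
# Numeric UID/GID: the minimal image has no shell to run `id` and the numeric
# form needs no name lookup (distroless ships uid 65532 as "nonroot").
USER 65532:65532
# Exec form: the process starts without a shell, which the image does not contain.
ENTRYPOINT ["/app"]

# Runtime side (not part of the image): deny the "overly permissive runtime"
# by running with a read-only root filesystem, no capabilities and no privilege
# escalation, e.g.
#   docker run --read-only --cap-drop=ALL --security-opt=no-new-privileges \
#       --tmpfs /tmp app:1.0
```

With no shell or package manager in the final stage, `docker exec -it <id> sh` fails by design, so debugging has to happen in the builder stage or via an ephemeral debug sidecar rather than inside the production container.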