Over several decades, ActiveState has addressed a critical challenge in software development: securing the open-source landscape. However, this landscape is changing rapidly, and the way customers use open-source software has evolved. With the rise of cloud-native development, containers are increasingly becoming a popular delivery model for packaging and deploying software.
In November of last year, we announced several enhancements to further assist customers in identifying, managing, and remediating open-source risks, building on our nearly 30 years’ experience and secure open source catalog of more than 40M components. However, many customers working with containers still lacked a quick solution for container images laden with vulnerabilities.
That’s why we’re excited to announce ActiveState Secure Containers—our fully customizable, secure-by-default container images. These images leverage our open-source catalog featuring over 40 million unique artifacts to provide end-to-end image security from the base OS to application dependencies.
But wait, haven’t we heard this story before? In the last few months, we’ve seen several new entries into the secure, hardened container market. It’s apparent that more than ever, commercial container providers are being asked by their customers to secure the foundation. DevOps and Security teams want a plug-and-play solution that replaces vulnerable container images with trusted, low-to-no CVE versions rebuilt from the ground up.
However, we’ve observed that this problem is more complicated than simply securing the base layer of a container image.
The Challenge with Secure Containers
Although a market for hardened base images has emerged, these images typically only contain a fraction of what’s required to run most applications or offer limited customization options. To meet today’s complex and varied development needs, teams must further customize these images by manually building and securing multiple layers of application dependencies on top. This process forces teams to spend cycles creating the infrastructure to build and maintain these custom images. Worst of all, this process makes it easy to reintroduce vulnerabilities, as many popular dependencies pull from public repositories where provenance is difficult to prove.
While the industry has seemingly solved the challenge of secure base images, Security and DevOps teams need more than a secure starting point; they need to know that their container requirements, from the OS level to app dependencies, are assembled regularly from a known source and free from CVEs. The dream is end-to-end, vulnerability-free containers without burdening development teams with the manual work required to get there.
ActiveState’s Approach to Container Security
Our approach to container security doesn’t start and end with another distroless version of Linux (although that is a small part). Instead, our approach flips the script and begins by asking what needs to happen after securing the foundation.
While users of our images don’t need to adopt new tooling or change their usual workflows, we’ve built out three key pieces of technology that make end-to-end container security possible at scale.
It all begins with our industry-leading catalog of secure open-source components. Using the catalog, customers can access over 40 million secure components rebuilt from source to meet their unique application requirements. Need Python for ML use cases? We’ve got that. Need Java for web apps? We’ve got that too. How about Go, Perl, Node? We’ve got you covered. Our catalog is growing every day, supports the most popular open-source languages and ecosystems, and prevents vulnerable packages from entering the container environment.
However, customizing an image alone isn’t that useful if no mechanism exists to maintain it. To manage the container build process, we’ve tapped our automated and secure build system to perform and automate image customization. This tooling allows teams to offload the overhead of managing custom images and instead enables them to inherit unmatched speed, scale, and efficiency. Once assembled, images are rebuilt nightly with signed SBOMs and attestations and come with a standard remediation SLA of 7 days for critical CVEs and 14 days for all others. Further hardening is available on demand to achieve compliance standards such as FedRAMP, FIPS, etc.
Finally, none of this would have been possible if we hadn’t started by securing the base layer ourselves. Today, our first set of base container images has been made freely available via Docker Hub. These images cover many popular languages, including Python, Java, Node, and more, and use our newly developed distroless base image as the foundation. These images slot right into your CI/CD pipeline and provide a secure foundation for customization. In the future, additional containers will be made available at no charge.
What this means for you
By combining these three components, DevOps teams can point their CI/CD pipeline at a custom container image and trust that it’s secure, documented with full provenance, and cleanly built from the base layer up. With end-to-end container security solved, teams can:
- Stop the costly cycle of patching and remediation and spend more development cycles writing business-critical code.
- Curate a secure, regularly updated open-source repository to improve your security posture and create a scalable path to production for your applications.
- Use secure, custom containers to easily achieve and maintain complex compliance requirements without lengthy audit cycles.
- Elevate your container security with our Center of Excellence, providing expert, collaborative support. We’ll ensure your open source software is not only secure and compliant but also seamlessly woven into your existing operational processes.
Where do we go from here?
The entire ActiveState team is excited to extend our secure open-source support to containers. We’ve heard you: immediate security challenges require immediate solutions, and this release is the answer for any team looking to rapidly customize secure containers without compromising between security and functionality.
We are deeply committed to expanding our support for containers. In the coming months, we will increase the number of customizable base images available via Docker Hub and introduce a new browsable catalog that exposes our leading catalog of open-source components. Most of all, we’re excited to introduce our customers working with containers to what we’ve always done best: helping them discover, prioritize, and remediate open-source vulnerabilities across the enterprise.
Customize an image today.
If your team has struggled with assembling and maintaining custom images, or hasn’t realized the benefits it hoped to see from other secure image offerings, we’re here to help! We’ll ensure that every layer, from the OS to your application dependencies, is fully secured and ready for deployment.
Drop us a line today, and in just hours, we’ll build your first secure container image tailored to your application needs.