Blog

Introducing: The ActiveState Secure Container Catalog

Jonny Rivera

November 12, 2025

Let’s address the elephant in the room.

Back in June, we launched ActiveState Secure Containers, our low-to-no CVE container images built from source with full provenance and transparency. It was our answer to one of the biggest headaches in modern DevSecOps, and we were (and still are) pretty excited about it.

But here’s the thing: if you wanted to actually browse those images, evaluate their security metrics, or compare them to community alternatives? Well, you had to head to DockerHub, pull them, and run your own testing. Not exactly the most seamless experience.

Starting today, we’re fixing that.

Introducing the ActiveState Secure Container Catalog

We’re excited to announce the launch of the ActiveState Curated Catalog — a dedicated tool to provide developers, DevOps engineers, and security teams a comprehensive view of our secure container images. No more third-party registries. No more hunting for security information. Just straightforward access to everything you need to evaluate, compare, and pull the images your team needs.

You can see the catalog in action below!

<p>Browse the Catalog</p>

Built for Teams Who Need to Do Their Due Diligence

The ActiveState Secure Container Catalog is built specifically for teams who need to do their due diligence before adopting secure containers. When we talk to development teams about container security, we hear the same frustrations repeatedly:

Developers are tired of spending valuable time triaging CVEs, while Security professionals are stuck trying to enforce policy without slowing development. The dream isn’t complicated: teams want open source to accelerate development, not create endless security work.

The ActiveState Secure Container Catalog addresses these pain points head-on by surfacing the image attributes that actually matter. Every image in the catalog displays the data critical for technical evaluation, including:

  • Real-time vulnerability data: Up-to-date CVE count by severity, refreshed daily
  • VEX advisories: Clear visibility into which vulnerabilities actually pose risk
  • Complete component transparency: Every package, version, and license in the image
  • Build-time SBOMs: Full software bill of materials for compliance requirements
  • Architecture and compatibility: Know exactly what you’re pulling before you pull it

But here’s where it gets even better: the catalog displays ActiveState images alongside their community-maintained counterparts, allowing you to instantly compare security postures, component lists, and vulnerability profiles side by side.

Ready to See the Difference?

No more jumping between registries, no more manual security testing, no more guesswork.The ActiveState Secure Container Catalog is now live with no sign-up required.

Frequently Asked Questions

What is the ActiveState Secure Container Catalog and what can I find there?

The ActiveState Secure Container Catalog is a dedicated browsing and evaluation tool available at catalog.activestate.com that gives developers, DevOps engineers, and security teams a complete view of ActiveState's secure container images before pulling them. Each image in the catalog displays real-time CVE counts by severity refreshed daily, VEX advisories that clarify which vulnerabilities actually represent exploitable risk, a full component list including every package, version, and license, build-time SBOMs for compliance documentation, and architecture and compatibility information. The catalog also displays ActiveState images alongside their community-maintained counterparts, so teams can compare security postures and component lists side by side rather than having to pull images and run separate testing to understand the difference.

How is the ActiveState Secure Container Catalog different from DockerHub or other public registries?

Public registries like DockerHub are distribution platforms. They serve images but do not provide the security evaluation data that teams need to make an informed decision before adopting an image. To assess the security posture of a community image from DockerHub, a team typically has to pull the image, run a scanner, interpret the results, and then manually compare against alternatives. The ActiveState Secure Container Catalog surfaces that information directly in the browsing experience, including CVE severity breakdowns, VEX advisory context, complete SBOM data, and a direct side-by-side comparison against community alternatives, so due diligence happens before the pull rather than after.

What is a VEX advisory and why does the catalog surface them alongside CVE counts?

A CVE count tells you how many known vulnerabilities exist in a component. A VEX (Vulnerability Exploitability eXchange) advisory tells you whether those vulnerabilities are actually exploitable given the specific build configuration of the image. A hardened, minimal container may include a component that has a CVE, but if the vulnerable code path requires a shell or package manager that has been stripped out of the image, the vulnerability has no practical attack surface. Without VEX context, scanner output can inflate the apparent risk of a well-hardened image. The catalog surfaces VEX advisories alongside CVE counts so teams can evaluate actual exploitable risk rather than raw vulnerability counts, which is the relevant metric for a security decision.