Blog

Ongoing Container Maintenance for Security and Compliance

Jonny Rivera

December 30, 2025

Building a secure base and compiling from source form the foundation of container security. But DevSecOps teams face a bigger challenge: proving that images remain secure and compliant over time.

Manual patching, dependency auditing, and compliance verification turn yesterday’s secure container into today’s liability. Your team needs automation.

In this blog, we’ll highlight how ActiveState Secure Containers provide a blueprint for DevSecOps teams to achieve ongoing container security.

Zero-CVE Testing and VEX Advisories

ActiveState Secure Containers pass through rigorous automated testing before distribution. The standard is simple: zero effective CVEs. Multiple SCA tools scan for vulnerabilities and verify hardening scores during pre-release testing. Continuous monitoring follows:

False Positives: When a CVE shows no exploitability or impact within the minimized container, we mark it as “not affected.”

VEX Advisories: ActiveState issues a Vulnerability Exploitability eXchange (VEX) document for all cases. Your team filters out scanner noise, focuses on genuine threats, and eliminates hours of manual triage work.

Continuous Security Through Managed Maintenance

ActiveState shifts the maintenance burden from your team to our managed service. We keep images secure and compliant without interrupting your workflow.

Nightly Rebuilds: We automatically rebuild every ActiveState container nightly from verified source components. Your images incorporate the latest security patches and updates without manual intervention.

Strict Remediation SLAs: Service-level agreements guarantee 5 days for Critical CVEs, 10 days for highs, and 30 days for all others. We handle the highest-priority, time-sensitive security work for you.

Verifiable Provenance for Audit Confidence

To support continuous compliance, every image ships with verifiable proof of its integrity.

Detailed SBOMs: Comprehensive Software Bills of Materials give you total, auditable visibility into all components, licenses, and security status.

Cryptographic Signing: We cryptographically sign images upon distribution, guaranteeing the image you pull remains untampered.

Close the Loop on Container Security


ActiveState frees your technical team to focus on product development instead of manual security maintenance. We automate the entire container building and maintenance lifecycle, keeping your managed service secure, compliant, and deployment-ready.

Why Choose ActiveState?

ActiveState manages the full, continuous lifecycle of your secure containers:

We save your team massive amounts of time and eliminate manual security overhead.

We provide the industry’s most rigorous maintenance standard, backed by nightly rebuilds and strict SLAs.

We ensure SLSA-3 compliant provenance and guarantee audit readiness.

This comprehensive, managed process protects you against the hundreds of millions of dollars in fines associated with breaches in regulated sectors.

Download the ActiveState Container Hardening Guide to see the whole end-to-end workflow in detail.

Frequently Asked Questions

Why isn't building a secure base image enough for ongoing container security

A container that passes every check at build time begins accumulating new exposure the moment it's deployed. New CVEs are disclosed continuously against the open source components inside it. Compliance requirements evolve. Base images drift from their original state as the surrounding dependency landscape changes. Without a structured process for rebuilding, rescanning, and revalidating images on a regular cadence, the security posture established at build time degrades over time — often silently, without any alert to the team running the workload. Ongoing maintenance isn't a secondary concern. It's where the security guarantee either holds or breaks down.

What is a VEX advisory and how does it reduce scanner noise?

A Vulnerability Exploitability eXchange (VEX) document is a machine-readable statement that describes whether a specific CVE is actually exploitable in a given component or container, given its build configuration and minimization. When a CVE has no exploitability or impact in a hardened, distroless container — because the vulnerable code path, shell, or package manager it would require has been stripped out — a VEX advisory marks it as "not affected." This allows your scanner to filter out false positives automatically rather than routing them to your triage queue as genuine findings. For teams running hardened images, VEX advisories can eliminate a significant portion of scanner output that would otherwise consume engineering time to investigate and close.

What do ActiveState's container remediation SLAs actually commit to?

ActiveState's remediation SLAs are contractual commitments, not targets. Critical CVEs are remediated within 5 business days, high-severity CVEs within 10 business days, and all other CVEs within 30 business days. The SLA is backed by nightly rebuilds: every ActiveState container is automatically rebuilt from verified source components each night, incorporating the latest security patches without requiring manual intervention from your team. When a new vulnerability is disclosed, the affected component is identified, a patched version is sourced from upstream, the container is rebuilt, rescanned, and redistributed — all within the SLA window and without your team having to open a ticket, coordinate a patch, or validate a rebuild.