“Secure Containers”, “Hardened Images”, “Low-to-No CVE Container Images”…
If you or your team has recently been tasked with improving container security, this is just a small sampling of the terminology you may see when evaluating potential solutions.
As container security continues to evolve into a board-level priority, so has the language used to describe the security practices that surround them. Unfortunately, this language isn’t always consistent. Terms such as minimal image, hardened image, and secure image are often used interchangeably, typically to imply that a container is safe from vulnerabilities. Yet in reality, each of these terms has specific meaning, each describing a slightly different layer of protection.
In this blog, we’ll break down some of the most common terminology found in the container security space, how they relate to one another, and what to look out for when evaluating solutions for container security posture. Understanding the differences isn’t just semantics; it’s essential for knowing where your team stands today and how to improve going forward.
What is a Minimal Image?
A minimal container image describes the practice of including only the components that are absolutely necessary for an application to run within the image. By removing software such as shells (like bash or sh), package managers (such as apt), and debugging tools, minimal images dramatically reduce the number of potential vulnerabilities. The logic is simple: fewer components means a smaller attack surface.
The concept of minimization can also be applied to the components that make up a container image. In addition to limiting the number of overall components, it’s possible to strip other unnecessary elements such as files and directories that aren’t needed in the final image, documentation, specific libraries, debug symbols, and more! While careful testing is required to ensure image functionality remains intact, the reward is a smaller, cleaner, and more secure image.
Key Benefits Include:
- Faster pull times and easier distribution
- Reduced attack surface
- Simplified license and compliance management
However, a minimal image doesn’t automatically mean it’s secure. While the unnecessary packages may be gone, what remains still needs to be configured and maintained correctly.
What is a Hardened Image?
A hardened container image goes a step beyond minimalism. After stripping elements out of a container, hardening focused on locking down what remains and enforcing secure configurations. Secure defaults, restricted permissions, and careful configuration make it harder for attackers to gain a foothold.
Techniques for Hardening may include:
- Restricting user privileges
- Enforcing read-only file systems
- Disabling unnecessary services or network access
That said, teams do need to be aware of the impact these changes may have on the languages, packages, and software running in your container. Similar to stripping containers of unnecessary components or files, over-hardening can break functionality if the application expects access to resources that are no longer available. Teams should always test hardened images to confirm they still meet performance and usability requirements.
Ultimately, a hardened image is about resilience. By combining both minimization and container hardening best practices it ensures that even if a vulnerability goes unfixed, exploitation becomes significantly more difficult. What a hardened container doesn’t promise is that it will stay that way.
What is a Secure Image?
A secure (or low-to-no CVE) container image brings these practices together, combining minimization, hardening, and ongoing maintenance to complete the picture. Together, these practices create “defense in depth.” Instead of only reacting to CVEs once discovered, secure images are designed to proactively reduce the chance of vulnerabilities existing in the first place.
A container image that was secure last week may be vulnerable today if new CVEs are disclosed. That’s why secure images are typically tied to remediation SLAs, ensuring critical vulnerabilities are patched and rebuilt within defined timeframes.
Secure container images also typically provide the required metadata, and cryptographic artifacts to prove that everything within the image is what it says it is. With the rise of supply chain attacks (such as the challenges faced by the npm repository), trust is critical for maintaining overall security and compliance.
A secure container image typically includes:
Trusted provenance: Every component is built from verified source, not precompiled binaries from unknown origins.
Cryptographic signing: Images are signed to verify authenticity and detect tampering.
Detailed SBOMs (Software Bills of Materials): Every dependency and its version are documented for visibility and compliance.
Continuous monitoring and remediation: New vulnerabilities trigger rebuilds and patches under defined SLAs.
VEX advisories: Notifications that clarify whether a discovered CVE truly impacts the image.
In short, a secure image is a maintained image. It’s continuously rebuilt, revalidated, and re-signed as dependencies evolve and new CVEs are discovered.
How Do Minimal, Hardened, and Secure Images Relate?
Minimal, Hardened, and Secure container images are all interrelated. Instead of thinking about these terms as totally isolated topics, it helps to think about them as three stages in a maturity model for container security.
| Stage | Focus | Example | Goal |
| Minimal Image | Remove unnecessary components | A distroless base image with no shell | Reduce attack surface |
| Hardened Image | Lock down configurations and permissions | A non-root Nginx image with read-only filesystem | Prevent exploitation |
| Secure Image | Ensure provenance, integrity, and maintenance | A cryptographically signed image with SBOM and CVE remediation SLA | Sustain long-term trust, security and compliance |
Each stage builds on the previous one. Minimization creates the foundation, hardening strengthens it, and security ensures its ongoing reliability.
Why Do These Distinctions Matter?
Without clear definitions, it’s easy to overestimate the security of your containers. Many “secure” images in public registries are simply minimized, not hardened, and rarely maintained. Container security failures often stem from assuming that less automatically means safe. But minimal images can still be vulnerable, and hardened images can still drift out of compliance if not maintained.
The distinctions between these terms clarify where your current processes sit and where the gaps are:
- If your base image comes from a public registry, it’s likely minimal at best.
- If you apply runtime restrictions and configuration policies, you’re moving toward hardening.
- If you maintain full provenance, signing, and SLAs, you’ve reached the secure stage.
ActiveState Secure Containers
At ActiveState, we’ve built our Secure Containers to embody each of these principles in full.
Every image has been fully minimized and hardened, every component built from source, and each image is tested, signed, and published with a complete SBOM and VEX advisory to ensure full transparency.
More importantly, we don’t stop at release. Our images are rebuilt nightly, monitored for new CVEs, and remediated within strict SLAs (7 days for critical vulnerabilities, 14 for all others). This allows teams to maintain vulnerability-free containers without the overhead of manual patching.
In other words, we’ve taken the philosophy behind “minimal,” “hardened,” and “secure” and turned it into a repeatable, automated process so teams can focus on building new applications, not managing the complexities of container security.
Join Us October 28th!
To learn more about image hardening and minimization, join us on October 28th at 11:00am EST for a free webinar – Securing the Pipeline: Turning Vulnerable Containers into Trusted Assets
In this 20-minute session, we’ll walk through practical strategies to harden your images, lock down your dependencies, and secure your CI/CD pipelines against software supply chain attacks. We hope to see you there!
