Using Hardened Images
Understand how ImageSentinel hardens container images and how to use them effectively.
How Hardening Works
ImageSentinel applies multiple layers of hardening to every base image. Our process starts with a hardened minimal base and adds runtime-specific protections for each language and framework.
1. Base Layer Reconstruction
We rebuild base images from scratch on a minimal, hardened foundation to ensure every component is current, trimmed, and verifiable.
2. Vulnerability Scanning
Continuous scanning against NVD, OSV, and vendor advisories identifies and removes vulnerable packages.
3. Attack Surface Reduction
We remove unnecessary packages, shells, and utilities to minimize potential attack vectors.
4. Signing & Attestation
Every image is signed with Sigstore and includes SBOM and provenance attestations.
Available Images
We provide hardened versions of popular base images:
```
# Language runtimes
registry.imagesentinel.io/python:3.12-hardened
registry.imagesentinel.io/python:3.11-hardened
registry.imagesentinel.io/node:20-hardened
registry.imagesentinel.io/node:18-hardened
registry.imagesentinel.io/go:1.21-hardened
registry.imagesentinel.io/rust:1.74-hardened
registry.imagesentinel.io/java:21-hardened
# Base images
registry.imagesentinel.io/base:latest
registry.imagesentinel.io/static:latest
```
Image Variants
Each image comes in multiple variants to suit different use cases:
| Variant | Description | Use Case |
|---|---|---|
| :latest-hardened | Full image with shell | Development, debugging |
| :latest-minimal | No shell, minimal | Production workloads |
| :latest-static | Static binary only | Compiled languages (Go, Rust) |
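The variant table has a practical consequence for Dockerfiles: a final stage built on a no-shell variant cannot use shell-form `RUN`, `CMD` or `ENTRYPOINT`, and a final stage left on `-hardened` ships a shell into production. The following pre-build check is an added example, not ImageSentinel tooling. The function names are hypothetical, the suffix rules are read off the table above, and the `node:latest-minimal` tag in the sample is constructed from the page's image names and suffixes.

```python
import re

FROM_RE = re.compile(r"FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
EXEC_RE = re.compile(r"(RUN|CMD|ENTRYPOINT)\s+(?:--\S+\s+)*(.*)", re.I)

def logical_lines(text):
    """Yield (line_no, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or n
        buf += line.rstrip("\\") + " "
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf, start = "", 0

def lint_final_stage(dockerfile):
    """Lint the last stage (the shipped image); FROM <alias> resolves to its base."""
    aliases, image, shell_form = {}, None, []
    for n, instr in logical_lines(dockerfile):
        m = FROM_RE.match(instr)
        if m:
            image = aliases.get(m.group(1).lower(), m.group(1))
            if m.group(2):
                aliases[m.group(2).lower()] = image
            shell_form = []  # only instructions of the last stage matter
            continue
        m = EXEC_RE.match(instr)
        if m and not m.group(2).startswith("["):
            shell_form.append((n, m.group(1).upper()))
    if not (image or "").startswith("registry.imagesentinel.io/"):
        return ["final stage is not based on a registry.imagesentinel.io image"]
    tag = image.rsplit(":", 1)[-1]
    if tag.endswith("-hardened"):  # table: full image with shell
        return [f"{image}: variant ships a shell (development/debugging)"]
    if tag.endswith(("-minimal", "-static")):  # table: no shell
        return [f"line {n}: shell-form {kw} needs /bin/sh, absent in :{tag}"
                for n, kw in shell_form]
    return []

# Constructed sample: shell-form RUN is fine in the build stage, not in the final one.
SAMPLE = """\
FROM registry.imagesentinel.io/node:20-hardened AS build
RUN npm ci --omit=dev
FROM registry.imagesentinel.io/node:latest-minimal
CMD node /app/server.js
"""
```

Rewriting the last instruction in exec form, `CMD ["node", "/app/server.js"]`, clears the finding.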