Enterprise-grade Container Security Features

Deep dive into the security features that make ImageSentinel the choice for engineering teams who take supply chain security seriously. From CVE-free images to automated patching.

Security Features

CVE-free Container Images

Every image delivered by ImageSentinel is scanned and verified to have zero known critical or high-severity vulnerabilities. Our continuous monitoring ensures your images stay clean.

  • Continuous vulnerability scanning against NVD, OSV, and vendor advisories
  • Automatic patching of discovered vulnerabilities within hours
  • Detailed vulnerability reports with remediation guidance
  • Integration with your existing security tools and dashboards
terminal
# Pull a hardened Python image
docker pull registry.imagesentinel.io/python:3.12-hardened

# Verify zero CVEs
imagesentinel scan registry.imagesentinel.io/python:3.12-hardened

✓ Image scanned successfully
✓ Critical vulnerabilities: 0
✓ High vulnerabilities: 0
✓ Image is production-ready

Hardened Minimal Base

Built on a hardened minimal base designed for containers. No shell, no package manager, no legacy OS baggage—just what your app needs to run.

  • Minimal runtime surface to shrink the attack window
  • Deterministic builds suitable for supply-chain verification
  • High compatibility via language-specific runtimes (Node, Python, Java, etc.)
  • Daily rebuilds/refresh policies to keep runtimes current
Dockerfile
# Example multi-stage Dockerfile with a hardened runtime
# 1) Build stage: a full image with npm, so build tooling is available
FROM node:20-bookworm AS build
WORKDIR /app
COPY package*.json ./
# Install dev dependencies too; the build step below needs them
RUN npm ci
COPY . .
RUN npm run build
# Drop dev dependencies so they never reach the runtime image
RUN npm prune --omit=dev

# 2) Runtime stage (hardened minimal base, same registry as the other examples)
FROM registry.imagesentinel.io/node:20
WORKDIR /app
COPY --from=build /app ./
# Minimal base has no shell; the base image's entrypoint is the node binary,
# so CMD is only the script to run
CMD ["server.js"]

Cryptographic Image Signing

Every image is signed using Sigstore's keyless signing infrastructure. Verify the authenticity and integrity of your images before deployment with a single command.

  • Keyless signing with Sigstore Cosign
  • Transparency log entries for all signatures
  • Easy verification in CI/CD pipelines
  • Policy enforcement with admission controllers
terminal
# Verify image signature
cosign verify registry.imagesentinel.io/python:3.12-hardened \
  --certificate-identity-regexp=".*@imagesentinel.io" \
  --certificate-oidc-issuer="https://accounts.google.com"

Verification for registry.imagesentinel.io/python:3.12-hardened --
The following checks were performed:
✓ Transparency log entry verified
✓ Signature verified against certificate
✓ Certificate chain verified

Complete SBOM Generation

Every image ships with a complete Software Bill of Materials in SPDX and CycloneDX formats. Know exactly what's in your containers for compliance and security audits.

  • SPDX and CycloneDX format support
  • Full dependency tree with versions
  • License information for compliance
  • VEX (Vulnerability Exploitability eXchange) attestations
sbom.json
# Download SBOM for an image
imagesentinel sbom registry.imagesentinel.io/python:3.12-hardened \
  --format cyclonedx --output sbom.json

# Example SBOM output
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "type": "library",
      "name": "python",
      "version": "3.12.1",
      "purl": "pkg:deb/debian/python3.12@3.12.1"
    }
  ]
}
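The SBOM and VEX attestations described above are what make the "zero critical or high" gate from the CVE-free section auditable: an engineer can match the components in the SBOM against an advisory feed and subtract the findings the vendor's VEX statement marks as not affected. The following Python script is an added example of that workflow, not ImageSentinel code. Its SBOM excerpt, advisory list (placeholder identifiers, not real CVEs), and CycloneDX VEX document are all constructed inline, and `version_key` is a deliberately simplified numeric comparison rather than Debian's full version ordering.

```python
import json
import re
from typing import Any

# Constructed CycloneDX 1.5 SBOM excerpt, shaped like the sbom.json above.
# Sample data for this example, not a real ImageSentinel SBOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "python", "version": "3.12.1",
     "purl": "pkg:deb/debian/python3.12@3.12.1"},
    {"type": "library", "name": "openssl", "version": "3.0.11",
     "purl": "pkg:deb/debian/openssl@3.0.11"},
    {"type": "library", "name": "zlib", "version": "1.2.13",
     "purl": "pkg:deb/debian/zlib1g@1.2.13"}
  ]
}"""

# Constructed advisory feed. Identifiers are placeholders, not real CVEs.
# "fixed" is the first package version that carries the fix.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "purl_prefix": "pkg:deb/debian/openssl",
     "fixed": "3.0.12", "severity": "high"},
    {"id": "EXAMPLE-2024-0002", "purl_prefix": "pkg:deb/debian/zlib1g",
     "fixed": "1.2.14", "severity": "medium"},
    {"id": "EXAMPLE-2024-0003", "purl_prefix": "pkg:deb/debian/python3.12",
     "fixed": "3.12.0", "severity": "critical"},  # already fixed in 3.12.1
]

# Constructed CycloneDX VEX document: the vendor states that the zlib
# finding does not affect this image because the vulnerable code is unreachable.
VEX_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "EXAMPLE-2024-0002",
     "affects": [{"ref": "pkg:deb/debian/zlib1g@1.2.13"}],
     "analysis": {"state": "not_affected",
                  "justification": "code_not_reachable"}}
  ]
}"""


def version_key(version: str) -> tuple[int, ...]:
    """Simplified numeric comparison key; real Debian ordering is richer."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def split_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/ns/name@version' into (prefix, version)."""
    prefix, _, version = purl.partition("@")
    return prefix, version


def not_affected_pairs(vex: dict[str, Any]) -> set[tuple[str, str]]:
    """Collect (advisory id, purl) pairs the VEX document marks not_affected."""
    pairs = set()
    for vuln in vex.get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") != "not_affected":
            continue
        for target in vuln.get("affects", []):
            pairs.add((vuln["id"], target["ref"]))
    return pairs


def findings(sbom_json: str, advisories: list[dict], vex_json: str) -> list[dict]:
    """Match SBOM components against advisories, then apply VEX suppressions."""
    sbom = json.loads(sbom_json)
    suppressed = not_affected_pairs(json.loads(vex_json))
    out = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        prefix, version = split_purl(purl)
        for adv in advisories:
            if adv["purl_prefix"] != prefix:
                continue
            if version_key(version) >= version_key(adv["fixed"]):
                continue  # installed version already carries the fix
            status = "not_affected" if (adv["id"], purl) in suppressed else "affected"
            out.append({"id": adv["id"], "purl": purl,
                        "severity": adv["severity"], "status": status})
    return out


def passes_policy(results: list[dict], fail_on=("critical", "high")) -> bool:
    """Gate: no unresolved finding at or above the configured severity."""
    return not any(f["status"] == "affected" and f["severity"] in fail_on
                   for f in results)


if __name__ == "__main__":
    results = findings(SBOM_JSON, ADVISORIES, VEX_JSON)
    for f in results:
        print(f)
    print("policy passed:", passes_policy(results))
```

With the constructed data, the openssl finding is unresolved and rated high, so the gate fails; the zlib finding is listed but suppressed by the VEX statement, and the python advisory is skipped because the installed version already carries the fix. Keeping suppressed findings in the output rather than dropping them is deliberate: auditors want to see what was waived and why.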

Automated Patching Pipeline

Set up once, stay secure forever. ImageSentinel automatically rebuilds and patches your images when new vulnerabilities are discovered, without any manual intervention.

  • Webhook notifications for new image versions
  • GitHub Actions and GitLab CI integration
  • Configurable auto-update policies
  • Rollback support with image versioning
.github/workflows/update-images.yml
# .github/workflows/update-images.yml
name: Update Base Images

on:
  repository_dispatch:
    types: [imagesentinel-update]

# Least privilege: the job only needs to push a branch and open a PR
permissions:
  contents: write
  pull-requests: write

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install ImageSentinel CLI
        run: npm install -g @imagesentinel/cli

      - name: Update base image reference
        # Pass payload fields through environment variables instead of
        # interpolating ${{ }} into the script, so a crafted dispatch
        # payload cannot inject shell commands
        env:
          IMAGE: ${{ github.event.client_payload.image }}
          DIGEST: ${{ github.event.client_payload.digest }}
        run: |
          imagesentinel update-refs --image "$IMAGE" --digest "$DIGEST"

      - name: Create PR
        uses: peter-evans/create-pull-request@v5
        with:
          title: "chore: update base image"
          commit-message: "Update to patched base image"

Minimal Attack Surface

Our images contain only the essential packages needed to run your application. No shells, no package managers, no unnecessary binaries—just what you need and nothing more.

  • Minimal hardened variants available for all base images
  • No shell access in production images
  • Stripped debug symbols and documentation
  • Typical image size reduction of 80-90%
terminal
# Compare image sizes
docker images

REPOSITORY                              SIZE
ubuntu:22.04                            77.8MB
python:3.12                             1.01GB
registry.imagesentinel.io/python:3.12   47.2MB  ✓

# No shell = no shell exploits
docker run registry.imagesentinel.io/python:3.12 sh
OCI runtime error: exec failed: no such file

Integrates With Your Stack

ImageSentinel works seamlessly with your existing CI/CD pipelines and container registries.

CLI Tool

Full-featured CLI for scanning, verifying, and managing hardened images locally or in CI.

npm install -g @imagesentinel/cli

GitHub Actions

Pre-built actions for image scanning, SBOM generation, and automated updates.

uses: imagesentinel/scan-action@v1

Registry Mirror

Drop-in replacement for Docker Hub and other registries with automatic hardening.

registry.imagesentinel.io/

Ready to secure your containers?

Get started with hardened container images in under 5 minutes.