Today, we’re announcing the general availability (GA) of Red Hat Hardened Images. This is a no-cost catalog of container images that ships security fixes rapidly, helping teams stay ahead of CVEs rather than constantly chasing them. We’ve handled the heavy lifting of image thinning and hardening so your teams can stop chasing false positives and focus on what truly matters: your code and the security of your applications.
We started this journey under Project Hummingbird. If you've been following it, you've watched us refine the content, images, and delivery approach with hundreds of early access users. What started as an experiment to reduce container attack surface has evolved into a production-ready catalog of over 45 images spanning more than 150 variants, all built on Red Hat's trusted software pipeline. Project Hummingbird will continue to be the innovation engine that produces Red Hat Hardened Images.
Figure 1. Hardened Images catalog
The problem: CVE volume meets zero tolerance
We started Project Hummingbird after talking to dozens of organizations and hearing the same frustration over and over again: container security had become an expensive time sink.
CVE counts have exploded beyond what teams can reasonably manage. Currently, there are on average around 160 CVEs reported every day, and between automated scanners and AI-assisted discovery tools, we're expecting to see that number continue to climb. A single container scan can flag hundreds of vulnerabilities. Figuring out which ones actually matter across a large estate running tens of thousands of containers can feel like treading water.
Risk tolerance is shrinking under regulatory, geopolitical, and AI-related pressures. Compliance frameworks and organizational security policies increasingly demand that teams address every flagged vulnerability, regardless of whether it's exploitable. Unneeded packages and dependencies in container images can make this standard impossible to meet.
The solution: Less surface, faster fixes
Red Hat Hardened Images exists to help users who feel the pressure from this new reality. Less software means fewer CVEs. When your image contains only what your application needs to run, the triage question becomes simpler: if it's in the image, it matters. And when it matters, our highly autonomous pipeline delivers fixes fast.
Red Hat Hardened Images focuses on technologies where Red Hat has upstream engagement and production experience, and can deliver meaningful support. The GA catalog spans languages, runtimes, databases, web servers, and utilities that power enterprise workloads, including Python, Node.js, Go, Java, .NET, PostgreSQL, Valkey, Nginx, and HAProxy, among others. These represent the core open source components that organizations consistently tell us matter most as a foundation for their applications.
We are growing the catalog, and doing so deliberately. When we add a new image, we’re making a commitment to closely track the primary technology and all relevant dependencies and vulnerabilities, so we can deliver support with the same rigor we apply to the rest of the catalog. We prioritize quality over quantity.
Every image follows a consistent hardening approach:
- Distroless architecture: Images include no shell by default, no package manager, and no unnecessary components that expand the attack surface.
- Multiple variants: Default images aim to strike a balance between distroless principles and compatibility with existing upstream images. Builder images retain the hardening and enable package installation to help customize builds. There are also FIPS-validated variants for regulated environments, and architecture-specific builds (AMD64 and Arm64) for different deployment targets.
- Holistic hardening: Everything about the images is hardened, from the source provenance and compiler options, to image security defaults and overall minimization. Hardening is done at every level, and compliance-related configuration is verifiable via OpenSCAP.
- Trusted supply chain: Dependencies come from Red Hat's SLSA3 build pipeline, maintaining a verifiable chain of trust from source to artifact.
- Automated remediation: Our pipelines track upstreams and security feeds in order to build, test, and deliver fixes, typically within hours of a vulnerability being fixed.
Try Red Hat Hardened Images today
Red Hat Hardened Images is now generally available. Every image in the catalog is free of charge to use and may be used on any Linux distribution, version of Kubernetes, or container engine. If you are interested in specific images that are not currently offered, please let us know via the Request an image button on the website.
We also know that some users need longer lifecycle options than what is currently provided by upstreams. In the near future, we plan to offer long-term support (LTS) images to support these needs. LTS will be optional and made available via a simple subscription model.
We're grateful to the hundreds of early access users who tested these images, reported issues, and pushed us to refine our approach. Your feedback shaped what we're releasing today.
Those who are new to Red Hat Hardened Images can get started by exploring the catalog.
About the authors
Ben Breard is a Senior Principal Product Manager at Red Hat, focusing on Red Hat Enterprise Linux and Edge Offerings.
Robert is a Software Engineer at Red Hat, building Hardened Images and playing with all things cloud and containers.