Speed regulatory compliance with cleaner security scans
Security and compliance teams operate under steady regulatory pressure and often struggle with scanner overload. They must show that the infrastructure they manage is controlled, and must produce documented evidence that risk has been mitigated to the level their programs require—whether they are pursuing a FedRAMP Authority to Operate (ATO), a System and Organization Controls (SOC) 2 examination, or Payment Card Industry Data Security Standard (PCI DSS) validation. Details matter: by reducing residual risk early, these teams can simplify what they must later demonstrate about remediation and compensating controls.
How Hardened Images helps
Hardened Images allows teams to start with a clean scan at the infrastructure layer because images are updated regularly, prehardened, and operationally tested before being posted to the catalog. By using these minimal, distroless images that contain only what the application needs to run, teams reduce the number of components that could be affected by CVEs. Security teams can then concentrate on the code and dependencies that are actually in scope, rather than chasing OS and runtime noise.
As a result, organizations get a head start on compliance. Images can be built with security profiles applied and validated at creation, which can help to avoid a weeks-long manual audit. Every image includes a software bill of materials (SBOM) in standard Software Package Data Exchange (SPDX) format, giving auditors the transparency they need without requiring extra work from developers.
Hardened Images provides a number of benefits that speed compliance:
- Fewer false positives and less time spent triaging irrelevant findings.
- Faster path to ATO and other certifications, with SBOMs available to show auditors that the team is following a rigorous, risk-aware approach.
- Simple scope split: Hardened Images handle the OS and runtime layer so the development team can focus on application-level dependencies and custom code.
Ease operations and reduce budget pressure for platform management
Platform and infrastructure teams are challenged with managing vendor sprawl and maintaining multiple gold images for different development teams. Their aim is to simplify and consolidate as much as possible, maintain fewer resources in their library of trusted assets, and avoid cloud costs escalating out of hand. In other words, everything needs to work, be trusted, and stay within budget.
How Hardened Images helps
Hardened Images is available at no cost, so there is no new vendor to onboard and no separate licensing model for per-image security. Teams get a catalog of no-cost, distroless images, without vendor lock-in, that fit into existing continuous integration/continuous delivery (CI/CD) and GitOps workflows. Infrastructure managers can reclaim some budget and reduce the number of third-party security image vendors they need to maintain. Red Hat’s deep involvement in upstream communities, from the OS to language runtimes, allows it to deliver the best of both worlds: rapid access to new features and the long-term support required for stable production.
Hardened Images provides a number of operational and cost-reducing benefits:
- Native platform integration, with no out-of-band tools or one-off contracts.
- Fewer vendors to manage and more opportunity to reclaim some budget.
- Fine-grained, minimalist images that use fewer resources, cutting cloud costs while speeding deployment pipelines and keeping the security team happy.
Reduce toil of vulnerability triage so development teams can focus on features
Development teams often choose base images for functionality and compatibility first. But they are then squeezed between delivery pressure and recurring triage of OS-layer vulnerabilities that come not from their own code but from the underlying platform they inherited from those images. This often results in a fraught relationship between development teams who want to ship features and security teams who need to protect against risk.
How Hardened Images helps
Hardened Images is built to be small, including only what is on the critical path, and is then rigorously tested to make sure that applications actually run on it. This minimalism means fewer security tickets, fewer late-night patching sessions, and less friction with the security team. Images are free to use and portable across on-premises infrastructure, AWS, Azure, and Google Cloud—without any vendor lock-in.
Users of smaller images will also see more efficient pulls and performance in pipelines. To maintain innovation speed, images are kept current with rigorous testing and vulnerability scanning for swift CVE remediation.
For users who need to maintain an older runtime (e.g., Java 11) past upstream end-of-life, Red Hat will soon offer long-term support options that address the gap between moving upstream and multiyear certification cycles.
Hardened Images reduces toil in a number of ways:
- Less time on vulnerability triage, more time on feature code.
- A foundation that just works and is compatible with existing tooling.
- Optional long-term support developed for environments that cannot move at upstream tempo.
Improve transparency and make supply chains more trustworthy
Organizations in highly regulated industries such as financial services, government, and healthcare need to prove what is in their software supply chain. They need stable production systems and clear provenance for what they run, balancing compliance mandates with innovation without slowing delivery.
How Hardened Images helps
Every Hardened Image is built in a trusted Supply-Chain Levels for Software Artifacts (SLSA) 3 pipeline with attestations and an SBOM, so security and compliance teams get a list of what is inside and cryptographic proof of where it came from. Images are verifiable and tamper-resistant, supporting assurance and audit requirements, and specific compliance variants can be selected at build time.
Red Hat has 30 years of open source expertise and contributes directly to the code, so it can keep images current by delivering faster fixes and better stability. As CVEs are continually found and reported, users will always have a transparent view of any potential vulnerabilities and the necessary details to understand the risks.
Hardened Images boosts transparency by providing:
- A verifiable supply chain and SBOMs in standard formats.
- Compliance-ready variants and optional commercial support with clear service-level agreements (SLAs).
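As an added illustration, not code from the Hardened Images catalog or Red Hat documentation, of how the shipped SPDX SBOM and the OS/application scope split described above can be put to work: the script below parses a constructed SPDX 2.3 JSON SBOM, extracts its package URLs, matches them against a constructed advisory list with obviously placeholder IDs, and routes each finding to either the image maintainer (OS/runtime layer) or the development team (application dependencies). The SBOM contents, advisory entries and the PURL-type-to-owner mapping are all assumptions made for the example.

```python
import json

# Constructed SPDX 2.3 SBOM standing in for the one shipped with an image.
# Package names, versions and PURLs are illustrative, not from any catalog.
SBOM_JSON = """{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image",
  "packages": [
    {"name": "glibc", "versionInfo": "2.34-100", "SPDXID": "SPDXRef-p1", "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/redhat/glibc@2.34-100?arch=x86_64"}]},
    {"name": "openssl-libs", "versionInfo": "3.0.7-24", "SPDXID": "SPDXRef-p2", "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/redhat/openssl-libs@3.0.7-24?arch=x86_64"}]},
    {"name": "requests", "versionInfo": "2.31.0", "SPDXID": "SPDXRef-p3", "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/requests@2.31.0"}]}
  ]}"""

# Constructed advisory feed. IDs are obvious placeholders, not real vulnerability
# identifiers; a real feed would give affected version ranges rather than a list.
# The "bash" entry never matches because a distroless image does not ship a shell.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "type": "rpm", "name": "openssl-libs", "affected": ["3.0.7-24"]},
    {"id": "ADV-PLACEHOLDER-2", "type": "pypi", "name": "requests", "affected": ["2.31.0"]},
    {"id": "ADV-PLACEHOLDER-3", "type": "rpm", "name": "bash", "affected": ["5.1.8-9"]},
]
# PURL types for the OS/runtime layer that the image maintainer owns (assumed mapping);
# anything else is an application-level dependency owned by the development team.
OS_LAYER_TYPES = {"rpm", "deb", "apk"}

def load_purls(sbom_json):
    """Return every package URL (PURL) recorded in an SPDX JSON SBOM."""
    doc = json.loads(sbom_json)
    return [ref["referenceLocator"] for pkg in doc.get("packages", [])
            for ref in pkg.get("externalRefs", []) if ref.get("referenceType") == "purl"]

def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers' into (type, name, version)."""
    path = purl.split(":", 1)[1].split("?", 1)[0]   # drop the scheme and qualifiers
    name, _, version = path.rsplit("/", 1)[-1].partition("@")
    return path.split("/", 1)[0], name, version

def triage(sbom_json, advisories):
    """Match SBOM packages against advisories and route each finding to its owner."""
    findings = []
    for purl in load_purls(sbom_json):
        ptype, name, version = parse_purl(purl)
        for adv in advisories:
            if adv["type"] == ptype and adv["name"] == name and version in adv["affected"]:
                owner = "image-maintainer" if ptype in OS_LAYER_TYPES else "dev-team"
                findings.append((adv["id"], purl, owner))
    return findings
```

Running `triage(SBOM_JSON, ADVISORIES)` yields one OS-layer finding for the maintainer and one application-layer finding for the development team, while the advisory for a package the minimal image does not contain produces nothing to triage.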