If you ship software in containers, you know the vulnerability treadmill: scanners surface a flood of CVEs, backlogs swell, and teams chase patch velocity as if it were the core business of the company (as opposed to serving customers and stakeholders). Complicating matters further, a lengthy scan result often fails to answer the one question that matters: which of these findings would materially change our risk if we fixed them now?

Much of that added load and pressure is noise. Results contain findings tied to packages that never run, paths that are not reachable, or components that are effectively owned and maintained elsewhere. Treating every line item like a production incident does not improve your security posture. It makes you slower on the issues that actually count.

For many organizations, a shift is underway from "patch everything" to a minimalist, risk-based posture:

  • Reduce noise at the source with hardened, intentionally small foundations: minimal container images.
  • Add continuous, SBOM (software bill of materials)-grounded visibility and policy so teams can prove what they ship, enforce what they promise, and focus remediation on what they control.

Start with eliminating the noise at the source. Red Hat Hardened Images reflect a deliberate approach: ship container images that are minimal by construction and aligned to only what production needs, not a general-purpose "everything but the kitchen sink" build. Fewer packages and fewer binaries mean fewer places for defects to hide, fewer transitive pulls, and fewer scanner findings.

Then look at the SBOMs. Compliance teams care about them for traceability, but platform and application engineers should care too because the SBOM is the map of what you're willing to defend. A smaller, intentional manifest tends to correlate with lower attack surface, less triage noise, and faster remediation when something real appears, because you know exactly what's affected and which images contain the component in question.

Keeping images protected and compliant

To help us tackle this challenge, Red Hat teamed up with Anchore, a leader in SBOM-powered supply chain security. Anchore is widely regarded for its compliance operations engine, which enterprises trust to generate and manage SBOMs, automate vulnerability analysis, and enforce policy compliance across the lifecycle. Their goal is to enable you to control your supply chain risk and stay compliant by default.

Red Hat is collaborating with Anchore not only to help identify new vulnerabilities during the creation of the Red Hat Hardened Image catalog, but also to be an integral part of the required (often daily) evolution of the images in the customer environment. As new CVEs are announced or introduced upstream, Anchore can scan images being used in development or in production to check whether they are impacted. If the issue is in the Red Hat Hardened Image, an alert can be sent to trigger a pull of the latest image from the Red Hat repository. If the vulnerability is in content a developer has added to the image, an alert can be sent to the developer's toolchain.

Critically, only the relevant team or tool receives the appropriate notice. Anchore's policy engine can also enforce use of Red Hat Hardened Images so that no images from upstream or other third parties are in use. Throughout the lifecycle, Anchore captures and stores the SBOM of every image so that compliance needs are met.

The integrated workflow

Here's how it works, from start to finish:

Step 1: The build

Start from a Red Hat Hardened Image, with the focus on keeping runtime images lean and the attack surface minimal. All images are produced to SLSA3 build standards.

Step 2: The analysis

In CI/CD and registry promotion paths, run continuous Anchore analysis on the built artifact. Practically, that means SBOM generation and import, vulnerability matching, and rich compliance policy checks.

Step 3: The filter

Use SBOM diffs and workflow discipline to focus on what changed and on what is reachable and relevant. The minimal base shrinks the pool of irrelevant findings, just as intended. The goal is triage that respects human attention.

Step 4: Policy enforcement (what fails does not ship)

This is where Anchore's policy engine comes into play. Prior to promotion to the registry or deployment, images can be assessed for compliance violations against common standards such as NIST 800-53, 800-190, or FedRAMP. Critical areas are flagged for the appropriate team. If the image is ready to ship, the SBOM is kept for compliance audits.
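To make steps 2 through 4 and the alert routing described earlier concrete, here is an added example that is not Anchore's or Red Hat's code. It uses a simplified CycloneDX-like SBOM shape (a list of components keyed by package URL), constructed SBOMs for a base image and an application image built on it, and constructed vulnerability matches with placeholder ids, so it runs offline. The diff of the two SBOMs identifies developer-added content; each finding is routed to the team that owns the affected component; a severity gate decides whether the image ships; and the SBOM is serialized with the decision for audit.

```python
"""SBOM diff, finding routing and a ship/no-ship policy gate (added example)."""
import json

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed SBOM of the hardened base image: content the base-image team owns.
BASE_SBOM = {"components": [
    {"name": "glibc", "version": "2.34-100", "purl": "pkg:rpm/redhat/glibc@2.34-100"},
    {"name": "openssl-libs", "version": "3.0.7-24", "purl": "pkg:rpm/redhat/openssl-libs@3.0.7-24"},
]}

# Constructed SBOM of the built application image: the base content plus what the
# developer layered on top.
APP_SBOM = {"components": BASE_SBOM["components"] + [
    {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    {"name": "urllib3", "version": "1.26.4", "purl": "pkg:pypi/urllib3@1.26.4"},
]}

# Constructed vulnerability matches; the ids are placeholders, not real CVEs.
MATCHES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:rpm/redhat/openssl-libs@3.0.7-24", "severity": "High", "fix": "3.0.7-25"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/urllib3@1.26.4", "severity": "Critical", "fix": "1.26.5"},
    {"id": "EXAMPLE-0003", "purl": "pkg:pypi/requests@2.25.1", "severity": "Low", "fix": None},
]


def purls(sbom):
    """Set of package URLs in an SBOM; the purl is the stable join key."""
    return {c["purl"] for c in sbom["components"]}


def sbom_diff(base_sbom, app_sbom):
    """Step 3: components in the app image that are not in the base image,
    i.e. the content the developer added and therefore owns."""
    return purls(app_sbom) - purls(base_sbom)


def route_finding(match, base_sbom, app_sbom):
    """Decide who is notified for one finding (the two alert paths in the post)."""
    if match["purl"] in purls(base_sbom):
        return "base-image"   # remediated by pulling the latest hardened image
    if match["purl"] in sbom_diff(base_sbom, app_sbom):
        return "developer"    # remediated in the developer's own toolchain
    return "unmatched"        # not in the shipped manifest: triage noise, no owner


def evaluate_policy(matches, base_sbom, app_sbom, gate="High"):
    """Step 4: route every finding to its owner and block shipping when any
    finding on shipped content is at or above the gate severity."""
    threshold = SEVERITY_RANK[gate]
    routes = {"base-image": [], "developer": [], "unmatched": []}
    blocking = []
    for m in matches:
        owner = route_finding(m, base_sbom, app_sbom)
        routes[owner].append(m["id"])
        if owner != "unmatched" and SEVERITY_RANK[m["severity"]] >= threshold:
            blocking.append(m["id"])
    return {"ship": not blocking, "blocking": blocking, "routes": routes}


def audit_record(app_sbom, decision):
    """Serialize the SBOM together with the decision: what shipped, and why."""
    return json.dumps({"sbom": app_sbom, "decision": decision}, sort_keys=True)


if __name__ == "__main__":
    result = evaluate_policy(MATCHES, BASE_SBOM, APP_SBOM)
    print(json.dumps(result, indent=2))
```

With the constructed data the gate refuses to ship: the High finding in `openssl-libs` is routed to the base-image path (pull the updated hardened image) and the Critical finding in `urllib3` goes to the developer, while the Low finding in `requests` is reported but does not block. The `gate` parameter is where an organization encodes its own threshold; the routing is what keeps each alert on the desk of the team that can actually act on it.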

Try it

Scanning alone cannot fix a bloated foundation. Red Hat Hardened Images attacks CVE fatigue where it is cheapest: before the findings exist. Anchore closes the loop with SBOM-native visibility, continuous scanning, and policy automation. This includes compliance automation and reporting that helps you meet the requirements of frameworks like NIST and FedRAMP, and adapt to regulatory pressure like CRA.

Try it yourself at no cost at Red Hat Hardened Images.


About the author

Ben Breard is a Senior Principal Product Manager at Red Hat, focusing on Red Hat Enterprise Linux and Edge Offerings.
