ActiveState containers have everything you need to run your app and nothing else, all delivered in a regularly updated, low-to-no vulnerability container image. From the base layer to app dependencies, ActiveState’s secure containers offer complete customization, full provenance, and none of the patching chaos.
ActiveState Secure Containers are minimal, low-to-no CVE container images for popular programming languages, frameworks, and applications. They’re built using a distroless foundation and compiled from source to maximize security while minimizing attack surface.
Unlike typical container images from public registries, ActiveState containers use a custom distroless base (containing only essential dependencies with no shell, package manager, or debugging tools), build all components from source rather than using pre-compiled binaries, and undergo nightly rebuilds with strict remediation SLAs to maintain near-zero vulnerabilities.
A distroless image is a minimal container that doesn’t include a full Linux distribution. It contains only the application and its runtime dependencies, deliberately excluding standard OS components like package managers, shells, and debugging tools to reduce attack surface.
Yes, the latest versions of ActiveState Secure Containers are available for free on DockerHub. These include popular programming languages for deployment, developer variants, and useful applications.
Yes, ActiveState offers a fully managed custom container build service using their catalog of over 40 million secure open-source components. Custom images can include specific configurations, additional packages, or application components tailored to your exact requirements.
Free images are published on DockerHub at hub.docker.com/u/activestate. Custom images can be pushed directly to your private registries for streamlined CI/CD integration.
Yes, Docker lists ActiveState as a “Verified Publisher,” a designation for providers of high-quality images that help development teams build secure software supply chains.
ActiveState maintains industry-leading remediation SLAs of 7 days for critical and high CVEs, and 14 days for all other vulnerabilities. All images are rebuilt nightly and automatically remediated when vulnerabilities are detected.
When a CVE has no upstream fix available, ActiveState issues a VEX (Vulnerability Exploitability eXchange) advisory documenting the status and impact. These advisories are published on their GitHub page and can be integrated with SCA scanning tools.
If a CVE is determined to have no impact on the image, ActiveState issues a “not affected” advisory with detailed justification documented in an associated VEX file. All advisories are published to their GitHub page.
Images are rebuilt nightly and scanned using multiple SCA tools including Docker Scout, Trivy, and Grype. All images must produce zero effective CVEs to pass testing.
Images pass through automated testing for functionality, minimization benchmarking, hardening benchmarking (using tools like crane, cosign, grype, and trufflehog), vulnerability assessment, and metadata verification including signature and SBOM validation.
Building from source provides supply chain trust, allows complete control over dependencies for minimization, enables audit readiness with detailed SBOMs, and accelerates patching by allowing immediate rebuilds without waiting for upstream binary updates.
The ActiveState Platform is an SLSA-3 compliant build service that automatically builds open-source software from source code, stores it in their catalog of over 40 million secure components, and packages it into container images—eliminating time-consuming compilation and dependency resolution tasks.
Images are assembled according to the Open Container Initiative (OCI) image specification, starting with ActiveState’s custom distroless base, layering secure open-source components compiled from source, and applying minimization and hardening configurations throughout the process.
All ActiveState containers use a custom distroless base image containing only Glibc built with bare minimum requirements. A “dev” variant based on minimized busybox is also available for development use cases requiring shell access.
ActiveState removes unnecessary files and directories, documentation, specific libraries, debug symbols from binaries, and other non-essential components. Each modification is carefully tested to ensure image functionality remains intact.
ActiveState containers provide complete visibility and traceability through detailed buildtime SBOMs, cryptographic signatures for image verification, and comprehensive VEX advisories for all identified vulnerabilities. This documentation makes audits straightforward and supports compliance in regulated industries.
Yes, ActiveState Secure Containers are designed for organizations in regulated industries that require strict tracking of software components and reproducible builds. The source-based build process ensures audit readiness and provides the necessary metadata to prove container contents and verify trustworthiness.
SLSA (Supply-chain Levels for Software Artifacts) is a framework for ensuring software supply chain integrity. ActiveState uses an SLSA-3 compliant build service through the ActiveState Platform, which securely and repeatedly builds components from source with proper attestation and provenance tracking.
Building from source provides supply chain trust by ensuring only verified code is included, eliminates reliance on potentially compromised pre-built binaries, generates detailed metadata and SBOMs at build time, and enables organizations to reproduce builds for compliance verification and audit purposes.
Yes, all ActiveState Secure Containers are cryptographically signed using Cosign. Organizations can verify signatures to ensure the image they pull is exactly what ActiveState built—untampered and authentic. This verification is critical for maintaining secure software supply chains in compliance-sensitive environments.
Yes, every ActiveState Secure Container is published with a detailed buildtime Software Bill of Materials (SBOM) and cryptographic signature, providing full visibility into components and ensuring authenticity for compliance and audit purposes.
When vulnerabilities are detected, ActiveState provides transparent documentation through VEX advisories published on their GitHub page. Each advisory includes detailed status information, impact statements, justifications, and remediation timelines, supporting compliance reporting requirements.
Each ActiveState Secure Container includes a complete buildtime SBOM detailing all components, cryptographic signatures for verification, associated VEX documents for any identified vulnerabilities, and provenance information showing the build process and source of all components.
Nightly automated rebuilds ensure containers remain current with the latest security patches and maintain compliance with remediation SLAs. This continuous maintenance approach means organizations don’t need to manually track and patch vulnerabilities, reducing the burden of maintaining compliance documentation and audit trails.
Yes, ActiveState’s custom container service can build images to meet specific compliance requirements, including particular hardening configurations, specific package versions required by compliance frameworks, additional security controls, and customized metadata and documentation to satisfy organizational or regulatory standards.
ActiveState is actively working with leading SCA providers to integrate their VEX advisory feed directly into scanning products. This integration allows organizations to automatically incorporate ActiveState’s vulnerability assessments into their existing compliance and security workflows.
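The VEX advisories described above (the "not affected" and no-upstream-fix cases, and the feed meant to plug into SCA scanners) are only useful if a consumer applies them correctly to raw scan output. The following is an added example, not ActiveState's tooling or the format of its advisories: it assumes the advisory uses the OpenVEX statement shape (an assumption; the page does not name a VEX format), uses a constructed, minimal stand-in for scanner findings rather than the real Grype or Trivy JSON schema, and computes the "effective CVE" list that a zero-effective-CVE gate would check. The product-scoped matching and the justification check are the two details a practitioner most often gets wrong.

```python
"""Apply VEX statements to scanner findings to compute the effective CVE list.

Added example for this page; not ActiveState's code. Assumptions:
  * VEX documents follow the OpenVEX statement shape (status, products,
    justification).
  * Scan findings are simplified to (CVE id, package URL) pairs; real Grype
    or Trivy reports carry more fields but the same two keys.
All identifiers below are constructed sample values.
"""
import json

# Constructed OpenVEX-style advisory (sample data, not a real advisory).
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-1",  # placeholder document id
    "author": "example-publisher",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {   # vulnerable code compiled out of the minimised build
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:generic/libexample@1.2.3"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_present",
        },
        {   # patched in a rebuild from source
            "vulnerability": {"name": "CVE-0000-0002"},
            "products": [{"@id": "pkg:generic/libexample@1.2.3"}],
            "status": "fixed",
        },
        {   # no upstream fix yet: documented, but must stay in the report
            "vulnerability": {"name": "CVE-0000-0003"},
            "products": [{"@id": "pkg:generic/othertool@4.5"}],
            "status": "under_investigation",
        },
        {   # statement about a different version: must NOT suppress 1.2.3
            "vulnerability": {"name": "CVE-0000-0004"},
            "products": [{"@id": "pkg:generic/libexample@9.9.9"}],
            "status": "not_affected",
            "justification": "component_not_present",
        },
    ],
})

# Constructed scan findings: (CVE id, purl of the component the scanner flagged).
SCAN_FINDINGS = [
    ("CVE-0000-0001", "pkg:generic/libexample@1.2.3"),
    ("CVE-0000-0002", "pkg:generic/libexample@1.2.3"),
    ("CVE-0000-0003", "pkg:generic/othertool@4.5"),
    ("CVE-0000-0004", "pkg:generic/libexample@1.2.3"),
    ("CVE-0000-0005", "pkg:generic/othertool@4.5"),
]

# Only these OpenVEX statuses make a finding non-actionable.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def load_vex_index(vex_json):
    """Map (cve, product purl) -> statement so lookups are exact on both keys.

    Keying on the CVE alone would let a statement about libexample@9.9.9
    silently suppress the same CVE in libexample@1.2.3.
    """
    index = {}
    for stmt in json.loads(vex_json)["statements"]:
        cve = stmt["vulnerability"]["name"]
        if stmt["status"] == "not_affected" and "justification" not in stmt:
            # OpenVEX requires a justification for not_affected; refuse to
            # honour an unjustified suppression rather than trust it blindly.
            raise ValueError(f"{cve}: not_affected without justification")
        for product in stmt["products"]:
            index[(cve, product["@id"])] = stmt
    return index


def effective_findings(findings, vex_json):
    """Return the findings that remain actionable after applying the VEX."""
    index = load_vex_index(vex_json)
    remaining = []
    for cve, purl in findings:
        stmt = index.get((cve, purl))
        if stmt is not None and stmt["status"] in SUPPRESSING_STATUSES:
            continue
        remaining.append((cve, purl))
    return remaining


def effective_cve_count(findings, vex_json):
    """The number a 'zero effective CVEs' gate would compare against zero."""
    return len(effective_findings(findings, vex_json))


if __name__ == "__main__":
    for cve, purl in effective_findings(SCAN_FINDINGS, VEX_DOC):
        print(f"still actionable: {cve} in {purl}")
    print("effective CVEs:", effective_cve_count(SCAN_FINDINGS, VEX_DOC))
```

Run as-is, the sample leaves three actionable findings: the CVE still under investigation, the CVE whose only statement covers a different package version, and the CVE with no statement at all. A gate built on this logic should fail closed on a malformed or unjustified advisory, which is why the loader raises instead of skipping.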
ActiveState provides container images for popular programming languages (for both deployment and development use cases), frameworks, and useful applications. Their catalog includes over 40 million secure open-source components that can be customized into containers.
ActiveState benchmarks every image against comparable DockerHub images, aiming to achieve a total image size within 10-20% of the nearest comparison while providing superior security through minimization and hardening.
The standard distroless images do not include a shell. However, ActiveState provides a “dev” variant based on minimized busybox that includes shell access for development use cases, allowing basic system exploration at the cost of slightly increased attack surface.
If an image fails to meet required standards at any point in the testing pipeline, it is sent back for reconstruction, further minimization, or hardening as needed. Only images that successfully pass all testing stages are published.
The ActiveState Platform automatically resolves dependency conflicts during the build-from-source process, eliminating the time-consuming manual work typically required when compiling software.
The latest versions of all ActiveState Secure Containers are available for free on DockerHub and ready to integrate into existing CI/CD workflows. Simply pull the images from hub.docker.com/u/activestate.
For teams requiring custom configurations, additional packages, or further hardening, ActiveState’s custom container service provides full support. Contact ActiveState to discuss your specifications and try your first custom container image free.
Custom images are pushed directly to your private registries, allowing for streamlined CI/CD integration and making it easy to remain vulnerability-free without manual intervention.
ActiveState handles the entire remediation process when vulnerabilities are identified. The automated build system rebuilds affected components from source, runs images through the testing pipeline, and delivers updated images to your repositories with complete documentation—no manual patching required.