Community Spotlight: RapidFort's Hardened Container Images

At least to me, one of the most exciting aspects of the software supply chain security landscape is the abundance of open-source and free-tier offerings. In this blog, I’ll introduce you to RapidFort, a company that may not be on your radar yet despite securing over $10 million in contracts with the Department of Defense and community images with more than 6 million downloads.

If you’re familiar with Iron Bank images, you should know that the DoD uses RapidFort's tooling to create these hardened images. You can access RapidFort's community images commercially on GitHub, where they are available for public use.

The enterprise adoption of containerized applications has surged in recent years, making it increasingly challenging for security measures to keep pace. Compounding this issue is the steady rise in the number of annual CVEs reported, exceeding 40,000 in 2024. A recent study by NetRise revealed that the average container now contains a staggering 604 vulnerabilities 🤯, with more than 40% classified as Critical or High severity on the CVSS scale.

RapidFort Community Images

RapidFort provides free, hardened community images that can be used without license restrictions. These images are functionally equivalent, but without the bloat—unnecessary software components have been removed to reduce its attack surface. RapidFort has its own methodology, but it’s conceptually similar to DockerSlim and other minification tools. This strategy for reducing vulnerability counts has long been known; a 2021 paper found that, in some cases, minification reduced vulnerabilities by more than 70%.

Images supporting Alpine, Debian, Ubuntu, and Red Hat are available for free on the following platforms:

• Iron Bank (for DOD customers)

• Docker Hub

• GitHub 

Looking at Docker Hub, RapidFort manages over 200 repositories containing hardened alternatives to docker official and Bitnami images. The five most popular are:

1. PostgreSQL Official

2. MongoDB® Official

3. NGINX IronBank

4. Microsoft SQL Server 2019

5. Consul IronBank

Each repository details how many packages and vulnerabilities were removed for each hardened image—these are updated daily.

In addition, you can view the complete report on the RapidFort platform to get a sense of the data it gathers. This includes but is not limited to, an SBOM, trace logs, network logs, file discovery, system calls, license information, and container layers.

👋 I can’t say I performed a comprehensive analysis of RapidFort’s SBOM generation and vulnerability scanning, but what I’ve seen looks extremely promising. I took a few projects and compared RapidFort scan results with Trivy’s. Of the three projects tested, Trivy reported just a few more findings, which, upon closer inspection, were all false positives. Trivy was reporting vulnerabilities that only affected specific operating systems or versions, of which RapidFort was mindful.

Conclusion

My exploration of RapidFort's Community Images has genuinely impressed me. Their end-to-end container security management solution story is also very compelling. While the hardened images may not be a silver bullet, they serve as a valuable stepping stone, sparking my interest in their premium offerings. For developers on a tight budget, RapidFort's Community Images provide a great starting point and a free alternative to their premium Curated “near-zero CVE images.”

Join the RapidFort community Slack if you have questions!

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.