displayName: Container Image Hardening
workflowKind: security
triggerType: event-driven
typicalCadence: per-image-build
complexity: single-team
description: Hardens container images by reducing their attack surface: enforcing minimal base images, scanning for OS-level and language-level CVEs, removing unnecessary packages and shells, configuring non-root users, validating Dockerfile best practices, signing images with cosign/Notary, and gating promotion to production registries on a passing scan. Excludes container runtime security policies.