
How Red Hat Hardened Images and Anchore operationalize trust and compliance


As security engineers, we know the “vulnerability treadmill” isn’t just about patching—it’s about the massive “security tax” paid in manual evidence collection and triaging noise that doesn’t impact real-world risk.

Our collaboration with Red Hat Hardened Images is designed to eliminate this tax at the source. Combining a minimalist infrastructure foundation with a policy-driven supply chain delivers two things:

  • A shift in focus from “patching everything” to an automated, risk-based posture
  • Support for both engineering velocity and regulatory mandates such as the EU Cyber Resilience Act (CRA), PCI DSS 4.0, and FedRAMP

Start with the Hardened Images and keep them that way

Scanning alone cannot fix a bloated foundation. Red Hat Hardened Images attack CVE fatigue where it is cheapest and fastest to do so: before the findings exist.

Red Hat partnered with Anchore to identify new vulnerabilities during the creation of the Hardened Image catalog and to be an integral part of the required, often daily, evolution of the images as Red Hat curates them. Anchore provides the most up-to-date and accurate assessment of new upstream CVEs as they appear; these feed into Red Hat’s build process as it publishes new images, so customers receive images with low to zero CVEs at the point of download. Anchore also collaborated with Red Hat to ensure that the data published for the Hardened Images via the Red Hat security feeds is accurate and produces no false positives when users start scanning in their own environments.

To sum it up, Red Hat’s Hardened Images focus on:

  • Minimal by Construction: Shipping only what production needs, which means fewer packages, fewer transitive dependencies, and fewer scanner findings.
  • SLSA 3 Standards: All images are produced to SLSA 3 build standards, providing a verifiable chain of custody from the start.
  • Accurate Vulnerability Data: Security feeds represent the correct state of the Hardened Images as a unique catalog.

This effort would not have been possible without Anchore’s leading SBOM generation and management capabilities and its compliance operations engine. Together they allow customers to automate vulnerability analysis, enforce policy-based compliance across the lifecycle, and ultimately control their supply chain risk and stay compliant by default.

Stay compliant by default as we automate the burden of proof

While hardened images reduce the volume of vulnerabilities, Anchore Enterprise provides the continuous, SBOM-based visibility required. The response to an issue found in a Red Hat Hardened Image is tailored to the source of the vulnerability. An issue in the Red Hat base image triggers an alert to pull the latest image. A vulnerability in developer-added content sends an alert to the developer’s toolchain. Only the appropriate team or tool receives the relevant notice.

As global regulations shift the “burden of proof” to the manufacturer, security teams need more than just a list of CVEs; they also need a unified compliance engine.

We have built Anchore Enterprise with these three things in mind:

  1. Unified Asset Visibility: Anchore moves beyond simple image scanning to continuous scanning throughout the SDLC. By tracking digital assets and dependencies as mandated by CRA Annex I, teams can generate unified SBOMs for both containerized and non-containerized assets.
  2. Precision Triage & VEX: Anchore utilizes VEX (Vulnerability Exploitability eXchange) and risk scoring. This allows engineers to suppress findings tied to unreachable paths or non-exploitable components, focusing human attention only on what materially changes the risk profile.
  3. POA&M-as-Code: The manual process of producing a Plan of Action and Milestones (POA&M) is replaced by automated remediation plans and allowlists managed directly within the CI/CD toolchain.
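The two triage rules above (suppress findings a VEX statement marks not affected, then route what remains to the platform team or the developer toolchain depending on which layer introduced the package) as a worked example; this is constructed illustration code, not Anchore’s or Red Hat’s implementation, and the finding records, the `origin` field, the route names and the CVE identifiers are all assumptions made up for the example.

```python
"""Constructed triage example: apply VEX suppression, then route by origin."""

# Constructed scan findings. 'origin' records which layer introduced the
# package; the field name and values are assumptions for this example.
FINDINGS = [
    {"cve": "CVE-0000-0001", "pkg": "pkg:rpm/redhat/openssl@3.0", "origin": "base-image"},
    {"cve": "CVE-0000-0002", "pkg": "pkg:npm/lodash@4.17.20", "origin": "app-layer"},
    {"cve": "CVE-0000-0003", "pkg": "pkg:rpm/redhat/glibc@2.34", "origin": "base-image"},
]

# Constructed VEX document in the OpenVEX statement shape
# (vulnerability / products / status / justification).
VEX = {
    "statements": [
        {
            "vulnerability": {"name": "CVE-0000-0003"},
            "products": [{"@id": "pkg:rpm/redhat/glibc@2.34"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
    ]
}

# Where each origin's findings are sent; route names are assumptions.
ROUTES = {
    "base-image": "pull latest hardened image",
    "app-layer": "developer toolchain",
}


def suppressed(vex):
    """Return the set of (cve, purl) pairs a VEX statement marks not_affected."""
    out = set()
    for stmt in vex["statements"]:
        if stmt["status"] != "not_affected":
            continue
        for product in stmt["products"]:
            out.add((stmt["vulnerability"]["name"], product["@id"]))
    return out


def triage(findings, vex):
    """Drop VEX-suppressed findings, then group remaining CVEs by route."""
    skip = suppressed(vex)
    routed = {route: [] for route in ROUTES.values()}
    for finding in findings:
        if (finding["cve"], finding["pkg"]) in skip:
            continue  # not exploitable here; no human attention needed
        routed[ROUTES[finding["origin"]]].append(finding["cve"])
    return routed
```

Only statements with status `not_affected` suppress a finding; an `affected` or `under_investigation` statement leaves it in the queue.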

To read more about the actual integrated workflow, head over to the Red Hat blog for details.

Why we are pushing for continuous compliance

The goal of the Red Hat and Anchore partnership is to make compliance the “default” state rather than a point-in-time audit. Together we can build a secure foundation with an SBOM-native policy engine, so organizations can automate the evidence collection needed to satisfy regulatory pressure while focusing on shipping code, not triaging noise.

*** This is a Security Bloggers Network syndicated blog from Anchore authored by teamanchore. Read the original post at: https://anchore.com/blog/how-red-hat-hardened-images-and-anchore-operationalize-trust-and-compliance/