II.
Workflow overview
Reference · liveworkflow:container-image-hardening
Container Image Hardening overview
Hardens container images against attack surface -- enforcing minimal base images, scanning for OS and language-level CVEs, removing unnecessary packages and shells, configuring non-root users, validating Dockerfile best practices, signing images with cosign/Notary, and gating promotion to production registries on scan pass. Excludes container runtime security policies.
Attributes
displayName
Container Image Hardening
workflowKind
security
triggerType
event-driven
typicalCadence
per-image-build
complexity
single-team
description
Hardens container images against attack surface -- enforcing minimal base
images, scanning for OS and language-level CVEs, removing unnecessary
packages and shells, configuring non-root users, validating Dockerfile best
practices, signing images with cosign/Notary, and gating promotion to
production registries on scan pass. Excludes container runtime security
policies.
Outgoing edges
applies_to_domain2
- domain:security·DomainSecurity
- domain:cloud-infra·DomainCloud Infrastructure
involves_role2
- role:platform-engineer·RolePlatform Engineer
- role:security-reviewer·RoleSecurity Reviewer
performed_by_org_unit2
- org-unit:platform-team·OrgUnitPlatform Team
- org-unit:security-team·OrgUnitSecurity Team
requires_skill_area2
- skill-area:containerization·SkillAreaContainerization
- skill-area:container-security·SkillAreaContainer Security
triggers_responsibility2
- responsibility:run-security-scans·ResponsibilityRun security scans
- responsibility:approve-deploys·ResponsibilityApprove production deploys
Incoming edges
follows_workflow3
- stack-profile:security-operations·StackProfileSecurity Operations Stack (Trivy, Falco, OPA, Vault, Snyk)
- stack-profile:container-registry-scanning·StackProfileContainer Registry & Scanning (Docker, Trivy, Kubernetes, Go, Snyk)
- stack-profile:vulnerability-management-platform·StackProfileVulnerability Management (Python, Trivy, Snyk, PostgreSQL, React, Docker)