DIY Image Hardening vs. Managed Image Solutions: Which is Better for Small to Medium Businesses?

Asked By TechSavvyNerd123 On

I've been using custom base images for a couple of years now, handling our own hardening process and internal scanning. Initially, it seemed like the right choice, but I'm starting to have doubts. The challenge isn't just the CVEs; it's the ongoing maintenance that's become quite a distraction. With every OS update or vulnerability disclosure, someone from the team is responsible for it, which can add up quickly.

I'm curious at what point maintaining our own hardened images just doesn't make sense anymore compared to using images from a specialized provider. How do engineering managers factor in the hidden costs of DIY, like developer hours and missed patching? Also, for those who have moved to managed solutions, did it actually lessen the workload or just shift it to another area?

I'm left wondering if starting with managed images from the beginning would have changed our situation or if we'd still be facing similar challenges. What has been the decision-making process for teams that have experienced this?

1 Answer

Answered By SecOpsGuru99 On

We switched to Chainguard and it made a huge difference for us. It's definitely on the pricier side, but for our compliance needs and limited engineering time, it was worth it. The big advantage with Chainguard isn't just about the security of the base image; they also maintain an updated library of system packages, which is where most of the vulnerabilities come from when using standard distros. Honestly, self-managing those packages becomes a huge headache.

ChainguardTechie88 -

Glad to see someone else here loves Chainguard! Just a heads up, we're adjusting our pricing starting in 2026, so it might be worth checking us out again if you found the costs intimidating. Plus, we’re the only ones claiming zero CVEs in median cases because we’ve invested in our own OS. It's great to hear you're noticing the benefits!
