ClearCutt
Hardened Image Blueprint
For platform & security engineers shipping enterprise containers

Hardened reference runtimes you can verify.

ClearCutt is an open-source container hardening blueprint built declaratively from Nix store layers. The catalog below serves as a live worked example of a production image feed. Downstream platform teams can fork the blueprint to build and govern their own internal feeds.

CVE counts on the catalog are refreshed nightly against current vulnerability advisories, so a stable SBOM picks up newly disclosed issues without a new release. Each image page explains whether a safe fix is available, no fix has been found yet, the finding comes from the base image, or the finding is listed for awareness only. Dev-tier images include full toolchains and are deliberately not optimized for CVE surface area; never deploy them.

39 of 39 target slots on v0.8.1 · evidence: 39/39 sig · 39/39 slsa · 39/39 scans

Security & Compliance Audit Legend

Supply Chain Evidence

Green icons indicate verified, cryptographically bound evidence attached to the OCI manifest: a Sigstore keyless OIDC signature, SLSA Build L3 provenance, and an SPDX SBOM.

Gate Passed Vulnerability Gates

Images show Gate Passed when current scan data reports no active Critical or High findings. Counts of outstanding CVE findings display in red (critical) or orange (high) badges.

Shell-Free · Evidence Pinned

Shell-Free indicates that shells, core utilities, and package managers are omitted from the runtime. Evidence Pinned means the catalog exposes signatures, SBOMs, provenance, and workflow identities separately.

View: filters are stacked; each one narrows the selection above.

Tier
- distroless: zero shells · hardened runtime
- slim: runtime + minimal tooling
- dev: build-time · do not deploy