PodArmor
Hardened container images with zero outstanding patches.
PodArmor ships hardened container images for the runtimes your teams already use — Java, Node, Maven, Postgres, Redis, nginx, and more. Every published image is rebuilt continuously, scanned with industry-standard tooling (grype + syft), and signed.
The product surface has three parts:
The portal
Browse the catalog, see CVE counts, pull commands, and SBOMs.
The image registry
Public ECR. Pull hardened images directly with docker pull.
The webhooks
Get notified when a new patch lands or a new CVE is published.
The procurement-honest CVE classification
Most of what a container scanner reports is not actionable. When you scan a hardened image with grype and see "19 CVEs," the question that matters is how many of them the customer can do anything about today. PodArmor reports the two populations separately, so procurement reviewers see the real picture instead of a single headline count:
Outstanding patches
A published upstream fix exists. The continuous rebuild picks it up, so pulling a newer tag applies the patch.
Won't fix / Awaiting upstream
No patch exists today. Disclosed rather than hidden; each entry can be checked against security-tracker.debian.org.
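The split above can be reproduced from a raw grype report, which is useful when a reviewer wants to check the two numbers independently of the portal. The script below is an added example, not PodArmor's code or tooling. It assumes grype's JSON output format (`grype <image> -o json`), in which each entry of `matches` carries `vulnerability.fix.state` with one of the values `fixed`, `not-fixed`, `wont-fix` or `unknown`; the embedded report is a constructed sample with placeholder IDs and versions, not findings from a real image, and the file name `classify.py` in the usage comment is hypothetical.

```python
"""Split a grype JSON report into the two buckets described above.

Added example; this is not PodArmor's code. It assumes grype's JSON output
(`grype <image> -o json`): every entry of "matches" has vulnerability.id and
vulnerability.fix.state, the latter one of "fixed", "not-fixed", "wont-fix"
or "unknown".
"""
import json
import sys
from collections import Counter

OUTSTANDING = "outstanding_patches"          # upstream fix published
AWAITING = "wont_fix_or_awaiting_upstream"   # nothing to pull today

# Constructed sample shaped like `grype -o json` output. The CVE IDs and
# package versions are placeholders, not findings from a real scan.
SAMPLE_GRYPE_JSON = """{
  "matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"versions": ["1.2.3-1+deb12u1"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.3-1"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                       "fix": {"versions": ["2.0.1-2"], "state": "fixed"}},
     "artifact": {"name": "exampletool", "version": "2.0.1-1"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.3-1"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Negligible",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "exampletool", "version": "2.0.1-1"}},
    {"vulnerability": {"id": "CVE-0000-0005", "severity": "Unknown",
                       "fix": {"versions": [], "state": "unknown"}},
     "artifact": {"name": "otherlib", "version": "0.9"}}
  ]
}"""


def load_report(text: str) -> dict:
    """Parse grype JSON text (from a file, stdin or the sample above)."""
    return json.loads(text)


def classify_match(match: dict) -> str:
    """Map one grype match onto a bucket.

    grype sets state to "fixed" when its vulnerability data lists a fixed
    version for the matched package. "not-fixed", "wont-fix" and "unknown"
    all mean there is nothing to pull today, so they share the second bucket;
    "unknown" stays visible in the per-state breakdown because it deserves a
    manual look rather than silent acceptance.
    """
    fix = match.get("vulnerability", {}).get("fix", {})
    return OUTSTANDING if fix.get("state") == "fixed" else AWAITING


def classify_report(report: dict) -> dict:
    """Return {bucket: [finding, ...]} with the fields a reviewer asks about."""
    buckets = {OUTSTANDING: [], AWAITING: []}
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        art = match["artifact"]
        fix = vuln.get("fix", {})
        buckets[classify_match(match)].append({
            "id": vuln["id"],
            "package": f"{art['name']} {art['version']}",
            "severity": vuln.get("severity", "Unknown"),
            "fix_state": fix.get("state", "unknown"),
            "fixed_in": fix.get("versions", []),
        })
    return buckets


def summarize(report: dict) -> dict:
    """The two headline numbers plus the raw grype fix-state breakdown."""
    buckets = classify_report(report)
    findings = [f for b in buckets.values() for f in b]
    return {
        "total": len(findings),
        "distinct_cves": len({f["id"] for f in findings}),
        OUTSTANDING: len(buckets[OUTSTANDING]),
        AWAITING: len(buckets[AWAITING]),
        "by_fix_state": dict(Counter(f["fix_state"] for f in findings)),
    }


if __name__ == "__main__":
    # Usage: grype <image> -o json | python classify.py
    # With no piped input the constructed sample is classified instead.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    report = load_report(text or SAMPLE_GRYPE_JSON)
    print(json.dumps(summarize(report), indent=2))
    for finding in classify_report(report)[OUTSTANDING]:
        print(f"fix available: {finding['id']} in {finding['package']} "
              f"-> {', '.join(finding['fixed_in'])}")
```

The headline number to compare against a vendor's claim is `outstanding_patches`; a non-zero value there means a newer tag should exist or the rebuild pipeline is behind. The `by_fix_state` breakdown is kept because "unknown" is neither a fix nor a documented won't-fix, and a reviewer will want to resolve those entries against the distro security tracker by hand.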
See CVE classification for the full framing, including how Chainguard, DHI, and Minimus apply the same split for their "zero CVEs" headlines.