PodArmor docs

Image catalog

What's in the catalog, how images are organised, and how to find what you need.

PodArmor's catalog is organised around two axes:

  • Public vs private. The public catalog (public.ecr.aws/e8w9b9r7/podarmor/*) can be pulled by anyone. The private catalog is per-customer and lives in a customer-owned AWS account so internal CI can pull without a credential-swap dance.
  • Build vs deploy. Build images are heavier — they contain Maven / Gradle / npm tooling, are intended for use as a FROM in a multi-stage Dockerfile, and live in the CI pipeline. Deploy images are minimal runtime-only — distroless, non-root, no shell, no package manager.

Most customers have a mix of both per stack.

How to find an image

The portal's Images page lists every image you have access to, with the current CVE counts and pull commands inline. Each image has a detail page covering:

  • Tag history (every published -r{epoch})
  • Outstanding patches vs Won't fix / Awaiting upstream split
  • Side-by-side comparison against the upstream we replace
  • Hardening attestation (non-root, no-shell, distroless, etc.)
  • Full SBOM
  • Per-CVE remediation status
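The deploy-image properties listed above (non-root, no shell, no package manager) can also be checked independently of the portal. The following is an added example, not PodArmor code: it assumes you have the image's OCI config JSON and a file listing of its root filesystem, and the binary name lists and sample data are constructed for illustration.

```python
import posixpath

# Assumed name lists (not from PodArmor); extend them for your own stack.
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "busybox"}
PKG_MANAGERS = {"apt", "apt-get", "dpkg", "apk", "yum", "dnf", "rpm", "microdnf"}
BIN_DIRS = {"bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin", "usr/local/sbin"}

def runs_as_root(image_config):
    """True if the OCI image config leaves the process running as uid 0."""
    user = (image_config.get("config") or {}).get("User", "")
    uid = user.split(":", 1)[0].strip()
    return uid in ("", "0", "root")  # an unset User defaults to root

def find_binaries(paths, names):
    """Return sorted rootfs paths inside a bin directory whose basename is in names."""
    hits = []
    for raw in paths:
        p = posixpath.normpath(raw).lstrip("/")  # "./bin/sh" and "/bin/sh" -> "bin/sh"
        if posixpath.dirname(p) in BIN_DIRS and posixpath.basename(p) in names:
            hits.append(p)
    return sorted(hits)

def audit_deploy_image(image_config, paths):
    """List every way the image falls short of the deploy-image properties."""
    findings = []
    if runs_as_root(image_config):
        findings.append("runs as root (config.User unset or 0)")
    for label, names in (("shell", SHELLS), ("package manager", PKG_MANAGERS)):
        for hit in find_binaries(paths, names):
            findings.append(f"{label} present: {hit}")
    return findings

# Constructed sample inputs: one runtime-only image, one build-style image.
DEPLOY_CFG = {"config": {"User": "65532:65532", "Entrypoint": ["/usr/bin/java"]}}
DEPLOY_FILES = ["./usr/bin/java", "./etc/passwd", "./usr/lib/jvm/"]
BUILD_CFG = {"config": {"Entrypoint": ["/bin/sh"]}}
BUILD_FILES = ["./bin/sh", "./usr/bin/apt-get", "./usr/bin/mvn"]

if __name__ == "__main__":
    for name, cfg, files in (("deploy", DEPLOY_CFG, DEPLOY_FILES),
                             ("build", BUILD_CFG, BUILD_FILES)):
        print(name, audit_deploy_image(cfg, files) or "OK")
```

A build image is expected to produce findings here; the check is meant as a gate on what reaches the final runtime stage.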

Available image families

A public catalog index is hosted at public.ecr.aws/e8w9b9r7/podarmor. For private catalogs, your portal subdomain is the source of truth.
