Available on AWS Marketplace

Hardened Container Images for AWS

DISA STIG + FIPS hardened base images for federal and DoD workloads. Red Hat UBI 8 and UBI 9 achieve zero STIG failures. Rocky Linux and Amazon Linux 2023 harden to the same controls where the benchmark applies.

Ships minimal. Stays minimal. Automated CVE scanning gates every release. Images are rebuilt automatically when patches become available — published scan reports mean you always know exactly what's in your image.

5 STIG+FIPS images, federally hardened
STIG: DISA STIG V2R6 (RHEL 8) · V1R3 (RHEL 9)
0 CRITICAL CVEs at release, CI-enforced
0 STIG failures · UBI 8 & 9 independently validated
Compliance

DISA STIG + FIPS hardening

Each image is independently hardened, scanned with OpenSCAP, and must achieve 0 failures before it ships.

STIG + FIPS 140-3
DISA STIG with FIPS 140-3

DISA STIG hardening with FIPS 140-3 compliant userspace cryptography. UBI 8 and UBI 9 validated at 0 failures with ComplianceAsCode v0.1.80. For DoD and federal workloads — FedRAMP, IL2–IL4, and CMMC.

Amazon Linux 2023 · Red Hat UBI 8 · Red Hat UBI 9 · Rocky Linux 8 · Rocky Linux 9
Supply Chain Security

Signed, attested, and transparent

Every image ships with cryptographic provenance. Verify integrity and inspect the full component inventory before deployment.

Signed with Cosign

Keyless Sigstore signing via GitHub Actions OIDC. Every tag has a verifiable signature in the Rekor public transparency log.

cosign verify \
  --certificate-oidc-issuer \
    https://token.actions.githubusercontent.com \
  --certificate-identity-regexp \
    "mandmstudios/hardened-container-images/.github/workflows/publish.yml" \
  <account>.dkr.ecr.us-east-1.amazonaws.com/<image>:<tag>
SBOM per Image Tag

CycloneDX SBOM generated by Syft, attached as a cosign OCI attestation alongside each image. Retrievable with standard tooling.

cosign verify-attestation \
  --type cyclonedx \
  --certificate-oidc-issuer \
    https://token.actions.githubusercontent.com \
  --certificate-identity-regexp \
    "mandmstudios/hardened-container-images/.github/workflows/publish.yml" \
  <account>.dkr.ecr.us-east-1.amazonaws.com/<image>:<tag> \
  | jq -r '.payload' | base64 -d | jq '.predicate'
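What the `jq` pipeline above does by hand, written out as a small parser: decode the DSSE envelope that `cosign verify-attestation` prints, check that the payload is an in-toto statement carrying a CycloneDX predicate, and answer "is package X in this image?" from the component list. This is an added example, not code from the product or from cosign; the envelope, subject name, package names and versions are constructed for illustration (the signature bytes are dummies, since cosign has already verified the signature before this output exists).

```python
"""Decode a cosign CycloneDX attestation (DSSE envelope) and query its component inventory.

Added example; the envelope below is constructed to mirror cosign's output shape.
"""
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"   # DSSE payloadType cosign emits
CYCLONEDX_PREDICATE = "https://cyclonedx.org/bom"         # predicateType for --type cyclonedx

# Constructed in-toto statement wrapping a tiny CycloneDX SBOM (not a real image's inventory).
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": CYCLONEDX_PREDICATE,
    "subject": [{"name": "<account>.dkr.ecr.us-east-1.amazonaws.com/ubi8-stig-fips",
                 "digest": {"sha256": "0" * 64}}],   # placeholder digest
    "predicate": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "openssl-libs", "version": "1:1.1.1k-12.el8"},
            {"type": "library", "name": "glibc", "version": "2.28-225.el8"},
            {"type": "library", "name": "bash", "version": "4.4.20-4.el8"},
        ],
    },
}

# Constructed DSSE envelope: the JSON object cosign prints, one per line, per attestation.
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": base64.b64encode(b"dummy").decode()}],
})


def decode_attestation(envelope_json: str) -> dict:
    """Return the in-toto statement inside a DSSE envelope.

    Rejects anything that is not an in-toto statement with a CycloneDX predicate, so a
    wrong attestation type cannot silently be treated as an SBOM.
    """
    env = json.loads(envelope_json)
    if env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {env.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(env["payload"]))
    if statement.get("predicateType") != CYCLONEDX_PREDICATE:
        raise ValueError(f"not a CycloneDX attestation: {statement.get('predicateType')!r}")
    return statement


def components(statement: dict) -> dict:
    """Map component name -> version from the CycloneDX predicate."""
    return {c["name"]: c.get("version", "")
            for c in statement["predicate"].get("components", [])}


def has_component(statement: dict, name: str, version_prefix: str = "") -> bool:
    """True if the SBOM lists `name`, optionally at a version starting with version_prefix."""
    ver = components(statement).get(name)
    return ver is not None and ver.startswith(version_prefix)


if __name__ == "__main__":
    st = decode_attestation(SAMPLE_ENVELOPE)
    for pkg, ver in sorted(components(st).items()):
        print(f"{pkg}\t{ver}")
```

To run it against a real image, pipe the output of the `cosign verify-attestation` command above into the script one line at a time instead of using `SAMPLE_ENVELOPE`; the predicate is the CycloneDX document Syft produced, so the same `components()` lookup applies.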
Published Compliance Reports

OpenSCAP results and CVE scan data for every image, updated at each release. Inspect findings before subscribing.

Validation Status

STIG + FIPS image pipeline

Each image is independently built, scanned with oscap-podman, and must achieve 0 failures before shipping. Scan reports are published with each release.

Image | Benchmark | SCAP Content | Result | Status
Red Hat UBI 8 · STIG+FIPS | DISA STIG RHEL 8 V2R6 | CAC v0.1.80 | 50 pass, 0 fail, 2 n/a |
Red Hat UBI 9 · STIG+FIPS | DISA STIG RHEL 9 V1R3 | CAC v0.1.80 | 75 pass, 0 fail, 2 n/a |
Rocky Linux 8 · STIG+FIPS | DISA STIG RHEL 8 V2R6 | CAC v0.1.80 | 48 pass, 0 applicable fail, 2 n/a | 2 inapplicable to Rocky Linux
Rocky Linux 9 · STIG+FIPS | DISA STIG RHEL 9 V1R3 | CAC v0.1.80 | 72 pass, 0 applicable fail, 2 n/a | 3 inapplicable to Rocky Linux
Amazon Linux 2023 · STIG+FIPS | No official DISA STIG | STIG-equivalent hardening | see profiles below | no official DISA STIG benchmark
  amazonlinux2023-cis-level1 | | | 65 pass, 1 fail |
  amazonlinux2023-cis-level2 | | | 66 pass, 1 fail, 1 n/a |
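The pass/fail/n/a counts in the table are what an XCCDF results document from `oscap` boils down to. The following added example (not the vendor's pipeline code) shows the shape of a "0 failures" release gate: it walks every `rule-result` in an XCCDF 1.2 results file, tallies the result values, and returns whether the image may ship. The embedded results document and its rule ids are constructed, not real STIG rule ids; treating `error` as blocking alongside `fail` is a choice made here, on the grounds that a check that could not run gives no evidence the control is met.

```python
"""Summarize an OpenSCAP/XCCDF results file and apply a 0-failures release gate.

Added example; the results document below is constructed with illustrative rule ids.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed XCCDF 1.2 results fragment, the <TestResult> that
# `oscap xccdf eval --results` writes. Rule ids are made up.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult" start-time="2024-01-01T00:00:00">
    <profile idref="xccdf_example_profile_stig"/>
    <rule-result idref="xccdf_example_rule_umask" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_fips_enabled" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_grub_password" severity="medium"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_package_telnet" severity="high"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""

BLOCKING_RESULTS = ("fail", "error")   # our gate policy: a check that errored is not evidence of compliance


def rule_results(xml_text: str) -> list:
    """Return (rule id, severity, result) for every rule-result element.

    Uses iter() from the root so it works on a bare XCCDF results document and on an
    ARF report that embeds one.
    """
    root = ET.fromstring(xml_text)
    out = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        value = res.text.strip() if res is not None and res.text else "unknown"
        out.append((rr.get("idref", ""), rr.get("severity", ""), value))
    return out


def summarize(xml_text: str) -> dict:
    """Counts per XCCDF result value (pass, fail, notapplicable, notchecked, error, ...)."""
    return dict(Counter(r for _, _, r in rule_results(xml_text)))


def failing_rules(xml_text: str) -> list:
    """Rule ids whose result blocks release."""
    return [rid for rid, _, r in rule_results(xml_text) if r in BLOCKING_RESULTS]


def release_gate(xml_text: str) -> bool:
    """True only when no rule failed: the 0-failures condition the pipeline enforces."""
    return not failing_rules(xml_text)


if __name__ == "__main__":
    print(summarize(SAMPLE_RESULTS))
    for rid in failing_rules(SAMPLE_RESULTS):
        print("BLOCKING:", rid)
    print("release:", "allowed" if release_gate(SAMPLE_RESULTS) else "blocked")
```

In a CI job the script would read the `--results` file `oscap-podman` wrote and exit non-zero when `release_gate()` is false; `notapplicable` counts are reported but never block, which is how the Rocky rows above can show inapplicable rules and still pass.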
Usage

Drop-in base image

Compatible with any Dockerfile — the hardening lives in the base layer, your application layers run on top unchanged.

Dockerfile
# Hardened base layer; for production, pin the digest that `cosign verify` checked
# (…@sha256:<digest>) instead of the mutable :latest tag.
FROM <account>.dkr.ecr.us-east-1.amazonaws.com/ubi8-stig-fips:latest

# Your application layers
COPY myapp /usr/local/bin/myapp
CMD ["/usr/local/bin/myapp"]

Works with your existing Dockerfile

Use any of the 5 images as a drop-in replacement. STIG hardening is applied at the base layer — no changes needed to your application layers.

Your ECS task role or EC2 instance profile needs one IAM permission: aws-marketplace:RegisterUsage.

Local and CI use: outside AWS, RegisterUsage returns PlatformNotSupportedException and the error is silently ignored.

Live scan data — updated at every release

CVE counts and OpenSCAP results across all 5 STIG+FIPS images. No account required.
