HN Debrief

Minimus container images are now free

  • Security
  • Infrastructure
  • Open Source
  • Developer Tools

Minimus opened up its Community Edition, making more than a thousand hardened OCI container images free to use. The company says the images are built continuously from upstream source, assembled onto a distroless base, signed, published with a software bill of materials, and offered in both amd64 and arm64. The intended value is simple: swap in these images for standard Docker Hub style bases and cut known CVEs by shrinking the filesystem and rebuilding quickly when upstream components change. Enterprise features like alerting, integrations, image customization, self-hosting, support, and SLAs remain paid.

If you already pay for hardened base images, compare Minimus on practical details, not marketing copy: image coverage, openness, notification workflow, and migration cost. If you try it, treat it like any third-party registry dependency by caching images internally and keeping your own runtime visibility and vulnerability scanning.

Discussion mood

Mostly positive about getting a large free library of hardened images, with real interest from people already sold on minimal continuously patched bases. The main frustration was poor product communication and UX, especially the mobile block, plus predictable skepticism about trust, openness, and long-term dependency on another image vendor.

Key insights

  1. 01

    Treat the registry as cacheable infrastructure

    Because these are standard Open Container Initiative images from a standard registry, the smart way to consume them is through your own pull-through cache or internal mirror. That reframes the lock-in fear. The immediate risk is not that production breaks if Minimus changes terms tomorrow, it is that teams who skip internal caching are creating an unnecessary external dependency in the first place.

    If you pilot these images, put them behind your existing registry mirror on day one. Make provider swaps and outage isolation part of the rollout plan, not a cleanup task.

      Attribution:
    • itintheory #1
    • morellonet #1
  2. 02

    Fast rebuilds do not replace image inventory

    Building continuously from upstream cuts exposure to stale packages, but it also means fixes and compromises propagate quickly. The useful security control is not delaying updates by a few days. It is knowing which images are actually deployed and wiring notifications or rebuild automation to that inventory. That is why runtime-aware scanners and update hooks matter more than a generic “X days old” policy.

    Tie any base-image adoption to deployment inventory and alerting. If you cannot answer which running workloads depend on which image digest, you will not get the full benefit of fast image rebuilds.

      Attribution:
    • pixl97 #1
    • hobofan #1
    • morellonet #1
    • s_ting765 #1
  3. 03

    SBOMs and signatures are helpful, not sufficient

    The trust story here landed in a familiar middle ground. Signed images and cryptographically verifiable software bills of materials improve auditability, but they are still attestations from the vendor unless builds are reproducible and the build process is independently inspectable. Requests for Dockerfiles, CI logs, and open tooling were really requests to move from “trust us with evidence” toward “verify more of it yourself.”

    Use vendor SBOMs and signatures as inputs to your policy, not as a substitute for it. If build transparency matters for your environment, ask for reproducibility details before standardizing on the images.

      Attribution:
    • morellonet #1 #2
    • danudey #1
    • csnoob #1
  4. 04

    The product is clearer once you separate runtime and build variants

    Several practical questions boiled down to one distinction the site did not explain well. The default images are distroless and intentionally sparse. The -dev variants add a shell, apk, and common tooling so you can install extensions, debug, or do multi-stage builds before copying artifacts into a smaller runtime image. That makes the offering much less mysterious for teams used to fuller base images.

    Evaluate these images the same way you would evaluate distroless adoption generally. Plan for a two-image workflow where development and build steps use -dev, while production runs the slimmer runtime image.

      Attribution:
    • assafShapira #1
    • sara_halper #1
    • morellonet #1 #2 #3 #4
  5. 05

    Free images are the funnel, not the business

    The long-term plan appears straightforward. Minimus is betting that image bits become the low-friction entry point, while revenue comes from enterprise controls like SLAs, integrations, self-hosting, SSO, and image creator. That makes the free tier feel less like a temporary promo and more like a distribution strategy, though it does not remove migration cost if the strategy changes later.

    Model this as open access to a proprietary supply chain service, not as a public utility. Before broad adoption, decide which paid enterprise capabilities you would need if free access stayed but governance requirements rose.

      Attribution:
    • morellonet #1 #2 #3

Against the grain

  1. 01

    Another hardened-image vendor can still centralize risk

    The hardest pushback was not about CVE counts. It was about concentration. A service that becomes the trusted source for many “safe” images could become a high-value target, and signed metadata does not erase the fact that customers are trusting one company’s build pipeline at scale. That criticism lands even if the product is competently run, because the risk comes from aggregation itself.

    Do not let lower CVE counts trick you into simpler threat modeling. If one provider starts supplying many of your base images, treat that as supply chain concentration risk and diversify where it matters.

      Attribution:
    • alfanick #1 #2
    • morellonet #1 #2
  2. 02

    The differentiation may be narrower than advertised

    Skeptics challenged whether “more images,” “no signup,” and “agent-ready migration prompts” really answer the core why-versus-Chainguard or why-versus-Docker question. The durable product difference is the build model and resulting attack-surface reduction. The rest is convenience, packaging breadth, and go-to-market. That matters if you already have a hardened image workflow and are deciding whether migration buys enough to justify the churn.

    If you already use Chainguard or Docker Hardened Images, benchmark actual image contents and operational fit before switching. Convenience features are not enough reason to migrate a mature container baseline.

      Attribution:
    • ramon156 #1
    • morellonet #1
  3. 03

    The website undermined technical credibility

    Blocking mobile browsers from even viewing image details felt sloppy for a product selling security and infrastructure rigor. People were not asking for polished responsive design. They were asking not to be artificially blocked from basic evaluation. For a trust-sensitive product, rough edges like this do more damage than they would for a consumer app.

    If you are selling developer infrastructure, basic product access is part of the trust surface. Fix friction in docs, compatibility, and evaluation flow before trying to win technical buyers with security claims.

      Attribution:
    • charukiewicz #1
    • jjice #1
    • nikanj #1

In plain english

amd64
The 64-bit x86 processor architecture used by most servers and desktops.
apk
Alpine Package Keeper, the package manager used by Alpine Linux.
arm64
The 64-bit ARM processor architecture used by many cloud instances, mobile devices, and newer servers.
CVE
Common Vulnerabilities and Exposures, a public identifier assigned to a known security flaw.
distroless
A container image style that strips out most operating system utilities and packages, leaving only what is needed to run the application.
FIPS
Federal Information Processing Standards, a set of U.S. government security standards often required in regulated environments.
OCI
Open Container Initiative, the standards body and format used for container images and registries such as those used by Docker and Kubernetes.
SLSA 3
Supply-chain Levels for Software Artifacts level 3, a security framework level that requires stronger controls and provenance around software builds.
SSO
Single sign-on, a system that lets users access multiple services with one identity provider.
Wolfi
A Linux distribution and packaging ecosystem designed for minimal container images and supply chain security.

Reference links

Minimus documentation and product references

Scanning and security tooling mentioned

  • Trivy
    Named as a scanner readers could use to compare CVE counts across images.
  • Grype
    Named as another scanner for validating the claimed reduction in vulnerabilities.
  • Wiz
    Mentioned as an existing scanner that can inspect these images.
  • AWS Inspector
    Mentioned as another scanner and assessment tool users may already have in place.

Competing or comparable offerings

  • Docker Hardened Images
    Primary comparison point raised by readers asking why Minimus is different.
  • Chainguard Images
    Primary comparison point for free and paid hardened container image libraries.
  • Wolfi
    Cited as an easier-to-trust comparison because of its open source packaging ecosystem.