VERITY

Container images ship with packages — OS and application-level — that accumulate CVEs daily. Upstream maintainers patch on their own schedule — if at all. That leaves you choosing between manually rebuilding every image or running known-vulnerable containers in production.

Verity eliminates that trade-off. It continuously scans images, patches them in-place with Copa (no Dockerfile rebuild), and publishes signed, attested, drop-in replacements.

157
Images
14
Categories
amd64 + arm64
Platforms
FIPS
Available

How it works

1
Discover — images from Helm charts and copa-config.yaml
2
Scan — Trivy detects known CVEs
3
Patch — Copa fixes packages in-place (no rebuild)
4
Sign — cosign + SLSA L3 + SBOM attestations
5
Publish — pushed to ghcr.io/verity-org
Runs daily at 02:00 UTC and on every config change. Source

Use a patched image

Replace your image reference. That's it.

# Pull a patched image
docker pull ghcr.io/verity-org/library/redis:8.6.0
Every image is signed and attested. Compliance details
78 Copa-patched upstream images | 79 Wolfi-based hardened images | 3 Helm wrapper charts | cosign signed + SLSA L3 + CycloneDX SBOM

Helm Charts

View all →

Drop-in Helm wrapper charts with all image references pre-patched.

prometheus v28.9.1
helm install prometheus oci://ghcr.io/verity-org/charts/prometheus --version 28.9.1
3 patched image overrides
2482
victoria-logs-single v0.11.26
helm install victoria-logs-single oci://ghcr.io/verity-org/charts/victoria-logs-single --version 0.11.26
2 patched image overrides
21
postgres-operator v1.15.1
helm install postgres-operator oci://ghcr.io/verity-org/charts/postgres-operator --version 1.15.1
2 patched image overrides
1231

Image Catalog

Covering the full cloud-native stack — from language runtimes to service mesh, databases to CI/CD. Every image is scanned, patched, signed, and published to ghcr.io/verity-org.

Languages & Build Tools

15
golang
FIPS 3 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ golang
python
2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ python
node
2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ node
rust
2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ rust
ruby
2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ ruby
dotnet
2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ dotnet
erlang
Wolfi-Based
0 CVE
ghcr.io/verity-org/ erlang
openjdk
2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ openjdk
php
2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ php
deno
Wolfi-Based
0 CVE
ghcr.io/verity-org/ deno
gcc
Wolfi-Based
0 CVE
ghcr.io/verity-org/ gcc
gradle
Wolfi-Based
0 CVE
ghcr.io/verity-org/ gradle
maven
Wolfi-Based
0 CVE
ghcr.io/verity-org/ maven
bazel
Wolfi-Based
0 CVE
ghcr.io/verity-org/ bazel
ko
Wolfi-Based
0 CVE
ghcr.io/verity-org/ ko

Web Servers & Proxies

12
caddy
FIPS 2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ caddy
nginx
FIPS 2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ nginx
httpd
Wolfi-Based
0 CVE
ghcr.io/verity-org/ httpd
haproxy
Wolfi-Based
0 CVE
ghcr.io/verity-org/ haproxy
traefik
Wolfi-Based
0 CVE
ghcr.io/verity-org/ traefik
envoy
Wolfi-Based
0 CVE
ghcr.io/verity-org/ envoy
nginx-s3-gateway
Patched
0 CVE
ghcr.io/verity-org/ nginxinc/nginx-s3-gateway
haproxy-ingress
Wolfi-Based
0 CVE
ghcr.io/verity-org/ haproxy-ingress
ingress-nginx-controller
Patched
0 CVE
ghcr.io/verity-org/ kubernetes/ingress-nginx/controller
kube-webhook-certgen
Patched
0 CVE
ghcr.io/verity-org/ kubernetes/ingress-nginx/kube-webhook-certgen
ingress-defaultbackend
Patched
0 CVE
ghcr.io/verity-org/ kubernetes/ingress-nginx/defaultbackend
tomcat
Patched
0 CVE
ghcr.io/verity-org/ library/tomcat

Databases & Caching

21
postgres
2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ postgres
redis
Patched
5771
ghcr.io/verity-org/ library/redis
valkey
Wolfi-Based
0 CVE
ghcr.io/verity-org/ valkey
mongodb
Patched
0 CVE
ghcr.io/verity-org/ mongodb/mongodb-community-server
mariadb
Wolfi-Based
0 CVE
ghcr.io/verity-org/ mariadb
elasticsearch
Patched
84749
ghcr.io/verity-org/ library/elasticsearch
opensearch
Patched
0 CVE
ghcr.io/verity-org/ opensearchproject/opensearch
opensearch-dashboards
Patched
0 CVE
ghcr.io/verity-org/ opensearchproject/opensearch-dashboards
cockroachdb
Patched
1321
ghcr.io/verity-org/ cockroachdb/cockroach
clickhouse
Patched
0 CVE
ghcr.io/verity-org/ clickhouse/clickhouse-server
rqlite
Patched
0 CVE
ghcr.io/verity-org/ rqlite/rqlite
influxdb
Wolfi-Based
0 CVE
ghcr.io/verity-org/ influxdb
memcached
Wolfi-Based
0 CVE
ghcr.io/verity-org/ memcached
pgbouncer
Wolfi-Based
0 CVE
ghcr.io/verity-org/ pgbouncer
redisinsight
Patched
19124
ghcr.io/verity-org/ redis/redisinsight
eck-operator
Patched
1211
ghcr.io/verity-org/ elastic/eck-operator
postgres-operator
Patched
1231
ghcr.io/verity-org/ zalando/postgres-operator
Redis (OpsTree)
Patched
0 CVE
ghcr.io/verity-org/ opstree/redis
Redis Sentinel (OpsTree)
Patched
0 CVE
ghcr.io/verity-org/ opstree/redis-sentinel
minio
Wolfi-Based
0 CVE
ghcr.io/verity-org/ minio
minio-client
Wolfi-Based
0 CVE
ghcr.io/verity-org/ minio-client

Messaging & Streaming

8

Kubernetes & Orchestration

21
kubectl
Wolfi-Based
0 CVE
ghcr.io/verity-org/ kubectl
helm
FIPS 2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ helm
etcd
Wolfi-Based
0 CVE
ghcr.io/verity-org/ etcd
karpenter
Patched
0 CVE
ghcr.io/verity-org/ aws/karpenter
cluster-autoscaler
Patched
0 CVE
ghcr.io/verity-org/ kubernetes/autoscaler/cluster-autoscaler
external-dns
Patched
0 CVE
ghcr.io/verity-org/ kubernetes-sigs/external-dns
kube-state-metrics
Wolfi-Based
0 CVE
ghcr.io/verity-org/ kubernetes/kube-state-metrics/kube-state-metrics
kubernetes-reflector
Patched
0 CVE
ghcr.io/verity-org/ emberstack/kubernetes-reflector
secrets-store-csi-driver
Patched
0 CVE
ghcr.io/verity-org/ kubernetes-sigs/secrets-store-csi-driver
secrets-store-csi-provider-gcp
Patched
0 CVE
ghcr.io/verity-org/ googlecloudplatform/secrets-store-csi-driver-provider-gcp
k8s-sidecar
Patched
0 CVE
ghcr.io/verity-org/ kiwigrid/k8s-sidecar
configmap-reload
Wolfi-Based
0 CVE
ghcr.io/verity-org/ configmap-reload
node-feature-discovery
Patched
0 CVE
ghcr.io/verity-org/ kubernetes-sigs/node-feature-discovery
k3s
Patched
0 CVE
ghcr.io/verity-org/ rancher/k3s
crossplane
Wolfi-Based
0 CVE
ghcr.io/verity-org/ crossplane
terraform
FIPS 2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ terraform
eks-distro-coredns
Patched
0 CVE
ghcr.io/verity-org/ aws/eks-distro/coredns/coredns
eks-distro-kube-apiserver
Patched
0 CVE
ghcr.io/verity-org/ aws/eks-distro/kubernetes/kube-apiserver
eks-distro-kube-scheduler
Patched
0 CVE
ghcr.io/verity-org/ aws/eks-distro/kubernetes/kube-scheduler
eks-distro-kube-proxy
Patched
0 CVE
ghcr.io/verity-org/ aws/eks-distro/kubernetes/kube-proxy
eks-distro-csi-node-driver-registrar
Patched
0 CVE
ghcr.io/verity-org/ aws/eks-distro/kubernetes-csi/node-driver-registrar

Service Mesh & Networking

12
istio/proxyv2
Wolfi-Based
0 CVE
ghcr.io/verity-org/ istio-proxyv2
istio-pilot
Wolfi-Based
0 CVE
ghcr.io/verity-org/ istio-pilot
istio-install-cni
Wolfi-Based
0 CVE
ghcr.io/verity-org/ istio-install-cni
cilium-agent
Wolfi-Based
0 CVE
ghcr.io/verity-org/ cilium
cilium-hubble-ui
Patched
0 CVE
ghcr.io/verity-org/ cilium/hubble-ui
calico-cni
Wolfi-Based
0 CVE
ghcr.io/verity-org/ calico-cni
calico-kube-controllers
Wolfi-Based
0 CVE
ghcr.io/verity-org/ calico-kube-controllers
calico-typha
Wolfi-Based
0 CVE
ghcr.io/verity-org/ calico-typha
calico-apiserver
Wolfi-Based
0 CVE
ghcr.io/verity-org/ calico-apiserver
calico-csi
Wolfi-Based
0 CVE
ghcr.io/verity-org/ calico-csi
calico-node-driver-registrar
Wolfi-Based
0 CVE
ghcr.io/verity-org/ calico-node-driver-registrar
calico-key-cert-provisioner
Wolfi-Based
0 CVE
ghcr.io/verity-org/ calico-key-cert-provisioner

Monitoring & Observability

18
prometheus
Wolfi-Based
0 CVE
ghcr.io/verity-org/ prometheus
alertmanager
Wolfi-Based
0 CVE
ghcr.io/verity-org/ alertmanager
grafana
Wolfi-Based
0 CVE
ghcr.io/verity-org/ grafana
loki
Wolfi-Based
0 CVE
ghcr.io/verity-org/ loki
mimir
Wolfi-Based
0 CVE
ghcr.io/verity-org/ mimir
thanos
Wolfi-Based
0 CVE
ghcr.io/verity-org/ thanos
telegraf
Wolfi-Based
0 CVE
ghcr.io/verity-org/ telegraf
vector
Wolfi-Based
0 CVE
ghcr.io/verity-org/ vector
pushgateway
Wolfi-Based
0 CVE
ghcr.io/verity-org/ pushgateway
grafana-operator
Patched
0 CVE
ghcr.io/verity-org/ grafana/grafana-operator
prometheus-node-exporter
Patched
1461
ghcr.io/verity-org/ prometheus/node-exporter
prometheus-mysqld-exporter
Patched
0 CVE
ghcr.io/verity-org/ prometheus/mysqld-exporter
prometheus-config-reloader
Patched
0 CVE
ghcr.io/verity-org/ prometheus-operator/prometheus-config-reloader
prometheus-es-exporter
Patched
1231
ghcr.io/verity-org/ prometheuscommunity/elasticsearch-exporter
promtail
Patched
175
ghcr.io/verity-org/ grafana/promtail
datadog-agent
Patched
0 CVE
ghcr.io/verity-org/ datadog/agent
datadog-cluster-agent
Patched
0 CVE
ghcr.io/verity-org/ datadog/cluster-agent
newrelic-infra-bundle
Wolfi-Based
0 CVE
ghcr.io/verity-org/ newrelic-infrastructure-bundle

Logging

5

CI/CD & GitOps

4

Security & Identity

10

Policy & Compliance

6

Cert Management

5

Data & ML

3

Base & Utilities

17
distroless/static
Patched
0 CVE
ghcr.io/verity-org/ distroless/static
busybox
Patched
0 CVE
ghcr.io/verity-org/ library/busybox
bash
Patched
0 CVE
ghcr.io/verity-org/ library/bash
curl
Wolfi-Based
0 CVE
ghcr.io/verity-org/ curl
git
Wolfi-Based
0 CVE
ghcr.io/verity-org/ git
docker-cli
Patched
0 CVE
ghcr.io/verity-org/ library/docker
google-cloud-sdk
Patched
0 CVE
ghcr.io/verity-org/ google/cloud-sdk
powershell
Patched
0 CVE
ghcr.io/verity-org/ powershell/powershell
hugo
Patched
0 CVE
ghcr.io/verity-org/ klakegg/hugo
wordpress
Patched
0 CVE
ghcr.io/verity-org/ library/wordpress
sonarqube
Patched
0 CVE
ghcr.io/verity-org/ library/sonarqube
sonar-scanner-cli
Patched
0 CVE
ghcr.io/verity-org/ sonarsource/sonar-scanner-cli
ntpd-rs
Patched
0 CVE
ghcr.io/verity-org/ pendulum-project/ntpd-rs
dive
Patched
0 CVE
ghcr.io/verity-org/ wagoodman/dive
crane
FIPS 2 variants
Wolfi-Based
0 CVE
ghcr.io/verity-org/ crane
grype
Wolfi-Based
0 CVE
ghcr.io/verity-org/ grype
coredns
Wolfi-Based
0 CVE
ghcr.io/verity-org/ coredns
; ---