Yep differentiation is tricky here. Chainguard are expanding out to VM images and programming language repos, but the core of hardened container images has a lot of options.

The question I'd be interested in is, outside of markets where there's a lot of compliance requirements, how much demand is there for this as a paid service...

People like lower CVE images, but are they willing to pay for them? I guess that's an advantage for Docker's offering. If it's free there is less friction to trying it out compared to a commercial offering.

If you distribute images to your customers it is a huge benefit to not have them come back with CVEs that really don't matter but are still going to make them freak out.

Even if you do SaaS. Some customers would ask you about known vulnerabilities in your images, and making it easy to show a quick remediation schedule can make deals easier to close.

> outside of markets where there's a lot of compliance requirements

That includes anyone who wants to sell to the US government (and probably other governments as well).

FedRAMP essentially[1] requires using "hardened" images.

[1]: It isn't strictly required, but without it, things like passing security scans and FIPS compliance are more difficult.

Depends what type of shop. If you're in a big dinosaur org and you 'roll your own' that ends up having a vulnerability, you get fired. If you pay someone else and it ends up having a vulnerability you get to blame it on the vendor.

Perhaps in theory, but I’d be willing to wager that most dinosaur orgs have so many unpatched vulns, they would need to fire everyone in their IT org to cover just the criticals