Introducing: The ActiveState Secure Container Catalog
Jonny Rivera
November 12, 2025

Frequently Asked Questions
What is the ActiveState Secure Container Catalog and what can I find there?
The ActiveState Secure Container Catalog is a dedicated browsing and evaluation tool available at catalog.activestate.com that gives developers, DevOps engineers, and security teams a complete view of ActiveState's secure container images before pulling them. Each image in the catalog displays real-time CVE counts by severity refreshed daily, VEX advisories that clarify which vulnerabilities actually represent exploitable risk, a full component list including every package, version, and license, build-time SBOMs for compliance documentation, and architecture and compatibility information. The catalog also displays ActiveState images alongside their community-maintained counterparts, so teams can compare security postures and component lists side by side rather than having to pull images and run separate testing to understand the difference.
How is the ActiveState Secure Container Catalog different from DockerHub or other public registries?
Public registries like DockerHub are distribution platforms. They serve images but do not provide the security evaluation data that teams need to make an informed decision before adopting an image. To assess the security posture of a community image from DockerHub, a team typically has to pull the image, run a scanner, interpret the results, and then manually compare against alternatives. The ActiveState Secure Container Catalog surfaces that information directly in the browsing experience, including CVE severity breakdowns, VEX advisory context, complete SBOM data, and a direct side-by-side comparison against community alternatives, so due diligence happens before the pull rather than after.
What is a VEX advisory and why does the catalog surface them alongside CVE counts?
A CVE count tells you how many known vulnerabilities exist in a component. A VEX (Vulnerability Exploitability eXchange) advisory tells you whether those vulnerabilities are actually exploitable given the specific build configuration of the image. A hardened, minimal container may include a component that has a CVE, but if the vulnerable code path requires a shell or package manager that has been stripped out of the image, the vulnerability has no practical attack surface. Without VEX context, scanner output can inflate the apparent risk of a well-hardened image. The catalog surfaces VEX advisories alongside CVE counts so teams can evaluate actual exploitable risk rather than raw vulnerability counts, which is the relevant metric for a security decision.


.png)
.png)
.png)