Seal My Container
Sealing an existing image without migrations
The Seal My Container feature allows you to remediate Open Source Software (OSS) vulnerabilities in your existing container images with a single command. By replacing vulnerable packages with their sealed, secure counterparts, you can achieve a clean security scan without the overhead of migrating distributions or refactoring hundreds of CI pipelines.
The Problem: The "Base Image" Trap
Many security solutions focus on providing a "hardened" base image. While starting with a clean base is a good practice, it often fails to solve the real-world complexity of enterprise environments:
The "Dirty" Layer: Even on a clean base, as soon as your engineers install third-party packages or internal dependencies via apt, yum, or apk, they often re-introduce dozens of vulnerabilities.
Pipeline Friction: Migrating to a new distribution requires updating every single Dockerfile and CI pipeline—a massive undertaking if you have hundreds of microservices.
Seal My Container bypasses these hurdles. Instead of asking you to change your foundation, we fix the specific packages within your existing images.
How It Works
The seal image fix command operates directly on your built images. It is designed to be a "wrapper" or a post-build step in your registry workflow.
Pull: The Seal CLI downloads your built container from your registry (DockerHub, ECR, GCR, etc.).
Remediate: The CLI identifies vulnerable packages installed via system package managers and replaces them with their sealed versions.
Push: The CLI uploads the remediated image back to your registry under a new tag.
Support Matrix
| Feature | Supported | Notes |
| --- | --- | --- |
| Package Managers | yum, apt, apk | One of these must be present in the container. |
| System Packages | Yes | Replaces OS-level binaries and libraries. |
| Application Artifacts | No* | .jar or .whl files are not replaced by image fix. |
| Distro Migration | Not Required | Keep your current OS (Ubuntu, RHEL, Alpine, etc.). |
* Pro Tip: To fix Java JARs or Python Wheels, you can use seal fix fs in conjunction with seal image fix during your build process.
Usage Example
To fix an image, you simply need to point the CLI to your registry. Ensure your environment has the necessary registry credentials configured.
In this example, the CLI pulls v1.0.0, swaps the vulnerable system packages, and pushes the result to v1.0.0-sealed. Your original image remains untouched, providing a safe rollback path.
Popular Use Case: The Registry-Level Fix
The most powerful way to use this feature is as a unified post-build step.
Instead of asking 50 different teams to edit their Dockerfiles, you can set up a single automation that triggers whenever a new image is pushed to your registry. This automation runs seal image fix and produces a "Production-Ready" version of that image automatically.
Benefits:
Zero Developer Friction: Engineers don't need to change how they work.
Global Compliance: You ensure that every image running in your cluster has been remediated, regardless of which team built it.
Immediate ROI: You can secure hundreds of pipelines in an afternoon rather than a quarter-long migration project.
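A guard for the registry-triggered automation described above, as an added example that is not Seal's own code: because the CLI pushes the remediated image back to the same registry, that push fires the trigger again unless sealed tags are skipped. The function names, the registry.example.com host and the use of the -sealed suffix as a fixed convention are assumptions; the seal image fix invocation itself is left to the arguments your CLI documents.

```shell
#!/bin/sh
# Added example, not Seal's code. sealed_target and plan_push_events are
# hypothetical names; the "-sealed" suffix follows the usage example's tag.
SEALED_SUFFIX="-sealed"
MAX_TAG_LEN=128   # Docker's limit on tag length

# Print the destination reference for a pushed image, or return non-zero to skip:
#   1 = tag already sealed (our own push; sealing it again would loop forever)
#   2 = digest-only reference, no tag to derive the new one from
#   3 = resulting tag would exceed the tag length limit
sealed_target() {
  st_ref=$1
  st_name=${st_ref%%@*}            # drop "@sha256:..." if present
  st_last=${st_name##*/}           # final path component; may carry ":tag"
  case $st_last in
    *:*) st_tag=${st_last##*:}; st_repo=${st_name%:*} ;;
    *)   case $st_ref in *@*) return 2 ;; esac
         st_tag=latest; st_repo=$st_name ;;   # Docker's default tag
  esac
  case $st_tag in *"$SEALED_SUFFIX") return 1 ;; esac
  [ $(( ${#st_tag} + ${#SEALED_SUFFIX} )) -le "$MAX_TAG_LEN" ] || return 3
  printf '%s:%s%s\n' "$st_repo" "$st_tag" "$SEALED_SUFFIX"
}

# Read one pushed reference per line and print the action the automation takes.
plan_push_events() {
  while IFS= read -r pe_ref; do
    [ -n "$pe_ref" ] || continue
    if pe_dst=$(sealed_target "$pe_ref"); then
      echo "SEAL $pe_ref -> $pe_dst"   # run seal image fix for this pair here
    else
      echo "SKIP $pe_ref"
    fi
  done
}

# Constructed sample push events; the registry port must not be read as a tag.
plan_push_events <<'EOF'
registry.example.com:5000/payments/api:v1.0.0
registry.example.com:5000/payments/api:v1.0.0-sealed
registry.example.com:5000/payments/worker
EOF
```

Log the skipped references as well as the sealed ones, so an image that was never remediated (for example one pushed by digest only) shows up in review instead of silently reaching the cluster.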