Platform
Hardening you can prove.
Every Primcoat image ships with the evidence that describes it — a compliance score, a vulnerability report, a bill of materials, a signature, and provenance.
Hardening policies
Choose a profile. Primcoat selects the matching SCAP Security Guide content for that image's operating system, applies it with OpenSCAP, auto-remediates what it can, and then re-scans to score the result.
CIS Level 1
The baseline benchmark. Practical hardening that does not usually break a general-purpose server.
CIS Level 2
Defense-in-depth for environments where security outranks convenience.
DISA STIG
The Security Technical Implementation Guides required across US federal and defense programs.
Custom
Start from a benchmark and record explicit, documented exceptions where a control genuinely does not apply to your environment.
Builds fail closed
Set a compliance threshold and a CVE severity budget on the image definition. If a build comes in under the threshold, or carries a vulnerability you said you would not accept, the build fails and nothing is published.
This is the difference between a scan and a gate. A scan tells you an image was non-compliant after it reached production. A gate keeps it from getting there.
What every build produces
These are generated automatically and retrievable through the API. There is no separate step you have to remember to run.
- Compliance report
- The post-hardening OpenSCAP evaluation, with a score and a per-rule result for the profile you selected.
- CVE scan report
- Known vulnerabilities in the packages present in the finished image, with severity counts you can gate a build on.
- SBOM
- A complete software bill of materials, emitted in both CycloneDX and SPDX so it fits whichever toolchain you already run.
- Signature & provenance
- A Cosign signature over the artifact, plus SLSA build provenance describing how and from what the image was produced.
Secrets stay out of the image
License keys, API tokens, and enrollment credentials are encrypted at rest and injected as environment variables during the build. They are never written to the image filesystem.
After the build, Primcoat scans the finished image for the secret values it was given, and fails the build if it finds one. An agent that needed a token to install should not leave that token sitting on every machine you deploy.
Hand your auditor the evidence, not a promise.
Compliance scores, SBOMs, CVE reports, signatures, and provenance — on every image, automatically.