Docker Hub Image Analysis — Comprehensive Market Research
Scope: Top 500+ images by pulls and stars, categorised by use case, with CVE landscape, market gaps, and CascadeGuard tier placement rationale.
Data sources: Docker Hub pull/star figures from images.yaml (primary), marketing articles 002–008, SWOT analysis, and Docker Hub public data (as of April 2026). Maintained by: Elena Vasquez, CMO — CascadeGuard
1. Top 384 Images — Pulls, Stars, and CVE Posture
Pull counts are cumulative all-time Docker Hub pulls (billions), sorted descending. Stars measure
developer community intent. Latest Tag is the current recommended stable tag. Est. CVEs is the
approximate known vulnerability count for that tag per public scanner data (Snyk/Trivy/Grype).
A dash (—) indicates no data available.
| Rank | Image | Namespace | Pulls (B) | Stars | Latest Tag | Est. CVEs | Category |
|---|---|---|---|---|---|---|---|
| 1 | fluent/fluent-bit | fluent | 15.20 | — | 3.3 | 15–30 | Observability |
| 2 | memcached | library | 13.09 | 2,439 | 1.6 | 50–80 | Cache |
| 3 | nginx | library | 12.91 | 21,238 | stable-alpine | 20–40 | Web Server |
| 4 | busybox | library | 12.50 | — | 1.36 | 2–5 | Base OS |
| 5 | istio/proxyv2 | istio | 12.20 | — | 1.22.0 | 20–40 | Service Mesh |
| 6 | istio/pilot | istio | 12.00 | — | 1.22.0 | 20–40 | Service Mesh |
| 7 | alpine | library | 11.76 | 11,488 | 3.23 | 0–3 | Base OS |
| 8 | datadog/agent | datadog | 11.20 | — | 7 | 30–60 | Observability |
| 9 | redis | library | 10.51 | 13,552 | 7.4-alpine | 15–25 | Cache |
| 10 | postgres | library | 10.45 | 14,863 | 16 | 50–120 | Database |
| 11 | ubuntu | library | 9.85 | 17,805 | 22.04 | 8–20 | Base OS |
| 12 | python | library | 8.63 | 10,405 | 3.12-slim | 80–120 | Runtime |
| 13 | node | library | 6.33 | 14,147 | 20-slim | 25–80 | Runtime |
| 14 | istio/operator | istio | 6.20 | — | 1.22.0 | 15–30 | Service Mesh |
| 15 | envoyproxy/envoy | envoyproxy | 5.70 | — | v1.30.0 | 20–40 | Proxy |
| 16 | grafana/grafana | grafana | 5.18 | 3,526 | 11.0.0 | 15–35 | Observability |
| 17 | mysql | library | 4.91 | 16,104 | 8.4 | 40–60 | Database |
| 18 | jenkins/jenkins | jenkins | 4.90 | — | lts | 80–150 | CI/CD |
| 19 | mongo | library | 4.73 | 10,714 | 7.0 | 30–60 | Database |
| 20 | grafana/loki | grafana | 4.70 | — | 3.0.0 | 10–25 | Observability |
| 21 | httpd | library | 4.69 | 4,927 | 2.4 | 40–70 | Web Server |
| 22 | timberio/vector | timberio | 4.10 | — | 0.39.0 | 10–20 | Observability |
| 23 | bitnami/postgresql | bitnami | 3.80 | — | 16 | 40–80 | Database |
| 24 | rabbitmq | library | 3.78 | 5,352 | 4.0-management | 20–40 | Messaging |
| 25 | traefik | library | 3.47 | 3,610 | v3.2 | 10–25 | Proxy |
| 26 | bitnami/redis | bitnami | 3.30 | — | 7.4 | 30–60 | Cache |
| 27 | mariadb | library | 3.07 | 6,088 | 11.4 | 40–80 | Database |
| 28 | openjdk | library | 2.61 | 4,115 | 21-slim | 80–150 | Runtime |
| 29 | golang | library | 2.51 | 5,111 | 1.22-alpine | 15–30 | Runtime |
| 30 | grafana/promtail | grafana | 2.50 | — | 3.0.0 | 5–15 | Observability |
| 31 | google/cadvisor | google | 2.10 | — | v0.49.1 | 5–15 | Observability |
| 32 | prom/prometheus | prom | 1.95 | 2,058 | v2.52.0 | 5–20 | Observability |
| 33 | bitnami/mongodb | bitnami | 1.70 | — | 7.0 | 40–80 | Database |
| 34 | debian | library | 1.60 | — | bookworm-slim | 15–30 | Base OS |
| 35 | ruby | library | 1.54 | 2,403 | 3.3-slim | 80–150 | Runtime |
| 36 | php | library | 1.30 | 7,837 | 8.3-fpm-alpine | 40–80 | Runtime |
| 37 | nginxinc/nginx-unprivileged | nginxinc | 1.20 | — | 1.27 | 20–50 | Web Server |
| 38 | sonarqube | library | 1.20 | — | 10.5-community | 50–80 | CI/CD |
| 39 | haproxy | library | 1.12 | 2,012 | 3.0 | 15–30 | Proxy |
| 40 | nginx/nginx-ingress | nginx | 1.10 | — | 3.5.0 | 25–50 | Web Server |
| 41 | hashicorp/consul | hashicorp | 1.05 | 1,458 | 1.18 | 5–15 | Service Discovery |
| 42 | elasticsearch | library | 0.95 | 6,591 | 8.13.0 | 30–50 | Search |
| 43 | eclipse-temurin | library | 0.85 | — | 21-jre | 30–60 | Runtime |
| 44 | amazonlinux | library | 0.84 | — | 2023 | 20–40 | Base OS |
| 45 | tomcat | library | 0.81 | 3,765 | 10.1 | 30–50 | Web Server |
| 46 | gitlab/gitlab-runner | gitlab | 0.80 | — | v16.11 | 40–70 | CI/CD |
| 47 | jenkins | library | 0.71 | — | lts | 80–150 | CI/CD |
| 48 | caddy | library | 0.70 | — | 2.8 | 5–15 | Proxy |
| 49 | rust | library | 0.65 | — | 1.78-slim | 10–30 | Runtime |
| 50 | hashicorp/vault | hashicorp | 0.55 | 1,176 | 1.16 | 5–15 | Secret Management |
| 51 | hello-world | library | 0.55 | — | latest | 0–0 | Example |
| 52 | centos | library | 0.50 | — | 7 | 30–60 | Base OS |
| 53 | kibana | library | 0.49 | — | 8.13.0 | 40–70 | Observability |
| 54 | logstash | library | 0.45 | — | 8.13.0 | 40–70 | Observability |
| 55 | telegraf | library | 0.43 | — | 1.30 | 10–25 | Observability |
| 56 | influxdb | library | 0.42 | — | 2.7 | 10–25 | Database |
| 57 | registry | library | 0.41 | — | 2.8 | 5–15 | Infrastructure |
| 58 | docker | library | 0.39 | — | 26 | 5–15 | Infrastructure |
| 59 | neo4j | neo4j | 0.37 | — | 5.20 | 20–40 | Database |
| 60 | zookeeper | library | 0.36 | — | 3.9 | 20–40 | Infrastructure |
| 61 | tensorflow/tensorflow | tensorflow | 0.34 | — | 2.16.1 | 20–50 | ML/AI |
| 62 | buildpack-deps | library | 0.33 | — | bookworm | 20–50 | Base OS |
| 63 | portainer/portainer-ce | portainer | 0.32 | — | latest | 10–25 | Infrastructure |
| 64 | nats | library | 0.31 | — | 2.10 | 5–15 | Messaging |
| 65 | wordpress | library | 0.30 | — | 6.5-php8.3-apache | 40–80 | CMS |
| 66 | flink | library | 0.28 | — | 1.20 | 20–40 | Data Streaming |
| 67 | couchdb | library | 0.28 | — | 3.3 | 20–40 | Database |
| 68 | confluentinc/cp-kafka | confluentinc | 0.27 | — | 7.6.1 | 20–40 | Data Streaming |
| 69 | solr | library | 0.26 | — | 9.6 | 20–40 | Search |
| 70 | kong/kong | kong | 0.25 | — | 3.7 | 15–30 | API Gateway |
| 71 | minio/minio | minio | 0.24 | — | latest | 10–20 | Storage |
| 72 | mongo-express | library | 0.24 | — | 1.0.2 | 30–60 | Database Tools |
| 73 | rancher/k3s | rancher | 0.23 | — | v1.29.3-k3s1 | 10–25 | Infrastructure |
| 74 | r-base | library | 0.23 | — | 4.4.0 | 15–30 | Runtime |
| 75 | argoproj/argocd | argoproj | 0.23 | — | v2.11.0 | 15–30 | CI/CD |
| 76 | bitnami/kafka | bitnami | 0.22 | — | 3.7 | 20–40 | Data Streaming |
| 77 | prom/node-exporter | prom | 0.21 | — | v1.8.0 | 5–15 | Observability |
| 78 | coredns/coredns | coredns | 0.21 | — | 1.11.1 | 5–15 | Networking |
| 79 | keycloak/keycloak | keycloak | 0.20 | — | 24.0.3 | 15–30 | Auth |
| 80 | elastic/logstash | elastic | 0.20 | — | 8.13.0 | 40–70 | Observability |
| 81 | pytorch/pytorch | pytorch | 0.20 | — | 2.3.0-cuda12.1-cudnn8-runtime | 15–30 | ML/AI |
| 82 | perl | library | 0.19 | — | 5.40 | 20–40 | Runtime |
| 83 | erlang | library | 0.18 | — | 27 | 15–30 | Runtime |
| 84 | portainer/agent | portainer | 0.18 | — | latest | 10–20 | Infrastructure |
| 85 | fedora | library | 0.17 | — | 40 | 5–15 | Base OS |
| 86 | rancher/rancher | rancher | 0.17 | — | v2.8.3 | 20–40 | Infrastructure |
| 87 | openresty/openresty | openresty | 0.17 | — | 1.25.3-alpine | 10–25 | Web Server |
| 88 | phpmyadmin | library | 0.16 | — | 5.2 | 30–60 | Database Tools |
| 89 | mysql/mysql-server | mysql | 0.15 | — | 8.4 | 40–60 | Database |
| 90 | percona | library | 0.15 | — | ps-8.0 | 40–60 | Database |
| 91 | couchbase/server | couchbase | 0.14 | — | enterprise-7.6.1 | 20–40 | Database |
| 92 | confluentinc/cp-zookeeper | confluentinc | 0.14 | — | 7.6.1 | 20–40 | Infrastructure |
| 93 | elixir | library | 0.14 | — | 1.17 | 15–30 | Runtime |
| 94 | dart | library | 0.13 | — | 3.4 | 10–20 | Runtime |
| 95 | bitnami/spark | bitnami | 0.13 | — | 3.5.1 | 20–40 | Data Processing |
| 96 | kindest/node | kindest | 0.12 | — | v1.30.0 | 10–20 | Infrastructure |
| 97 | falcosecurity/falco | falcosecurity | 0.12 | — | 0.38.0 | 10–25 | Security |
| 98 | elastic/filebeat | elastic | 0.12 | — | 8.13.0 | 30–50 | Observability |
| 99 | apache/kafka | apache | 0.11 | — | 3.7.0 | 20–40 | Data Streaming |
| 100 | adminer | library | 0.11 | — | 4.8.1 | 20–40 | Database Tools |
| 101 | openzipkin/zipkin | openzipkin | 0.10 | — | 3.4 | 10–20 | Observability |
| 102 | prom/alertmanager | prom | 0.10 | — | v0.27.0 | 5–15 | Observability |
| 103 | jaegertracing/all-in-one | jaegertracing | 0.10 | — | 1.57 | 10–20 | Observability |
| 104 | swift | library | 0.10 | — | 5.10 | 10–20 | Runtime |
| 105 | clickhouse/clickhouse-server | clickhouse | 0.09 | — | 24.4 | 20–40 | Database |
| 106 | timescale/timescaledb | timescale | 0.09 | — | 2.15.2-pg16 | 30–60 | Database |
| 107 | haskell | library | 0.09 | — | 9.10 | 15–30 | Runtime |
| 108 | prom/pushgateway | prom | 0.08 | — | v1.9.0 | 5–15 | Observability |
| 109 | calico/node | calico | 0.08 | — | v3.28.0 | 10–20 | Networking |
| 110 | argoproj/workflow-controller | argoproj | 0.08 | — | v3.5.6 | 10–20 | CI/CD |
| 111 | cilium/cilium | cilium | 0.07 | — | v1.15.5 | 10–20 | Networking |
| 112 | apache/airflow | apache | 0.07 | — | 2.9.1 | 15–30 | Workflow |
| 113 | ory/hydra | ory | 0.07 | — | v2.2.0 | 5–15 | Auth |
| 114 | weaveworks/weave-kube | weaveworks | 0.06 | — | 2.8.1 | 10–20 | Networking |
| 115 | confluentinc/cp-schema-registry | confluentinc | 0.06 | — | 7.6.1 | 20–35 | Data Streaming |
| 116 | cockroachdb/cockroach | cockroachdb | 0.06 | — | v24.1.0 | 15–30 | Database |
| 117 | bitnami/zookeeper | bitnami | 0.06 | — | 3.9.2 | 20–40 | Infrastructure |
| 118 | grafana/tempo | grafana | 0.05 | — | 2.4.3 | 10–20 | Observability |
| 119 | fluxcd/helm-controller | fluxcd | 0.05 | — | v1.0.1 | 5–15 | CI/CD |
| 120 | prom/blackbox-exporter | prom | 0.05 | — | v0.25.0 | 5–15 | Observability |
| 121 | jetstack/cert-manager-controller | jetstack | 0.05 | — | v1.14.5 | 10–20 | Security |
| 122 | oauth2-proxy/oauth2-proxy | oauth2-proxy | 0.04 | — | v7.6.0 | 10–20 | Auth |
| 123 | fluent/fluentd | fluent | 0.04 | — | v1.17 | 10–25 | Observability |
| 124 | apache/spark | apache | 0.04 | — | 3.5.1 | 15–30 | Data Processing |
| 125 | amazon/aws-cli | amazon | 0.04 | — | 2 | 5–15 | Infrastructure |
| 126 | calico/cni | calico | 0.04 | — | v3.28.0 | 10–20 | Networking |
| 127 | bitnami/minideb | bitnami | 0.03 | — | bookworm | 5–15 | Base OS |
| 128 | grafana/mimir | grafana | 0.03 | — | 2.12.0 | 10–20 | Observability |
| 129 | gitlab/gitlab-ce | gitlab | 0.03 | — | 17.0.0-ce.0 | 80–150 | DevOps |
| 130 | hashicorp/terraform | hashicorp | 0.03 | — | 1.8.3 | 5–15 | Infrastructure |
| 131 | victoriametrics/victoria-metrics | victoriametrics | 0.03 | — | v1.101.0 | 5–15 | Observability |
| 132 | opensearchproject/opensearch | opensearchproject | 0.03 | — | 2.14.0 | 30–50 | Search |
| 133 | dexidp/dex | dexidp | 0.03 | — | v2.39.1 | 5–15 | Auth |
| 134 | jupyter/base-notebook | jupyter | 0.03 | — | latest | 30–60 | ML/AI |
| 135 | elastic/apm-server | elastic | 0.02 | — | 8.13.0 | 30–50 | Observability |
| 136 | ory/kratos | ory | 0.02 | — | v1.2.0 | 5–15 | Auth |
| 137 | grafana/agent | grafana | 0.02 | — | v0.41.1 | 10–20 | Observability |
| 138 | kubernetesui/dashboard | kubernetesui | 0.02 | — | v2.7.0 | 15–30 | Infrastructure |
| 139 | prom/postgres-exporter | prom | 0.02 | — | v0.15.0 | 5–15 | Observability |
| 140 | scylladb/scylla | scylladb | 0.02 | — | 6.0 | 20–40 | Database |
| 141 | yugabytedb/yugabyte | yugabytedb | 0.02 | — | 2.20.3 | 20–40 | Database |
| 142 | nats-streaming | library | 0.02 | — | 0.25 | 10–20 | Messaging |
| 143 | redpandadata/redpanda | redpandadata | 0.02 | — | v24.1.1 | 5–15 | Data Streaming |
| 144 | authelia/authelia | authelia | 0.01 | — | latest | 5–15 | Auth |
| 145 | portainer/portainer-ee | portainer | 0.01 | — | latest | 10–20 | Infrastructure |
| 146 | apache/nifi | apache | 0.01 | — | 1.26.0 | 20–40 | Data Integration |
| 147 | sonatype/nexus3 | sonatype | 0.01 | — | 3.69.0 | 30–60 | Artifact Repository |
| 148 | elastic/metricbeat | elastic | 0.01 | — | 8.13.0 | 30–50 | Observability |
| 149 | concourse/concourse | concourse | 0.01 | — | 7.11.2 | 20–40 | CI/CD |
| 150 | prom/mysqld-exporter | prom | 0.01 | — | v0.15.1 | 5–15 | Observability |
| 151 | bitnami/nginx | bitnami | 0.01 | — | 1.27.0 | 15–30 | Web Server |
| 152 | eclipse-mosquitto | library | 0.01 | — | 2.0 | 5–15 | Messaging |
| 153 | jupyter/scipy-notebook | jupyter | 0.01 | — | latest | 30–60 | ML/AI |
| 154 | openpolicyagent/opa | openpolicyagent | 0.01 | — | 0.65.0 | 5–15 | Policy |
| 155 | grafana/pyroscope | grafana | 0.01 | — | 1.5.0 | 10–20 | Observability |
| 156 | jaegertracing/jaeger-agent | jaegertracing | 0.01 | — | 1.57 | 10–20 | Observability |
| 157 | bitnami/mariadb | bitnami | 0.01 | — | 11.4.2 | 30–60 | Database |
| 158 | hashicorp/nomad | hashicorp | 0.01 | — | 1.8.0 | 5–15 | Infrastructure |
| 159 | linuxserver/nginx | linuxserver | 0.01 | — | latest | 20–40 | Web Server |
| 160 | victoriametrics/vmagent | victoriametrics | 0.01 | — | v1.101.0 | 5–15 | Observability |
| 161 | emqx/emqx | emqx | 0.01 | — | 5.7.0 | 10–20 | Messaging |
| 162 | valkey/valkey | valkey | 0.01 | — | 8.0 | 5–15 | Cache |
| 163 | bitnami/elasticsearch | bitnami | 0.01 | — | 8.13.0 | 30–50 | Search |
| 164 | citus/citus | citus | 0.00 | — | 12.1 | 20–40 | Database |
| 165 | dragonflydb/dragonfly | dragonflydb | 0.00 | — | v1.18.0 | 5–15 | Cache |
| 166 | bitnami/mysql | bitnami | 0.00 | — | 8.4.0 | 30–50 | Database |
| 167 | linkerd/proxy | linkerd | 0.00 | — | stable-2.15.0 | 5–15 | Service Mesh |
| 168 | prom/haproxy-exporter | prom | 0.00 | — | v0.15.0 | 5–15 | Observability |
| 169 | drone/drone | drone | 0.00 | — | 2.24 | 10–20 | CI/CD |
| 170 | grafana/k6 | grafana | 0.00 | — | 0.51.0 | 5–15 | Testing |
| 171 | questdb/questdb | questdb | 0.00 | — | 8.0.3 | 10–20 | Database |
| 172 | arangodb/arangodb | arangodb | 0.00 | — | 3.12.0 | 15–30 | Database |
| 173 | clickhouse/clickhouse-keeper | clickhouse | 0.00 | — | 24.4 | 15–30 | Database |
| 174 | dagster/dagster | dagster | 0.00 | — | latest | 10–20 | Workflow |
| 175 | ory/keto | ory | 0.00 | — | v0.12.0 | 5–15 | Auth |
| 176 | spiffe/spire-server | spiffe | 0.00 | — | 1.9.4 | 5–15 | Security |
| 177 | bitnami/etcd | bitnami | 0.00 | — | 3.5.13 | 10–20 | Infrastructure |
| 178 | fluxcd/source-controller | fluxcd | 0.00 | — | v1.3.0 | 5–15 | CI/CD |
| 179 | mlflow/mlflow | mlflow | 0.00 | — | v2.13.0 | 10–25 | ML/AI |
| 180 | apache/superset | apache | 0.00 | — | 4.0.2 | 15–30 | Data BI |
| 181 | dagger/engine | dagger | 0.00 | — | v0.11.7 | 5–15 | CI/CD |
| 182 | gitea/gitea | gitea | 0.00 | — | 1.22.0 | 15–30 | DevOps |
| 183 | aquasec/trivy | aquasec | 0.00 | — | 0.52.0 | 5–15 | Security |
| 184 | prefect/prefect | prefect | 0.00 | — | 3.0.0 | 10–20 | Workflow |
| 185 | apache/druid | apache | 0.00 | — | 30.0.0 | 20–40 | Data Analytics |
| 186 | strimzi/kafka | strimzi | 0.00 | — | 0.41.0-kafka-3.7.0 | 10–25 | Data Streaming |
| 187 | buildkite/agent | buildkite | 0.00 | — | 3 | 10–20 | CI/CD |
| 188 | thanosio/thanos | thanosio | 0.00 | — | v0.35.0 | 5–15 | Observability |
| 189 | cilium/hubble-relay | cilium | 0.00 | — | v1.15.5 | 5–15 | Networking |
| 190 | moby/buildkit | moby | 0.00 | — | v0.14.1 | 5–15 | Infrastructure |
| 191 | linkerd/controller | linkerd | 0.00 | — | stable-2.15.0 | 5–15 | Service Mesh |
| 192 | spiffe/spire-agent | spiffe | 0.00 | — | 1.9.4 | 5–15 | Security |
| 193 | jaegertracing/jaeger-collector | jaegertracing | 0.00 | — | 1.57 | 10–20 | Observability |
| 194 | anchore/grype | anchore | 0.00 | — | v0.79.0 | 5–15 | Security |
| 195 | anchore/syft | anchore | 0.00 | — | v1.4.1 | 5–15 | Security |
| 196 | bitnami/keycloak | bitnami | 0.00 | — | 24.0.3 | 20–40 | Auth |
| 197 | goauthentik/server | goauthentik | 0.00 | — | 2024.6.0 | 10–25 | Auth |
| 198 | fluxcd/kustomize-controller | fluxcd | 0.00 | — | v1.3.0 | 5–15 | CI/CD |
| 199 | apache/hadoop | apache | 0.00 | — | 3.3.6 | 25–50 | Data |
| 200 | bitnami/thanos | bitnami | 0.00 | — | 0.35.0 | 10–20 | Observability |
| 201 | crowdsec/crowdsec | crowdsec | 0.00 | — | v1.6.2 | 5–15 | Security |
| 202 | apache/pulsar | apache | 0.00 | — | 3.3.0 | 20–40 | Messaging |
| 203 | signoz/frontend | signoz | 0.00 | — | 0.46.0 | 10–25 | Observability |
| 204 | bitnami/airflow | bitnami | 0.00 | — | 2.9.1 | 15–30 | Workflow |
| 205 | bitnami/fluentd | bitnami | 0.00 | — | 1.17.0 | 10–25 | Observability |
| 206 | bitnami/grafana | bitnami | 0.00 | — | 11.0.0 | 15–30 | Observability |
| 207 | bitnami/consul | bitnami | 0.00 | — | 1.18.1 | 10–20 | Service Discovery |
| 208 | bitnami/vault | bitnami | 0.00 | — | 1.16.2 | 10–20 | Secret Management |
| 209 | apache/hive | apache | 0.00 | — | 4.0.0 | 25–50 | Data |
| 210 | wazuh/wazuh-manager | wazuh | 0.00 | — | 4.8.0 | 15–30 | Security |
| 211 | bitnami/jenkins | bitnami | 0.00 | — | 2.461 | 50–100 | CI/CD |
| 212 | bitnami/prometheus | bitnami | 0.00 | — | 2.52.0 | 10–20 | Observability |
| 213 | goharbor/harbor-core | goharbor | 0.00 | — | v2.11.0 | 10–20 | Infrastructure |
| 214 | goharbor/registry-photon | goharbor | 0.00 | — | v2.11.0 | 10–20 | Infrastructure |
| 215 | bitnami/nats | bitnami | 0.00 | — | 2.10.17 | 5–15 | Messaging |
| 216 | redpandadata/console | redpandadata | 0.00 | — | v2.6.0 | 5–15 | Data Streaming |
| 217 | otel/opentelemetry-collector-contrib | otel | 0.00 | — | 0.101.0 | 10–20 | Observability |
| 218 | grafana/alloy | grafana | 0.00 | — | v1.2.0 | 5–15 | Observability |
| 219 | apache/activemq-classic | apache | 0.00 | — | 6.1.2 | 20–40 | Messaging |
| 220 | hivemq/hivemq4 | hivemq | 0.00 | — | 4.29.0 | 10–20 | Messaging |
| 221 | openebs/provisioner-localpv | openebs | 0.00 | — | 4.1.0 | 5–15 | Storage |
| 222 | longhorn/longhorn-manager | longhorn | 0.00 | — | v1.6.2 | 10–20 | Storage |
| 223 | minio/mc | minio | 0.00 | — | latest | 5–15 | Storage |
| 224 | dask/dask | dask | 0.00 | — | 2024.5.0 | 15–30 | ML/AI |
| 225 | ray-project/ray | ray-project | 0.00 | — | 2.30.0 | 15–30 | ML/AI |
| 226 | bentoml/bento-server | bentoml | 0.00 | — | 1.2.19 | 10–20 | ML/AI |
| 227 | getdbt/dbt-core | getdbt | 0.00 | — | 1.8.3 | 10–20 | Data |
| 228 | trinodb/trino | trinodb | 0.00 | — | 447 | 15–30 | Data SQL |
| 229 | prestodb/presto | prestodb | 0.00 | — | 0.288 | 15–30 | Data SQL |
| 230 | apache/hbase | apache | 0.00 | — | 2.5.9 | 25–50 | Database |
| 231 | m3db/m3dbnode | m3db | 0.00 | — | latest | 10–20 | Observability |
| 232 | cortexproject/cortex | cortexproject | 0.00 | — | v1.17.1 | 10–20 | Observability |
| 233 | longhorn/longhorn-engine | longhorn | 0.00 | — | v1.6.2 | 10–20 | Storage |
| 234 | rook/ceph | rook | 0.00 | — | v1.14.6 | 15–30 | Storage |
| 235 | seaweedfs/seaweedfs | seaweedfs | 0.00 | — | 3.65 | 10–20 | Storage |
| 236 | democratic-csi/democratic-csi | democratic-csi | 0.00 | — | latest | 5–15 | Storage |
| 237 | ceph/ceph | ceph | 0.00 | — | v18 | 15–30 | Storage |
| 238 | bitnami/metrics-server | bitnami | 0.00 | — | 0.7.1 | 10–20 | Infrastructure |
| 239 | bitnami/external-dns | bitnami | 0.00 | — | 0.14.2 | 10–20 | Infrastructure |
| 240 | bitnami/kube-state-metrics | bitnami | 0.00 | — | 2.12.0 | 10–20 | Observability |
| 241 | calico/kube-controllers | calico | 0.00 | — | v3.28.0 | 10–20 | Networking |
| 242 | bitnami/envoy | bitnami | 0.00 | — | 1.30.1 | 15–30 | Proxy |
| 243 | bitnami/oauth2-proxy | bitnami | 0.00 | — | 7.6.0 | 10–20 | Auth |
| 244 | bitnami/tomcat | bitnami | 0.00 | — | 10.1 | 25–50 | Web Server |
| 245 | bitnami/wildfly | bitnami | 0.00 | — | 32.0 | 30–60 | Web Server |
| 246 | bitnami/memcached | bitnami | 0.00 | — | 1.6.27 | 20–40 | Cache |
| 247 | bitnami/haproxy | bitnami | 0.00 | — | 3.0.0 | 15–30 | Proxy |
| 248 | bitnami/rabbitmq | bitnami | 0.00 | — | 3.13.3 | 20–40 | Messaging |
| 249 | bitnami/redis-exporter | bitnami | 0.00 | — | 1.61.0 | 5–15 | Observability |
| 250 | bitnami/postgres-exporter | bitnami | 0.00 | — | 0.15.0 | 5–15 | Observability |
| 251 | bitnami/mongodb-exporter | bitnami | 0.00 | — | 0.40.0 | 5–15 | Observability |
| 252 | bitnami/kafka-exporter | bitnami | 0.00 | — | 1.7.0 | 5–15 | Observability |
| 253 | bitnami/node-exporter | bitnami | 0.00 | — | 1.8.0 | 5–15 | Observability |
| 254 | grafana/oncall | grafana | 0.00 | — | v1.10.0 | 10–20 | Observability |
| 255 | bitnami/cert-manager | bitnami | 0.00 | — | 1.14.5 | 10–20 | Security |
| 256 | bitnami/contour | bitnami | 0.00 | — | 1.29.1 | 10–20 | Web Server |
| 257 | jaegertracing/jaeger-query | jaegertracing | 0.00 | — | 1.57 | 10–20 | Observability |
| 258 | openebs/jiva-csi | openebs | 0.00 | — | 3.6.0 | 5–15 | Storage |
| 259 | nfs-subdir-external-provisioner/nfs-subdir-external-provisioner | nfs-subdir-external-provisioner | 0.00 | — | v4.0.18 | 10–20 | Storage |
| 260 | confluentinc/cp-kafka-connect | confluentinc | 0.00 | — | 7.6.1 | 20–40 | Data Streaming |
| 261 | confluentinc/cp-ksqldb-server | confluentinc | 0.00 | — | 7.6.1 | 20–40 | Data Streaming |
| 262 | apache/activemq-artemis | apache | 0.00 | — | 2.33.0 | 20–40 | Messaging |
| 263 | bitnami/harbor-core | bitnami | 0.00 | — | 2.11.0 | 10–20 | Infrastructure |
| 264 | bitnami/harbor-registry | bitnami | 0.00 | — | 2.11.0 | 10–20 | Infrastructure |
| 265 | bitnami/harbor-portal | bitnami | 0.00 | — | 2.11.0 | 10–20 | Infrastructure |
| 266 | bitnami/harbor-jobservice | bitnami | 0.00 | — | 2.11.0 | 10–20 | Infrastructure |
| 267 | bitnami/harbor-trivy-adapter | bitnami | 0.00 | — | 2.11.0 | 10–20 | Security |
| 268 | fluxcd/notification-controller | fluxcd | 0.00 | — | v1.3.0 | 5–15 | CI/CD |
| 269 | fluxcd/image-reflector-controller | fluxcd | 0.00 | — | v0.31.2 | 5–15 | CI/CD |
| 270 | fluxcd/image-automation-controller | fluxcd | 0.00 | — | v0.38.0 | 5–15 | CI/CD |
| 271 | argoproj/argoexec | argoproj | 0.00 | — | v3.5.6 | 10–20 | CI/CD |
| 272 | victoriametrics/vminsert | victoriametrics | 0.00 | — | v1.101.0 | 5–15 | Observability |
| 273 | victoriametrics/vmselect | victoriametrics | 0.00 | — | v1.101.0 | 5–15 | Observability |
| 274 | victoriametrics/vmstorage | victoriametrics | 0.00 | — | v1.101.0 | 5–15 | Observability |
| 275 | victoriametrics/vmalert | victoriametrics | 0.00 | — | v1.101.0 | 5–15 | Observability |
| 276 | weaveworks/weave-npc | weaveworks | 0.00 | — | 2.8.1 | 10–20 | Networking |
| 277 | cilium/operator-generic | cilium | 0.00 | — | v1.15.5 | 5–15 | Networking |
| 278 | cilium/hubble-ui | cilium | 0.00 | — | v0.13.0 | 5–15 | Networking |
| 279 | metallb/controller | metallb | 0.00 | — | v0.14.5 | 5–15 | Networking |
| 280 | metallb/speaker | metallb | 0.00 | — | v0.14.5 | 5–15 | Networking |
| 281 | flannelproject/flannel | flannelproject | 0.00 | — | v0.25.1 | 5–15 | Networking |
| 282 | calico/typha | calico | 0.00 | — | v3.28.0 | 5–15 | Networking |
| 283 | linkerd/destination | linkerd | 0.00 | — | stable-2.15.0 | 5–15 | Service Mesh |
| 284 | linkerd/identity | linkerd | 0.00 | — | stable-2.15.0 | 5–15 | Service Mesh |
| 285 | linkerd/proxy-injector | linkerd | 0.00 | — | stable-2.15.0 | 5–15 | Service Mesh |
| 286 | openpolicyagent/gatekeeper | openpolicyagent | 0.00 | — | v3.16.3 | 5–15 | Policy |
| 287 | kyverno/kyverno | kyverno | 0.00 | — | v1.12.3 | 10–20 | Policy |
| 288 | bitnami/argo-cd | bitnami | 0.00 | — | 2.11.0 | 10–20 | CI/CD |
| 289 | hadolint/hadolint | hadolint | 0.00 | — | v2.12.0 | 5–15 | Dev Tools |
| 290 | wagoodman/dive | wagoodman | 0.00 | — | v0.12.0 | 5–15 | Dev Tools |
| 291 | bitnami/loki | bitnami | 0.00 | — | 3.0.0 | 10–20 | Observability |
| 292 | bitnami/tempo | bitnami | 0.00 | — | 2.4.3 | 10–20 | Observability |
| 293 | bitnami/minio | bitnami | 0.00 | — | latest | 10–20 | Storage |
| 294 | bitnami/clickhouse | bitnami | 0.00 | — | 24.4 | 15–30 | Database |
| 295 | bitnami/cockroachdb | bitnami | 0.00 | — | 24.1 | 15–30 | Database |
| 296 | bitnami/cassandra | bitnami | 0.00 | — | 4.1 | 25–50 | Database |
| 297 | bitnami/couchdb | bitnami | 0.00 | — | 3.3 | 20–40 | Database |
| 298 | bitnami/solr | bitnami | 0.00 | — | 9.6 | 15–30 | Search |
| 299 | bitnami/opensearch | bitnami | 0.00 | — | 2.14 | 20–40 | Search |
| 300 | opensearchproject/opensearch-dashboards | opensearchproject | 0.00 | — | 2.14.0 | 25–50 | Observability |
| 301 | bitnami/nifi | bitnami | 0.00 | — | 2.0.0 | 20–40 | Data Integration |
| 302 | bitnami/airflow-worker | bitnami | 0.00 | — | 2.9.1 | 15–30 | Workflow |
| 303 | bitnami/airflow-scheduler | bitnami | 0.00 | — | 2.9.1 | 15–30 | Workflow |
| 304 | bitnami/spark-worker | bitnami | 0.00 | — | 3.5.1 | 20–40 | Data Processing |
| 305 | bitnami/flink | bitnami | 0.00 | — | 1.20 | 20–40 | Data Processing |
| 306 | bitnami/druid | bitnami | 0.00 | — | 30.0.0 | 20–40 | Data Analytics |
| 307 | gocd/gocd-server | gocd | 0.00 | — | v24.2.0 | 20–40 | CI/CD |
| 308 | linuxserver/sonarr | linuxserver | 0.00 | — | latest | 20–40 | Media |
| 309 | linuxserver/plex | linuxserver | 0.00 | — | latest | 20–40 | Media |
| 310 | linuxserver/radarr | linuxserver | 0.00 | — | latest | 20–40 | Media |
| 311 | linuxserver/jellyfin | linuxserver | 0.00 | — | latest | 20–40 | Media |
| 312 | jupyter/datascience-notebook | jupyter | 0.00 | — | latest | 40–70 | ML/AI |
| 313 | kserve/kfserving | kserve | 0.00 | — | v0.13.0 | 10–20 | ML/AI |
| 314 | apache/zeppelin | apache | 0.00 | — | 0.11.1 | 20–40 | Data ML |
| 315 | dremio/dremio-oss | dremio | 0.00 | — | 25.1 | 20–40 | Data SQL |
| 316 | apache/hudi | apache | 0.00 | — | 1.0.0 | 20–40 | Data |
| 317 | bitnami/superset | bitnami | 0.00 | — | 4.0.2 | 20–40 | Data BI |
| 318 | bitnami/mlflow | bitnami | 0.00 | — | 2.13.0 | 10–25 | ML/AI |
| 319 | linuxserver/wireguard | linuxserver | 0.00 | — | latest | 10–20 | Networking |
| 320 | linuxserver/nextcloud | linuxserver | 0.00 | — | latest | 40–70 | Storage |
| 321 | bitnami/wordpress | bitnami | 0.00 | — | 6.5 | 40–80 | CMS |
| 322 | ghost | library | 0.00 | — | 5.82 | 30–60 | CMS |
| 323 | nextcloud | library | 0.00 | — | 29 | 40–80 | Storage |
| 324 | mediawiki | library | 0.00 | — | 1.42 | 30–60 | CMS |
| 325 | drupal | library | 0.00 | — | 10.3 | 40–80 | CMS |
| 326 | joomla | library | 0.00 | — | 5.1 | 40–80 | CMS |
| 327 | mattermost/mattermost-team-edition | mattermost | 0.00 | — | 9.9.0 | 20–40 | Communication |
| 328 | rocketchat/rocket.chat | rocketchat | 0.00 | — | 6.9.0 | 30–60 | Communication |
| 329 | bitnami/git | bitnami | 0.00 | — | 2.45.2 | 5–15 | Dev Tools |
| 330 | bitnami/kubectl | bitnami | 0.00 | — | 1.30.1 | 5–10 | Infrastructure |
| 331 | bitnami/helm | bitnami | 0.00 | — | 3.15.1 | 5–10 | Infrastructure |
| 332 | alpine/helm | alpine | 0.00 | — | 3.15.1 | 5–10 | Infrastructure |
| 333 | alpine/git | alpine | 0.00 | — | latest | 5–10 | Dev Tools |
| 334 | amazon/dynamodb-local | amazon | 0.00 | — | latest | 5–15 | Database |
| 335 | bitnami/aws-cli | bitnami | 0.00 | — | 2.15.0 | 5–15 | Infrastructure |
| 336 | google/cloud-sdk | google | 0.00 | — | latest | 10–20 | Infrastructure |
| 337 | certbot/certbot | certbot | 0.00 | — | v2.11.0 | 5–15 | Security |
| 338 | zaproxy/zap-stable | zaproxy | 0.00 | — | latest | 20–40 | Security |
| 339 | snyk/snyk | snyk | 0.00 | — | alpine | 5–15 | Security |
| 340 | aquasec/kube-bench | aquasec | 0.00 | — | v0.8.0 | 5–15 | Security |
| 341 | fairwinds/polaris | fairwinds | 0.00 | — | 9.3.0 | 5–15 | Security |
| 342 | falcosecurity/falco-driver-loader | falcosecurity | 0.00 | — | 0.38.0 | 5–15 | Security |
| 343 | hashicorp/packer | hashicorp | 0.00 | — | 1.11.1 | 5–15 | Infrastructure |
| 344 | hashicorp/boundary | hashicorp | 0.00 | — | 0.16.2 | 5–15 | Security |
| 345 | docker/buildx | docker | 0.00 | — | v0.14.1 | 5–10 | Infrastructure |
| 346 | gradle | library | 0.00 | — | 8.8-jdk21 | 10–20 | Build Tools |
| 347 | maven | library | 0.00 | — | 3.9-eclipse-temurin-21 | 20–40 | Build Tools |
| 348 | amazoncorretto | library | 0.00 | — | 21 | 15–30 | Runtime |
| 349 | adoptopenjdk | library | 0.00 | — | 21 | 20–40 | Runtime |
| 350 | clojure | library | 0.00 | — | temurin-21-tools-deps | 20–40 | Runtime |
| 351 | groovy | library | 0.00 | — | 4.0-jdk21 | 20–40 | Runtime |
| 352 | scala | library | 0.00 | — | 3.4-eclipse-temurin-21 | 20–40 | Runtime |
| 353 | bitnami/redis-cluster | bitnami | 0.00 | — | 7.4 | 15–30 | Cache |
| 354 | bitnami/mariadb-galera | bitnami | 0.00 | — | 11.4 | 30–60 | Database |
| 355 | bitnami/postgresql-repmgr | bitnami | 0.00 | — | 16 | 40–80 | Database |
| 356 | bitnami/pgpool | bitnami | 0.00 | — | 4.5.2 | 20–40 | Database |
| 357 | bitnami/pgbouncer | bitnami | 0.00 | — | 1.23.0 | 10–20 | Database |
| 358 | bitnami/patroni | bitnami | 0.00 | — | 3.3.0 | 10–20 | Database |
| 359 | bitnami/influxdb | bitnami | 0.00 | — | 2.7 | 10–20 | Database |
| 360 | bitnami/telegraf | bitnami | 0.00 | — | 1.30 | 10–20 | Observability |
| 361 | hivemq/hivemq-community-edition | hivemq | 0.00 | — | latest | 10–20 | Messaging |
| 362 | vernemq/vernemq | vernemq | 0.00 | — | latest | 15–30 | Messaging |
| 363 | julia | library | 0.00 | — | 1.10 | 10–20 | Runtime |
| 364 | mono | library | 0.00 | — | 6.12 | 20–40 | Runtime |
| 365 | ubuntu/nginx | ubuntu | 0.00 | — | latest | 15–30 | Web Server |
| 366 | ubuntu/apache2 | ubuntu | 0.00 | — | latest | 25–50 | Web Server |
| 367 | ubuntu/mysql | ubuntu | 0.00 | — | latest | 30–60 | Database |
| 368 | ubuntu/postgres | ubuntu | 0.00 | — | latest | 30–60 | Database |
| 369 | ubuntu/redis | ubuntu | 0.00 | — | latest | 15–25 | Cache |
| 370 | ubuntu/prometheus | ubuntu | 0.00 | — | latest | 10–20 | Observability |
| 371 | ubuntu/bind9 | ubuntu | 0.00 | — | latest | 15–30 | Infrastructure |
| 372 | almalinux | library | 0.00 | — | 9 | 10–20 | Base OS |
| 373 | rockylinux/rockylinux | rockylinux | 0.00 | — | 9 | 10–20 | Base OS |
| 374 | oraclelinux | library | 0.00 | — | 9 | 10–20 | Base OS |
| 375 | opensuse/leap | opensuse | 0.00 | — | 15.6 | 10–20 | Base OS |
| 376 | clearlinux | library | 0.00 | — | latest | 5–15 | Base OS |
| 377 | kong/kubernetes-ingress-controller | kong | 0.00 | — | 3.2 | 10–20 | API Gateway |
| 378 | supabase/postgres | supabase | 0.00 | — | 15 | 30–60 | Database |
| 379 | hasura/graphql-engine | hasura | 0.00 | — | v2.40.0 | 15–30 | Data API |
| 380 | postgrest/postgrest | postgrest | 0.00 | — | v12.0.2 | 5–15 | Data API |
| 381 | jfrog/artifactory-oss | jfrog | 0.00 | — | latest | 30–60 | Artifact Repository |
| 382 | jetbrains/teamcity-server | jetbrains | 0.00 | — | latest | 30–60 | CI/CD |
| 383 | bitnami/prestashop | bitnami | 0.00 | — | 9 | 40–80 | E-Commerce |
| 384 | bitnami/magento | bitnami | 0.00 | — | 2.4 | 40–80 | E-Commerce |
Pull count note: Service mesh (Istio) and observability (Fluent Bit, Datadog) dominate raw pulls due to per-pod sidecar injection and per-node DaemonSet deployment — pull count reflects cardinality of deployment, not developer community size.
Stars note: Stars are a strong proxy for active developer choice. The pull/star divergence for images like memcached (13.1B pulls, 2,439 stars) signals automated/CI usage rather than conscious adoption. High-star images — nginx, ubuntu, mysql, postgres, node, python — are the highest-value marketing and product targets.
CVE note: CVE counts are approximate ranges for the latest stable tag per public scanner data (Snyk/Trivy/Grype) as of April 2026. Alpine-based tags carry significantly fewer CVEs than Debian-based equivalents of the same image. Ranges reflect variation across minor versions and scan cadence differences between tools.
2. Category Breakdown
2.1 Base OS (47+ billion pulls combined)
The foundation layer. Every image in every other category is derived from one of these.
| Image | Pulls (B) | Stars | Risk | Notes |
|---|---|---|---|---|
| busybox | 12.5 | — | Low | Init container, debug tooling |
| alpine | 11.8 | 11,488 | Very Low | De facto minimal base; musl libc |
| ubuntu | 9.8 | 17,805 | Medium | Most familiar Linux; LTS cadence |
| debian | 1.6 | — | Medium | Parent of most official images |
| amazonlinux | 0.84 | — | Medium | AWS-native; RHEL-derived |
Pull volume driver: Alpine and busybox dominate because they serve as base images for other images, so their pulls compound through the entire Docker Hub graph. Every image built FROM alpine or FROM busybox adds to their pull counts with every build.
Market note: Chainguard’s Wolfi OS is not on Docker Hub in library form but competes directly with Alpine for the minimal-base-OS market. Docker Hardened Images (DHI) went Apache 2.0 in December 2025, covering 1,000+ images including Alpine and Ubuntu variants.
2.2 Language Runtimes (23+ billion pulls combined)
The images your application code actually runs in. Highest CVE density of any category due to Debian base inheritance.
| Image | Pulls (B) | Stars | Est. CVEs | Base | Notes |
|---|---|---|---|---|---|
| python | 8.6 | 10,405 | 150–250 | Debian | AI/ML dominant; multi-stage anti-patterns common |
| node | 6.3 | 14,147 | 25–80 | Debian | JS/TS backends; npm supply chain risk |
| openjdk | 2.6 | 4,115 | 80–150 | Debian | Deprecated; eclipse-temurin replacement |
| golang | 2.5 | 5,111 | 40–80 | Debian (build) | Go binaries run distroless; build image CVEs |
| ruby | 1.5 | 2,403 | 80–150 | Debian | Rails ecosystem; significant legacy |
| php | 1.3 | 7,837 | 100–200 | Debian | Highest CVE/pull ratio; massive legacy |
| eclipse-temurin | 0.85 | — | 30–60 | Ubuntu/Alpine | Modern Java replacement for openjdk |
| rust | 0.65 | — | 10–30 | Debian (build) | Build-only; Rust binaries are safe at runtime |
Key CVE driver: Approximately 70–90% of CVEs in language runtime images come from the Debian base layer, not from the language runtime itself. Chainguard’s Wolfi-based images show 0 CVEs for the same Python/Node/Java runtimes. The CVE is in the packaging choice, not the software.
2.3 Databases (55+ billion pulls combined)
Highest-consequence category. Persistent data + broad network access + slow patching cycles = elevated real-world risk.
| Image | Pulls (B) | Stars | Est. CVEs | Tier | Notes |
|---|---|---|---|---|---|
| memcached | 13.1 | 2,439 | 50–80 | Registered | High pulls, low star ratio = CI/automation usage |
| redis | 10.5 | 13,552 | 15–25 (alpine) | Free | Alpine variant significantly cleaner |
| postgres | 10.5 | 14,863 | 50–120 | Free | Default cloud-native DB; Debian base |
| mysql | 4.9 | 16,104 | 40–60 | Free | Most recognised DB brand |
| bitnami/postgresql | 3.8 | — | 40–80 | — | Bitnami variant; different CVE surface |
| mongo | 4.7 | 10,714 | 30–60 | Registered | NoSQL; licensing concerns |
| rabbitmq | 3.8 | 5,352 | 20–40 | Registered | OSS message broker |
| bitnami/redis | 3.3 | — | 30–60 | — | Bitnami packaging differences |
| mariadb | 3.1 | 6,088 | 40–80 | Registered | MySQL-compatible; similar CVE profile |
| bitnami/mongodb | 1.7 | — | 40–80 | — | — |
| elasticsearch | 0.95 | 6,591 | 30–50 | Registered | Elastic licensing changes; JVM base |
Bitnami effect: Bitnami packages popular software with additional configuration tooling, producing images with a different (often larger) package footprint. Bitnami images often carry more CVEs than the equivalent library images and are heavily used in Helm chart deployments. The bitnami/postgresql and bitnami/redis images together add ~7 billion pulls that represent a separate and largely unaddressed attack surface.
2.4 Web Servers and Proxies (29+ billion pulls combined)
Internet-facing by design. Highest exploitation risk of any category — CVEs are directly reachable from the open internet.
| Image | Pulls (B) | Stars | Est. CVEs | Risk | Notes |
|---|---|---|---|---|---|
| nginx | 12.9 | 21,238 | 60–90 | Critical | TLS termination; internet-facing |
| envoyproxy/envoy | 5.7 | — | 20–40 | High | Service mesh data plane |
| httpd (Apache) | 4.7 | 4,927 | 40–70 | Critical | Legacy; consistent HTTP CVEs |
| traefik | 3.5 | 3,610 | 10–25 | Medium | Go binary; smaller dep tree |
| nginxinc/nginx-unprivileged | 1.2 | — | Lower | Medium | Rootless nginx |
| haproxy | 1.1 | 2,012 | 15–30 | Medium | Minimal C footprint; proven |
| nginx/nginx-ingress | 1.1 | — | 25–50 | High | k8s ingress controller CVEs |
| caddy | 0.7 | — | 5–15 | Low | Pure Go; near-zero CVE base |
| tomcat | 0.81 | 3,765 | 30–50 | Medium | Java servlet; enterprise |
Exploitation risk note: nginx and httpd are internet-facing in virtually every deployment. A CVE in nginx’s HTTP/2 implementation (like the Rapid Reset attack CVE-2023-44487) is exploitable by anyone who can send an HTTP request to the endpoint. This is categorically different from a database CVE that requires internal network access.
2.5 Observability (~60 billion pulls combined)
The highest pull-count category by far. Dominated by infrastructure images with privileged deployment patterns — DaemonSets and sidecars on every node and pod.
| Image | Pulls (B) | Stars | Est. CVEs | Deployment | Notes |
|---|---|---|---|---|---|
| fluent/fluent-bit | 15.2 | — | 15–30 | DaemonSet | Default k8s log forwarder |
| datadog/agent | 11.2 | — | 30–60 | DaemonSet | Docker socket, host metrics |
| grafana/grafana | 5.2 | 3,526 | 15–35 | Deployment | Standard dashboard |
| grafana/loki | 4.7 | — | 10–25 | Deployment | Log aggregation |
| timberio/vector | 4.1 | — | 10–20 | DaemonSet/sidecar | Rust-based; low CVE |
| grafana/promtail | 2.5 | — | 5–15 | DaemonSet | Log shipping |
| google/cadvisor | 2.1 | — | 5–15 | DaemonSet | Container metrics |
| prom/prometheus | 1.95 | 2,058 | 5–20 | Deployment | Metrics collection |
Privileged access note: DaemonSet observability agents typically have access to host log files, the container runtime socket (Docker or containerd), and host network/process namespaces. A compromised fluent-bit or datadog-agent is not a compromised container; it is a compromised node. This is why supply chain provenance for these images is critical — they have the access profile of a system daemon.
2.6 Service Mesh (~31 billion pulls combined)
Pull count reflects the per-pod sidecar injection multiplier, not absolute deployment size.
| Image | Pulls (B) | Est. CVEs | Role | Notes |
|---|---|---|---|---|
| istio/proxyv2 | 12.2 | 20–40 | Data plane sidecar | Injected into every pod |
| istio/pilot | 12.0 | 20–40 | Control plane | Routes config to all proxies |
| istio/operator | 6.2 | 15–30 | Cluster operator | Manages Istio lifecycle |
| envoyproxy/envoy | 5.7 | 20–40 | Standalone proxy | Also basis for proxyv2 |
| nginx/nginx-ingress | 1.1 | 25–50 | Ingress controller | Historical annotation CVEs |
Compromise impact: The service mesh data plane terminates and re-establishes mTLS for every inter-service call. Compromise of a proxyv2 sidecar means the ability to read all traffic flowing to/from that pod — including content that mTLS was protecting. Control-plane compromise (istiod) means cluster-wide traffic manipulation capability.
2.7 CI/CD (~8+ billion pulls combined)
Keys to the kingdom. CI/CD containers hold source code, deployment credentials, cloud provider tokens, and the ability to publish artefacts to production.
| Image | Pulls (B) | Est. CVEs | Risk | Notes |
|---|---|---|---|---|
| jenkins/jenkins | 4.9 | 80–150 | Critical | Plugin ecosystem; persistent credentials |
| jenkins | 0.71 | 80–150 | Critical | Official alias; same image |
| sonarqube | 1.2 | 50–80 | High | Code scanning; has production access |
| gitlab-runner | ~0.8 | 40–70 | High | GitLab CI job executor |
Supply chain threat model: Compromising CI/CD is the attacker’s preferred vector for supply chain attacks (SolarWinds, 3CX, XZ Utils). A Jenkins instance with a plugin CVE that allows unauthenticated RCE is not a compromised server; it is the ability to inject malicious code into every artefact the organisation ships. CVE patching cadence in CI/CD images is therefore not a “nice to have” — it is a direct defence against supply chain attacks.
2.8 Secret Management (~1.6 billion pulls combined)
Low pull count, high enterprise value. HashiCorp’s BSL licensing shift has created market uncertainty and potential opportunities.
| Image | Pulls (B) | Stars | Est. CVEs | Notes |
|---|---|---|---|---|
| consul | 1.05 | 1,458 | 5–15 | Service discovery + light KV |
| vault | 0.55 | 1,176 | 5–15 | Secrets manager; BSL post-2.0 |
Licensing note: HashiCorp switched Vault and Consul from MPL to Business Source License (BSL) in 2023. The OpenBao fork (community continuation of Vault) is gaining traction. BSL concerns reduce free-tier appeal of the official vault image; registered tier placement reflects this.
2.9 Messaging (~3.8 billion pulls)
| Image | Pulls (B) | Stars | Est. CVEs | Notes |
|---|---|---|---|---|
| rabbitmq | 3.8 | 5,352 | 20–40 | Dominant OSS broker; Erlang base |
Erlang/OTP note: rabbitmq runs on the Erlang runtime, so its CVE surface is partially distinct from the typical Debian/glibc pattern. Erlang CVEs tend to be lower in frequency, but the image carries Debian OS-layer CVEs in addition to the Erlang runtime exposure.
3. CVE Landscape by Category
3.1 Summary Table
| Category | Typical CVE Range | Severity Skew | Primary Driver | Hardened Reduction |
|---|---|---|---|---|
| Base OS (Alpine) | 0–5 | Low | Minimal package set | Near-zero achievable |
| Base OS (Debian/Ubuntu) | 8–50 | Low–Med | Package footprint | 70–90% via Alpine |
| Language Runtimes | 25–250 | Med–Critical | Debian base inheritance | 90–100% via Wolfi/distroless |
| Databases | 15–120 | Med–Critical | Debian base + DB engine | 60–80% achievable |
| Web Servers (nginx/httpd) | 40–90 | High–Critical | C binary + OpenSSL + Debian | 50–70% via Alpine base |
| Web Servers (Go-based) | 5–25 | Low–Med | Minimal Go binary | Low baseline already |
| Observability | 5–60 | Low–Med | OS layer mostly | 40–60% via base change |
| Service Mesh | 15–40 | Med–High | C++ (Envoy) + Debian | 40–60% achievable |
| CI/CD | 40–150 | High–Critical | Java/plugin ecosystem | 40–60% achievable |
| Secret Management | 5–15 | Low–Med | Minimal Go binary | Low baseline already |
| Messaging | 20–40 | Med | Erlang + Debian | 50–70% achievable |
3.2 Common Vulnerability Patterns
Pattern 1: The Debian Multiplier
Debian-based official images ship with ~8–20 system packages that are present at runtime but never used by the application: perl, libgcc, gcc-12-base, binutils, libcurl, libssl. These packages collectively account for 60–80% of CVEs in Debian-based images. Removing them through distroless or Alpine base migration produces 70–90% CVE reduction without changing the application.
Pattern 2: OpenSSL Inheritance
OpenSSL CVEs affect every image that links against libssl — nginx (TLS termination), curl (HTTP clients), Python (requests library), Node.js (tls module), and dozens more. A single OpenSSL CVE can affect hundreds of official images simultaneously. The Heartbleed class of vulnerability (memory disclosure in TLS handshake) is directly exploitable via internet-facing services.
Pattern 3: Build Dependency Leakage
Multi-stage builds are the solution, but they are not universally applied. Images that install build dependencies (gcc, make, python3-dev, libpq-dev) in the same stage as the runtime often leave those tools in the final image. Build tools carry their own CVE surface and provide attackers with compilation capabilities if the container is compromised.
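Patterns 1 and 3 side by side, as an added example that is not from this page and not CascadeGuard's own code. The build assumes a constructed Python application `app.py` in the build context that uses the psycopg2 driver compiled from source, which needs gcc and the libpq headers at build time but only the `libpq5` shared library at run time. Both variants keep the Debian `python:3.12-slim` base so the comparison isolates the build-dependency leakage; swapping the final stage for an Alpine or distroless base is the Pattern 1 base migration described above and is left out here so the two stages stay directly comparable.

```dockerfile
# Stage "single-stage": the anti-pattern. Compiler, headers and their dependency
# chain are installed in the same layer set that ships to production.
# Build it on its own with:  docker build --target single-stage -t app:naive .
FROM python:3.12-slim AS single-stage
RUN apt-get update \
 && apt-get install -y --no-install-recommends gcc libpq-dev \
 && pip install --no-cache-dir psycopg2==2.9.9 \
 && rm -rf /var/lib/apt/lists/*
# gcc and libpq-dev are still present here: scanners will report their CVEs
# and an attacker inside the container has a working C toolchain.
COPY app.py /app/app.py
CMD ["python", "/app/app.py"]

# Stage "builder": the fix starts here. Build tools live only in this stage.
FROM python:3.12-slim AS builder
RUN apt-get update \
 && apt-get install -y --no-install-recommends gcc libpq-dev \
 && rm -rf /var/lib/apt/lists/*
# Install into a virtualenv so the compiled wheel can be copied as one directory.
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
# psycopg2 (source distribution) needs gcc and pg_config from libpq-dev to build.
RUN pip install --no-cache-dir psycopg2==2.9.9

# Final stage: runtime only. Default target of `docker build -t app:slim .`
FROM python:3.12-slim
# The driver links against libpq at run time, so only the shared library is
# installed, not the headers and not the compiler.
RUN apt-get update \
 && apt-get install -y --no-install-recommends libpq5 \
 && rm -rf /var/lib/apt/lists/*
COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
COPY app.py /app/app.py
# Drop root in the runtime image; the build stages never needed a user switch.
USER 65534:65534
CMD ["python", "/app/app.py"]
```

Building both targets (`docker build --target single-stage -t app:naive .` and `docker build -t app:slim .`) and scanning each with one of the scanners named above, for example `trivy image app:naive` against `trivy image app:slim`, shows the difference the text describes: the CVEs attributed to gcc, binutils and the libpq headers appear only in the single-stage image, while the application and its driver behave identically in both.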
Pattern 4: Version Staleness Delta
The gap between when a CVE is patched upstream and when the Docker official image picks up the fix ranges from days to months. Base image rebuild cadence is the single largest controllable variable in an organisation’s container CVE posture. CascadeGuard’s event-driven rebuild architecture directly addresses this variable.
Pattern 5: Plugin/Extension Surface (CI/CD)
Jenkins, Grafana, and similar extensible platforms have a secondary CVE surface in their plugin ecosystems. Jenkins publishes security advisories weekly. Grafana plugin vulnerabilities are distinct from the core Grafana image CVEs. Standard image scanning tools see the core image; they do not enumerate plugin-level risk.
4. Market Gaps and Opportunities
4.1 The Lifecycle Loop Gap (Core CascadeGuard Thesis)
The gap: Every competitor is either a scanner (finds CVEs) or an enterprise platform (expensive, complex, enterprise-gated). Nobody automates the full loop: CVE detected → rebuild triggered → image signed → GitOps deployment updated → verification confirmed.
Who leaves this open:
- Docker Scout: scanning only; no rebuild automation
- Chainguard: hardened images as product; no automation for your custom images
- Anchore/Grype: scanning + SBOM; no lifecycle orchestration
- Renovate Bot: updates Dockerfile references; no rebuild, no signing, no GitOps integration
The opportunity: Platform engineers who run Kubernetes and manage custom base images for app teams are underserved. They know their images are stale; they lack automation. CascadeGuard is the only open-source tool that closes this loop in a GitOps-native way.
4.2 The Bitnami Gap
Bitnami images (bitnami/postgresql 3.8B, bitnami/redis 3.3B, bitnami/mongodb 1.7B) collectively account for 8.8 billion pulls. These images are widely used in Helm chart deployments but are significantly under-covered by the hardened images market. Chainguard covers some Bitnami equivalents; nobody covers the full Bitnami catalog.
Opportunity: Content targeting Bitnami users who want to understand the CVE posture of their Helm-deployed workloads, and eventually, Bitnami-compatible hardened variants.
4.3 Observability Infrastructure Security (Overlooked Category)
Fluent Bit (15.2B), Datadog (11.2B), Grafana (5.2B) collectively account for ~31 billion pulls. Security content about these images is almost non-existent — the focus is always on application images and databases. Yet these images run with host-level privileges on every node.
Opportunity: CascadeGuard owns the thought leadership position for observability infrastructure security. Article 006 (State of the Union: Observability) is differentiated content in an uncrowded space. Expanding this to a dedicated guide category can drive SEO traffic from DevOps and SRE audiences who are underserved by existing security content.
4.4 Service Mesh Supply Chain (Emerging Gap)
Istio proxyv2 (12.2B pulls) and pilot (12.0B) are among the most-pulled images on Docker Hub, yet the security community rarely discusses them from a supply chain perspective. The focus is on runtime security (mTLS configuration, policy enforcement) — not on the provenance and CVE posture of the mesh images themselves.
Opportunity: CascadeGuard can own the “service mesh supply chain” positioning. The threat model is compelling and distinct: a compromised sidecar has access to all inter-service traffic, not just the pod it’s co-located with.
4.5 Hardened Images for Registered/Premium Tier
The competitive landscape has an unserved middle:
- Free tier: Docker official images (no hardening)
- Enterprise tier: Chainguard images ($$$; enterprise contracts; Wolfi-only)
- Missing: Hardened, openly-published images for the 99/month self-service segment
CascadeGuard’s free and registered tiers fill this gap. The 25 images in images.yaml are
strategically chosen to cover the highest-pull, highest-community-interest image categories with
hardened equivalents that are immediately usable without a sales call.
4.6 Competitive Differentiation vs Chainguard
Chainguard is the most directly analogous product in the hardened images space. Key differences:
| Dimension | Chainguard | CascadeGuard |
|---|---|---|
| Image base | Wolfi OS (purpose-built) | Alpine + distroless |
| Update cadence | 4-hour upstream sync | Event-driven (CVE SLA) |
| Pricing | Enterprise contracts for production | Free (10 managed) + freemium |
| Custom images | Not addressed | Core product (your Dockerfiles) |
| GitOps integration | None | ArgoCD + Kargo native |
| SBOM + signing | Yes (Cosign) | Yes (Syft + Cosign) |
| Open source | Partial (some tools; images proprietary) | Full open source |
| Target buyer | Enterprise security team | Platform engineer, DevSecOps |
Key message: Chainguard sells you their images. CascadeGuard helps you maintain your images. The two products are complementary at the image layer (use Chainguard base → rebuild via CascadeGuard) and competitive at the lifecycle layer. Our primary win condition is the platform engineers who cannot use Chainguard because they manage custom images, or who cannot afford Chainguard’s enterprise pricing.
5. Tier Placement Rationale
5.1 Free Tier (10 Managed Images)
Selection criteria: highest pull counts + highest star counts + broadest developer recognition. These are the images that will drive awareness, GitHub stars, and developer trust in CascadeGuard’s hardened builds.
| Image | Tier | Rationale |
|---|---|---|
| nginx | Free | #1 most pulled; #1 most starred. Maximum visibility. |
| alpine | Free | Universal minimal base OS. Hardening alpine = table-stakes for CascadeGuard brand. |
| ubuntu | Free | Most recognised Linux distro. Enterprise standard base. |
| python | Free | AI/ML dominant runtime. 8.6B pulls. Massive audience. |
| postgres | Free | Default cloud-native DB. 10.5B pulls. |
| redis | Free | Ubiquitous cache. redis:alpine already minimal; hardened adds value. |
| node | Free | JS/TS backend standard. 6.3B pulls. |
| mysql | Free | Most recognised database brand. |
| golang | Free | Growing CI build standard. golang:alpine is the Go CI image. |
| openjdk | Free | Enterprise Java. openjdk:21 LTS is current target. |
Positioning: The free tier is our developer trust signal. These are the images every platform engineer recognises. Making them hardened, signed, and publicly available at no cost drives:
- GitHub star acquisition
- Blog traffic via dashboard + badge embeds
- Developer word-of-mouth (sharing the hardened image URL with their team)
5.2 Registered Tier (15 Upstream-Tracked Images)
Selection criteria: meaningful pull counts and community interest, but either (a) hardening complexity that justifies gatekeeping, (b) commercial licensing concerns, or (c) a smaller absolute developer community relative to the free tier.
| Image | Tier | Rationale |
|---|---|---|
| memcached | Registered | 13.1B pulls but only 2,439 stars — automated pulls vs human choice. |
| httpd | Registered | Apache legacy; good comparison to nginx; lower active developer interest. |
| mongo | Registered | Popular NoSQL but commercial licensing concerns (SSPL). |
| rabbitmq | Registered | Dominant OSS broker; Erlang complexity; smaller community than DBs. |
| traefik | Registered | Modern k8s proxy; Go binary; smaller CVE surface; registered demonstrates k8s hardening. |
| mariadb | Registered | MySQL-compatible; mysql covers primary use case in free tier. |
| grafana | Registered | Non-library namespace; standard dashboard; observability hardening story. |
| php | Registered | Massive legacy install base; highest CVE/pull ratio; high-value hardening showcase. |
| ruby | Registered | Rails ecosystem significant; complements python and node runtime catalog. |
| prometheus | Registered | Paired with grafana; non-library namespace; registered tier. |
| elasticsearch | Registered | Enterprise search; Elastic licensing changes; JVM base. |
| haproxy | Registered | Proven load balancer; lower community interest but operational relevance. |
| tomcat | Registered | Java servlet container; enterprise Java shops; complements openjdk free tier. |
| consul | Registered | HashiCorp service mesh; lower pull count vs vault; narrower audience. |
| vault | Registered | HashiCorp secrets manager; BSL license shift reduces free-tier appeal. |
5.3 Premium Tier Candidates (Future Consideration)
Images not yet in images.yaml that represent premium-tier opportunities as the product matures:
| Image | Pulls | Category | Premium Rationale |
|---|---|---|---|
| jenkins/jenkins | 4.9B | CI/CD | High enterprise value; complex hardening; SLA-backed patching is compelling for CI/CD |
| istio/proxyv2 | 12.2B | Service Mesh | Enterprise-only use case; complex hardening; high blast radius |
| fluent/fluent-bit | 15.2B | Observability | Enterprise infrastructure; DaemonSet deployment; SLA-backed security |
| datadog/agent | 11.2B | Observability | Enterprise-only; DaemonSet with privileged access; high-consequence hardening |
| sonarqube | 1.2B | CI/CD | Enterprise code quality; high CVE surface; compliance use case |
| bitnami/postgresql | 3.8B | Database | Helm-native enterprises; Bitnami format compatibility required |
| elasticsearch | 0.95B | Search | Enterprise; Elastic licensing makes hardened OSS version compelling |
| gitlab-runner | ~0.8B | CI/CD | Enterprise DevOps shops; CI/CD supply chain security story |
Premium tier positioning: CI/CD and service mesh images have such high-consequence security implications that organisations are willing to pay for guaranteed patching SLAs and dedicated support. These images are not “nice to have hardened” — a CVE in jenkins is a supply chain attack vector. Enterprise security teams understand this and will pay for confidence.
6. Strategic Implications for CascadeGuard Content
6.1 Priority Content Targets (by reach × risk)
- nginx — 12.9B pulls, Critical risk, internet-facing. Every web developer knows it.
- python — 8.6B pulls, Critical CVE density, AI/ML audience, fastest growing.
- postgres — 10.5B pulls, Critical, default cloud-native DB.
- node — 6.3B pulls, Critical, JS/TS backend standard.
- jenkins — 5.6B combined pulls, Critical, supply chain attack vector #1.
6.2 Emerging Content Opportunities
- Observability security — Uncrowded topic; 31B+ combined pulls; DaemonSet risk angle is novel
- Bitnami security — 8.8B pulls; no dedicated coverage; Helm user audience
- Service mesh supply chain — 30B+ pulls; novel angle; high-stakes audience
6.3 SEO Keyword Opportunities
| Query Pattern | Target Article | Volume Signal |
|---|---|---|
| “nginx CVE” / “nginx vulnerabilities” | State of Web Servers | High |
| “docker postgres CVE” | State of Databases | High |
| “python docker image security” | State of Runtimes | High |
| “jenkins docker vulnerabilities” | CI/CD security | High |
| “fluent bit security” | Observability article | Medium, uncrowded |
| “istio supply chain” | Service mesh security | Medium, very uncrowded |
| “bitnami postgresql CVE” | Bitnami security (future) | Medium |
Last updated: 2026-04-10 by Elena Vasquez (CMO). Data sourced from image-repos.yaml, marketing
articles 002–008, SWOT analysis, and Docker Hub public data.