Vision
CleanStart's strategic mission is to make verified-source, cryptographically signed container images the production standard, eliminating the supply chain security vulnerabilities that plague today's container ecosystems. We're building the industry infrastructure for trustworthy container images: systematic vulnerability remediation, built-in provenance, and compliance-ready attestation that works at scale.
Our three-year roadmap focuses on expanding the image catalog, enabling enterprise deployments at scale, and deeply integrating with modern DevOps workflows.
Roadmap Principles
These principles guide every feature decision and release.
1. Security-First
Every feature ships with full cryptographic provenance. No exceptions. Signatures, SBOMs, SLSA attestations, and vulnerability evidence are not "nice to have"—they're baked into every image. This commitment means that even as CleanStart expands, security never becomes a secondary concern—it remains the foundation upon which all other capabilities rest.
2. Backward Compatible
Existing CleanStart images continue to work. Breaking changes require a minimum 6-month deprecation notice and migration guides. Old images remain available (read-only) for 12 months after deprecation. This ensures that organizations that invest in CleanStart today won't face sudden breakage as we evolve, and that teams have ample time to plan migrations before any functionality changes.
3. Standards-Based
We implement NIST, Sigstore, OWASP, and Linux Foundation standards (SLSA 4, SBOM 3.0, OCI distribution spec) rather than proprietary formats, ensuring ecosystem portability and future-proofing your deployments. By adhering to open standards, we ensure that your investment in CleanStart integrates seamlessly with other tools and won't lock you into a proprietary ecosystem.
4. Customer-Driven
Roadmap priorities are shaped by production feedback, enterprise customer requests, and measurable security incident data. This document reflects actual customer demands, not engineering guesses. We prioritize features based on real-world problems we see customers facing, not theoretical technology trends.
Current Release: Q1 2026 (v1.2.0)
Current Status: Production-ready, with a 78-test verification suite and 11 cryptographic artifacts per image.
What's Live Now
Language Runtimes
CleanStart currently offers verified, secure container images for the following language runtimes. Python is available in both standard and FIPS 140-3 certified variants. We support Python 3.11 and 3.12 to cover the latest stable releases and one version back for organizations on slower upgrade cycles. Node.js images support versions 18, 20, and 22, with FIPS variants available for compliance-sensitive deployments. For Go development, we provide versions 1.21 and 1.22. The Java ecosystem is served through both OpenJDK (versions 17 and 21) and GraalVM for native compilation scenarios. Ruby developers can access versions 3.2 and 3.3. For systems programming and performance-critical applications, Rust is available in versions 1.75 and 1.80. The .NET runtime platform is supported through versions 7.0 and 8.0 for modern application development.
Application Images
Beyond language runtimes, CleanStart provides verified images for critical infrastructure components and data storage systems that many applications depend upon. PostgreSQL is available in versions 14, 15, and 16 to support a range of deployment scenarios and upgrade paths. MySQL support includes versions 8.0 and 8.1 with hardened configurations. MongoDB 7.0 provides a NoSQL option for document-oriented workloads. For caching infrastructure, Redis versions 7.0 and 7.2 are available. Web server capabilities are provided through NGINX versions 1.24 and 1.25, and Apache HTTP Server 2.4 completes the application server offerings.
Key Capabilities
The v1.2.0 release ships with comprehensive security and compliance features built in. Container images are distributed as shell-less, read-only root filesystem variants running as a non-root user (UID 65532) to eliminate entire classes of supply chain attack vectors. Every image includes SLSA Level 4 provenance documentation, proving exactly how and when the image was built. Cosign signature verification with OIDC tokens ensures that only authentic, unmodified images can be deployed. SBOMs are generated in both SPDX 3.0 and CycloneDX 1.4 formats, providing a comprehensive component inventory. CVE tracking and remediation follow strict SLAs: Critical vulnerabilities are patched within 24 hours and High-severity issues within 7 days. The APK package manager enables flexible composition, with subpackage stripping to reduce image size. A two-factory build architecture separates bootstrap infrastructure from application layers, enforcing a security boundary between them. Finally, each image family is validated through a comprehensive 78-test suite covering security, functionality, and performance.
CleanSight Monitoring (Optional)
An optional monitoring service called CleanSight detects when your production systems are running outdated CleanStart images and recommends upgrades with severity scores. It integrates with common alerting platforms including Slack, email, and PagerDuty, enabling teams to stay informed about security updates without constantly checking registries.
Near-Term Roadmap: Q2–Q3 2026 (Next 3 Months)
Theme: "Expand the Catalog"
Release Q2 2026: v1.3.0
Focus: Demand-driven language expansion and developer productivity.
New Language Runtimes
Kotlin versions 1.9 and 2.0 are being added to serve microservices and Android backend development with approximately 150+ enterprises requesting this support. FIPS 140-3 variant availability ensures government and regulated industry compliance. Scala versions 2.13 and 3.x will serve Apache Spark and Kafka ecosystems, addressing distributed computing workloads across 80+ enterprises. FIPS variants will be available here as well, expanding our compliance coverage. PHP versions 8.2 and 8.3 address the substantial installed base of legacy PHP applications and modern CMS platforms that enterprises need to modernize, with an estimated 200+ enterprises needing this support. APM-instrumented variants for DataDog and New Relic integration will enable developers to deploy with built-in observability. Swift versions 5.8 and 5.9 support server-side Swift development and iOS backend services, though with smaller estimated demand of 30+ enterprises. FIPS capability through the Foundation framework ensures compliance-ready Swift deployments.
New Application Images
PostgreSQL will be updated to version 17 as the latest upstream release becomes available, maintaining our commitment to supporting current versions. MariaDB 11 will provide an open-source MySQL alternative for organizations with licensing concerns. Elasticsearch 8.x, signed with Cosign, will be available for search and analytics workloads. Grafana versions 10 and 11 will be pre-configured with hardened defaults, enabling organizations to deploy observability infrastructure securely. Vault 1.15+ will address secrets management requirements with comprehensive key and credential handling.
Enhanced FIPS 140-3 Coverage
FIPS-capable images will expand from the current 40% of the catalog to reach 75% coverage, ensuring that compliance-sensitive organizations have broader options. New cryptographic operation modules will be added specifically to support FIPS requirements. FIPS validation documentation will include details on CMVP-approved algorithms to assist with regulatory audits. A real-world FIPS compliance testing kit will be provided to organizations navigating export-control scenarios and international compliance requirements.
Image Variants
A "slim" variant will be introduced, reducing image size to approximately 50% of the standard variant while removing development tools for pure runtime scenarios. A "runtime" variant will be optimized for production with build tools removed but dev libraries retained for debugging. A "debug" variant will include shell, debuggers, and profilers specifically for development-only use, making troubleshooting easier without compromising production security.
Release Q3 2026: v1.4.0
Focus: Platform expansion and ecosystem growth.
Multi-Architecture Builds
Tier 1 (Fully Certified) support will include AMD64 (x86-64) as the primary platform, and ARM64 (aarch64) for Apple Silicon, AWS Graviton2+ processors, and Raspberry Pi deployments. Identical security posture, SBOMs, and signatures will be maintained across all supported architectures.
Tier 2 (Community-Supported) additions will include PowerPC64 (ppc64le) for IBM Power Systems workloads, IBM System Z (s390x) for mainframe computing environments, and RISC-V (riscv64) for emerging platforms. While not fully certified, these platforms will receive community support and validation.
CleanSight Enhanced
Auto-upgrade recommendations will analyze your image versions across your environment and recommend upgrades with risk scores, reducing manual security triage work. A compliance dashboard will export audit-ready reports in SOC 2, FedRAMP, and PCI-DSS formats, accelerating compliance audits. Cost analysis features will show registry storage savings achievable through image compression optimization. Team collaboration capabilities will enable sharing vulnerability assessments across security teams and adding comments to findings.
Custom Image Builder API (Beta)
Customers will be able to submit custom Dockerfile recipes to CleanStart, which will build, sign, and host the resulting image while maintaining the full provenance chain connecting customer code to the verified image. This addresses proprietary applications and internal middleware components that don't fit pre-built offerings. A 24-hour build turnaround SLA ensures quick iteration cycles, with all images including cryptographic signatures.
Mid-Term Roadmap: Q4 2026 – Q1 2027 (3–6 Months Out)
Theme: "Enterprise Scale"
Release Q4 2026: v2.0.0
Focus: Enterprise deployments, air-gapped environments, ecosystem integration.
Enterprise Features
Multi-tenancy support will enable separate image namespaces, per-team audit logs, and billing. Custom CVE policies will allow teams to define which vulnerabilities block deployment based on severity thresholds and CVSS scores. Compliance reporting will automatically export evidence for SOC 2, FedRAMP, HIPAA, PCI-DSS, and CMMC requirements. Advanced RBAC will govern role-based access to images, signing permissions, and deprecation approval workflows. Audit logging will track every image pull, deployment, and vulnerability discovery with 90+ day retention. Monthly SLA reporting will demonstrate vulnerability remediation compliance to auditors and customers.
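The custom CVE policies described above, together with the remediation SLAs from the Key Capabilities section (Critical within 24 hours, High within 7 days), amount to a small decision function: given a scan result, does this image block deployment, and is any finding past its SLA? The block below is an added example, not CleanStart's own code or policy format. The policy fields, the time-boxed exception mechanism and the CVE-0000-* identifiers are constructed for illustration; only the two SLA windows come from the page.

```python
# Added example (not CleanStart's own code): evaluating a constructed vulnerability
# scan against a deployment-blocking policy. Policy shape, field names and the
# CVE-0000-* identifiers are constructed for illustration; only the SLA windows
# (Critical 24h, High 7d) come from the page.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Remediation SLAs stated on the page.
SLA = {"CRITICAL": timedelta(hours=24), "HIGH": timedelta(days=7)}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    cve_id: str            # CVE-0000-* values below are placeholders, not real CVEs
    severity: str          # LOW / MEDIUM / HIGH / CRITICAL
    cvss: float
    discovered: datetime   # when the scanner first reported it (tz-aware)
    fixed: bool = False    # True once the image has been rebuilt with the fix


@dataclass
class Policy:
    block_at_or_above: str = "HIGH"                  # severity that blocks a deployment
    cvss_block: float = 7.0                          # ...or any CVSS score at or above this
    exceptions: dict = field(default_factory=dict)   # cve_id -> expiry datetime


def evaluate(findings, policy, now):
    """Return (allowed, reasons).

    A finding blocks deployment when it is unfixed, not covered by an unexpired
    exception, and meets either the severity or the CVSS threshold. Unfixed
    Critical/High findings older than their SLA window are reported as breaches
    regardless of the blocking thresholds, so auditors see them even under a
    lenient policy.
    """
    reasons = []
    threshold = SEVERITY_RANK[policy.block_at_or_above.upper()]
    for f in findings:
        if f.fixed:
            continue
        expiry = policy.exceptions.get(f.cve_id)
        if expiry is not None and now < expiry:
            continue   # time-boxed exception still valid; expired ones fall through
        sev = f.severity.upper()
        if SEVERITY_RANK.get(sev, 0) >= threshold or f.cvss >= policy.cvss_block:
            reasons.append(f"{f.cve_id}: {sev} (CVSS {f.cvss}) exceeds policy")
        window = SLA.get(sev)
        if window is not None and now - f.discovered > window:
            overdue = now - f.discovered - window
            reasons.append(f"{f.cve_id}: {sev} remediation SLA breached by {overdue}")
    return (not reasons, reasons)


# Constructed scan snapshot for a single image, evaluated at a fixed instant.
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "CRITICAL", 9.8, NOW - timedelta(hours=30)),         # blocks; 24h SLA missed
    Finding("CVE-0000-0002", "HIGH", 7.5, NOW - timedelta(days=2)),               # blocks; within 7d SLA
    Finding("CVE-0000-0003", "MEDIUM", 7.2, NOW - timedelta(days=1)),             # blocks via CVSS only
    Finding("CVE-0000-0004", "LOW", 3.1, NOW - timedelta(days=40)),               # no SLA, no block
    Finding("CVE-0000-0005", "HIGH", 8.1, NOW - timedelta(days=10), fixed=True),  # already fixed
    Finding("CVE-0000-0006", "HIGH", 7.4, NOW - timedelta(days=1)),               # covered by exception
]
SAMPLE_POLICY = Policy(exceptions={"CVE-0000-0006": NOW + timedelta(days=7)})


def demo():
    """Evaluate the constructed scan under the default policy."""
    return evaluate(SAMPLE_FINDINGS, SAMPLE_POLICY, NOW)


if __name__ == "__main__":
    allowed, reasons = demo()
    print("allowed:", allowed)
    for r in reasons:
        print(" -", r)
```

Under the default policy the constructed scan is rejected for four reasons: the Critical finding both exceeds the threshold and is six hours past its 24-hour SLA, the High finding exceeds the threshold, and the Medium finding is caught by its CVSS score alone. The fixed finding and the one under an unexpired exception produce nothing. Loosening the policy to block only at Critical with a CVSS cut-off of 9.0 still reports the SLA breach, which is the behaviour a compliance reviewer wants: thresholds are a team decision, SLA evidence is not.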
Air-Gapped Deployment Tooling
Organizations running in isolated networks will be able to download image bundles for offline use. Signature validation will work in isolation without requiring internet access. Bandwidth-optimized mirroring will sync only deltas between versions, achieving 60% bandwidth savings. Automated mirror update scripts will keep internal registries synchronized with latest images without manual intervention.
Registry Federation Support
Full OCI Distribution Spec 1.1 compliance will enable true federation protocols. Images will be available across AWS ECR, GCP Artifact Registry, Azure Container Registry, and harbor.dev simultaneously. Cross-region replication will sync images with signature preservation intact. Private registry bridging will connect on-premise registries to CleanStart images.
Image Deprecation Lifecycle
CleanSight will provide deprecation notices 90 days in advance of sunset. Migration paths will be documented for each deprecated image. Deprecated images will remain available read-only for 12 months without security updates. Pricing will impose no charge for deprecated image access, encouraging orderly migration without creating financial penalties.
Release Q1 2027: v2.1.0
Focus: Developer productivity, IDE integration, CI/CD native support.
Native CI/CD Plugins
GitHub Actions integration will enable using CleanStart images directly with automatic signature verification through a verified action. A simple YAML configuration will specify required SBOM and SLSA level enforcement. GitLab CI will natively integrate with .gitlab-ci.yml configuration, enabling automatic image verification. Jenkins will gain a CleanStart plugin with image verification, SBOM injection, and vulnerability scanning capabilities. CircleCI will receive an Orb for image verification and compliance checks. ArgoCD sync policy enforcement will ensure only verified CleanStart images are deployed.
Developer Productivity
IDE Extensions for VSCode and IntelliJ will highlight available CleanStart images and show vulnerabilities with remediation links. A Local Docker Dashboard will show which of your images are outdated with one-click upgrade commands. A Dockerfile linter will warn when pulling non-CleanStart base images and suggest secure alternatives. An SBOM viewer will provide a built-in UI to browse image contents and explore the dependency tree.
Performance Improvements
Image pull optimization will deliver 30% faster pull times through content-addressable compression. Multi-chunk parallel downloads will fetch multiple layers concurrently, achieving a 4x speedup on high-latency networks. Smart client-side caching will keep SBOMs, signatures, and metadata locally so they are not re-downloaded on repeated pulls.
Long-Term Roadmap: Q2–Q4 2027 (6–12 Months Out)
Theme: "Ecosystem Integration & eBPF Runtime Security"
Release Q2 2027: v2.2.0
Focus: Service mesh integration, runtime security, advanced observability.
Service Mesh Integration
Istio integration will perform automatic image verification at sidecar injection, preventing untrusted image deployments at the admission control layer. Real-time vulnerability alerts will trigger mTLS policy updates to prevent compromised services from communicating. Linkerd integration will natively verify image trust, incorporating supply chain integrity checks before traffic routing. Certificate management will ensure proper handling of signed image access.
eBPF Runtime Security
Kernel-level image verification will check file signatures on file system access through eBPF hooks, creating a runtime security boundary. Anomaly detection will identify unauthorized processes spawning from containers. System call profiling will build a baseline for each image and alert on unexpected system calls. Compliance monitoring will perform real-time policy violation checks, including detection of writes to read-only filesystems and privilege escalation attempts.
Advanced Observability
OpenTelemetry native support will emit image verification events as OTEL spans for integration with observability platforms. Prometheus metrics will expose image pull latency, signature verification time, and vulnerability detection lag. Distributed tracing will trace image delivery through registry federation and verify the cryptographic chain. Cost tracking will provide per-team metrics for image storage, bandwidth, and build time.
Release Q3 2027: v2.3.0
Focus: Compliance automation, regulatory alignment.
Compliance Framework Automation
NIST Cybersecurity Framework (CSF) 2.0 mapping will automatically map image provenance to NIST CSF functions. CMMC Level 3 support will generate evidence for Cybersecurity Maturity Model Certification required by DoD contractors. HIPAA BAA templates will provide images ready for healthcare deployments. SOC 2 automation will auto-generate 99% of audit evidence from image metadata. FedRAMP compliance will offer images certified for federal government deployments.
Regulatory Evidence Export
Automated report generation will export vulnerability remediation SLA compliance, audit logs, and SBOM changes. Chain-of-custody documentation will prove image integrity from build to production through cryptographic attestations. Sandbox environments will test compliance policies without affecting production. Automated incident response will collect evidence during breach investigations.
Machine Learning for CVE Prioritization
Severity scoring will combine NVD CVSS with exploit availability, attack complexity, and affected population. Remediation urgency will predict vulnerability exploitability within 30 days to help triage patches. Supply chain risk flagging will identify images with compromised dependencies using SBOM data.
Release Q4 2027: v3.0.0
Focus: Next-generation container platform architecture.
Container Image Verification at Scale
Notary v2 integration will bring full compliance with the Notary v2 specification for next-generation container signing standards. Blockchain-backed provenance (optional) will provide immutable records of builds and deployments for high-security environments. Decentralized signing will support threshold signatures requiring M-of-N approvals for deployment.
Zero-Trust Container Orchestration
Kubernetes admission webhooks will enforce that only CleanStart images with verified signatures can be deployed at the cluster level. Compliance-as-code through Kubernetes CustomResourceDefinitions will enable defining image policies as standard Kubernetes objects, making policy enforcement GitOps-friendly.
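The admission webhook described above, combined with the Cosign/OIDC signature verification from the Key Capabilities section, reduces to three checks per container image: is it pinned by digest rather than a mutable tag, does it come from the allowed registry, and does the signature verify? The block below is an added example of that decision logic and is not CleanStart's or Kubernetes' code. The registry name (registry.example.invalid), the digests and the trusted-digest verifier are constructed stand-ins; a real webhook would call the signature verifier (for instance cosign, with the expected OIDC issuer and signer identity) at the point where the example consults its constructed set.

```python
# Added example (not CleanStart's or Kubernetes' own code): the decision logic of
# a validating admission webhook that admits a Pod only when every container image
# is digest-pinned, comes from an allowed registry, and passes a signature check.
# The registry name, the digests and the trusted-digest verifier are constructed
# stand-ins; a real webhook would call the signature verifier (e.g. cosign) with
# the expected OIDC issuer and signer identity instead.
import json
import re

ALLOWED_REGISTRY = "registry.example.invalid/cleanstart/"   # placeholder registry
DIGEST_RE = re.compile(r"^(?P<name>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")

# Constructed "known good" (name, digest) pairs standing in for signature
# verification results.
TRUSTED = {
    ("registry.example.invalid/cleanstart/python", "sha256:" + "a" * 64),
    ("registry.example.invalid/cleanstart/nginx", "sha256:" + "d" * 64),
}


def trusted_digest_verifier(name, digest):
    """Stand-in verifier: true only for digests in the constructed trusted set."""
    return (name, digest) in TRUSTED


def image_check(ref, verify):
    """Return None when the reference is acceptable, otherwise the rejection reason."""
    m = DIGEST_RE.match(ref)
    if m is None:
        return f"{ref}: image must be pinned by sha256 digest, not a mutable tag"
    name, digest = m.group("name"), m.group("digest")
    if not name.startswith(ALLOWED_REGISTRY):
        return f"{ref}: registry not allowed"
    if not verify(name, digest):
        return f"{ref}: signature verification failed"
    return None


def pod_images(pod):
    """All images a Pod can run, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    return [c["image"]
            for key in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(key, [])]


def review(admission_review, verify=trusted_digest_verifier):
    """Build the AdmissionReview response for a Pod CREATE/UPDATE request."""
    req = admission_review["request"]
    reasons = [r for r in (image_check(i, verify) for i in pod_images(req["object"])) if r]
    response = {"uid": req["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def _admission_request(uid, containers, init_containers=()):
    """Constructed AdmissionReview request carrying a minimal Pod object."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "operation": "CREATE",
                        "object": {"spec": {
                            "containers": [{"name": f"c{i}", "image": img}
                                           for i, img in enumerate(containers)],
                            "initContainers": [{"name": f"i{i}", "image": img}
                                               for i, img in enumerate(init_containers)]}}}}


SAMPLE_GOOD = _admission_request("11111111-0000-0000-0000-000000000001",
                                 ["registry.example.invalid/cleanstart/python@sha256:" + "a" * 64],
                                 ["registry.example.invalid/cleanstart/nginx@sha256:" + "d" * 64])
SAMPLE_BAD = _admission_request("11111111-0000-0000-0000-000000000002",
                                ["registry.example.invalid/cleanstart/python:3.12",                  # mutable tag
                                 "registry.example.invalid/cleanstart/python@sha256:" + "b" * 64],  # unknown digest
                                ["docker.io/library/busybox@sha256:" + "c" * 64])                   # wrong registry


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_GOOD)["response"], indent=2))
    print(json.dumps(review(SAMPLE_BAD)["response"], indent=2))
```

Two design points carry over to a real deployment. Init and ephemeral containers are checked alongside regular containers, since a policy that only inspects `containers` leaves a gap. And the digest-pinning check runs before verification: a signature can only be bound to a digest, so a tag-only reference is rejected outright instead of being resolved at admission time, which is the step the "only verified images" guarantee depends on.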
AI-Powered Supply Chain Intelligence
Threat intelligence will provide real-time alerts when dependencies are mentioned in CVEs or exploit databases. Provenance visualization will create interactive graphs showing dependency relationships and vulnerability exposure. Predictive patching will recommend patches before CVEs affect your images, shifting from reactive to proactive security. Optional competitor analysis (premium feature) will show which dependencies competitors are using.
Deprecation Policy
Schedule
Deprecation will follow a structured timeline to allow organizations adequate planning and migration time. A deprecation is announced a minimum of 6 months before it takes effect. Those 6 months are a grace period of continued support during which the feature functions normally. End-of-life comes 12 months after the deprecation takes effect; during those 12 months, deprecated images remain available read-only without security updates.
Examples
For a hypothetical Python 2.7 (if we ever added it), the timeline would be: announce deprecation in January 2026, with the actual deprecation occurring in July 2026, and complete end-of-life in July 2027. Older FIPS variants would follow similar timelines once algorithms become de-supported by CMVP, with 6 months advance notice provided.
Migration Support
Every deprecation includes detailed migration guides with side-by-side code examples showing how to move to successor versions. Automated migration scripts will be provided where technically feasible to ease the transition process. Open office hours will be held to answer questions from affected organizations. A community Slack channel will facilitate peer-to-peer support among organizations managing the migration.
Feature Request Process
We prioritize new images and features based on customer demand and security impact through a structured process.
How to Request a Feature
First, check existing requests in our GitHub Discussions (link TBD) to see if someone has already asked for the feature you need. If not found, fill out the feature request template including four key elements: what (new language, application, or capability), why (use case, team size affected, security benefits), evidence (customer count interested, production urgency), and timeline (when you need this). The community votes on requests they care about to indicate demand. We review top requests quarterly and commit to a roadmap schedule.
Prioritization Criteria
Immediate (next release) priority goes to security incidents, critical compliance needs, and features affecting 50+ enterprise customers. Soon (next 2 quarters) priority covers features requested by 20+ customers with clear use cases that enable new workload types. Future (6+ months) priority includes niche use cases, community interest, and educational value. The Unlikely category covers proprietary ecosystems, low-adoption languages, and features that violate our core principles.
Release Cadence
We maintain a predictable release schedule to help organizations plan upgrades. Major versions (v1 → v2) ship annually and include architectural changes. Minor versions (.0 → .1) ship quarterly with new images and features. Patch versions (.1 → .2) ship monthly with security updates only. Hotfixes are released as needed with a 24-hour SLA for Critical issues.
Strategic Themes (2027–2028 Preview)
Beyond this three-year roadmap, we are researching several emerging areas that will shape future releases. WebAssembly (WASM) modules will enable verifiable WebAssembly components with complete attestation chains. Unikernels and specialized kernels will provide minimal kernel images optimized for specific workloads like databases, machine learning, or networking. Confidential computing will deliver images optimized for trusted execution environments including Intel SGX and AMD SEV. Direct Hardware Security Module integration will simplify key management for cryptographic operations. Quantum-resistant cryptography will be implemented as cryptographic standards evolve to address future computing paradigms.
Competitive Analysis: Why CleanStart Leads
The following comparison table illustrates how CleanStart differentiates itself across key security, compliance, and operational capabilities relative to alternative container base image providers.
| Capability | CleanStart | Alpine | Ubuntu | Distroless | Chainguard |
|---|---|---|---|---|---|
| SLSA Level 4 | ✅ | ❌ | ❌ | ✅ | ✅ |
| Cosign signed | ✅ | ❌ | ❌ | ✅ | ✅ |
| SBOM (SPDX 3.0) | ✅ | ❌ | ⚠️ | ✅ | ✅ |
| CVE remediation SLA | ✅ 24h | ❌ | ⚠️ 7–14d | ✅ 24h | ✅ 24h |
| FIPS 140-3 variants | ✅ | ❌ | ⚠️ | ✅ | ✅ |
| Multi-architecture | ✅ AMD64/ARM64 | ⚠️ Limited | ✅ | ✅ | ✅ |
| Cost per image/year | $X (subscription) | Free | Free | $X (Chainguard) | $X (Chainguard) |
| Custom image builder | ✅ v2.0 | ❌ | ❌ | ✅ | ✅ |
| 90+ day audit logs | ✅ v2.0 | ❌ | ❌ | ⚠️ | ✅ |
| Enterprise RBAC | ✅ v2.0 | ❌ | ❌ | ⚠️ | ✅ |
Investment & Growth Metrics
What we're optimizing for: Customer adoption curves that double every 12 months during 2026–2027, security incident prevention targeting 90% reduction in supply chain incidents for our customers, enterprise market share aiming for 20% of Fortune 500 adoption by 2028, and developer productivity reducing security review time from 5 days to under 1 day.
Funding allocation (approximate): 40% of resources go to engineering for new images, features, and infrastructure. 25% supports security and compliance work including CVE response, audit, and standards. 20% goes to customer success including onboarding, support, and custom builds. 15% supports operations including SRE, monitoring, and disaster recovery.
How to Stay Updated
Our roadmap remains a living document with multiple avenues for staying informed. Quarterly roadmap reviews are conducted through public calls (Zoom link TBD). Detailed release notes with breaking changes are published on GitHub Releases. Technical articles and case studies appear regularly on our blog. A Slack community channel facilitates questions and early access to beta features. A monthly email digest highlights releases, security advisories, and community achievements.
What to Read Next
Release Notes & Changelog: Detailed version history and feature additions.
Image Catalog Reference: Complete list of available images.
Compliance & Standards Mapping: NIST CSF, CMMC, FedRAMP, SOC 2 alignment.
Request a Feature: GitHub Discussions for feature requests.
