u/CompelledComa35

We tracked what free open source hardened images cost us in engineering time over two quarters

We tracked the true cost of free open source hardened images over two quarters. Everyone says just use the hardened UBI, it's free, what's the problem. The problem is maintenance doesn't show up on the sticker price.

CVE monitoring, rebuilding images when upstream finally got around to patching, scanner tuning, dependency tracking, and generating our own provenance docs because the images shipped with nothing. Roughly 400 engineering hours a year. That's a full-time contractor we could've spent on literally anything else.

Then audit season comes. We got no signed SBOM, no VEX, no build attestation. We generated all of it ourselves, two sprints of manually documenting what was inside every image. The auditor asked for the provenance chain and we handed them a spreadsheet we built and they were not impressed to say the least.

The lesson we took from this: free is always expensive. You pay in engineering hours, audit gaps, and hard Monday morning conversations with your CISO. If you're running containers in any kind of regulated or scaled environment, get minimal hardened images; the license is cheaper than what you're already spending.

u/CompelledComa35 — 1 day ago