Hardened Containers Made Simple

Secure Your Containers Without Risky Upgrades

Aikido already scans your containers and auto-fixes vulnerabilities. Now with Root.io, we provide hardened, safe-by-default base images for advanced base image security.

Same image, safer
Fix unpatched CVEs
No breaking changes

Enable integration Set up an Aikido Account

Fix Unpatchable Base Image Vulnerabilities

Upgrading to a newer base image can break builds, introduce runtime bugs, or require days of testing — and some CVEs don’t even have upstream fixes.

That’s where hardened images come in.

When Aikido detects a critical or high-severity CVE in your base image that can’t be fixed by upgrading safely, AutoFix will now suggest a hardened alternative: fully patched by Root.io, as drop-in replacements.

Code snippet showing a choice between using a hardened image or pinning to latest with details of fixing 75 issues versus 1 issue in a Dockerfile.

Why This Matters:

Stay on your current base image
Fix critical CVEs even if upstream maintainers haven't
Avoid breaking changes and retesting cycles
Automatically receive a PR through Aikido’s AutoFix

Built into Your Existing Workflow

Aikido AutoFix works directly in your set up. No new tools, no extra infrastructure.
Just smarter, safer images— automatically.

Learn how to use hardened images

Explore more features

⁴

⁵

Infrastructure as a code (IaC)

⁶

Container Scanning

⁷

DAST

⁸

License Risks

⁹

Malware in dependencies

¹⁰

End-of-life runtimes

¹¹

Custom Scanner

Use keyboard

to navigate through articles

Visit our Blog

What MDM can't protect on developer machines (and what to do about it)

Nicholas Thomson

What MDM can't protect on developer machines (and what to do about it)

Guides & Best Practices

May 28, 2026

Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens

Charlie Eriksen

Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens

Vulnerabilities & Threats

May 27, 2026

Aikido vs XBOW: 58% more vulnerabilities found in independent benchmark

Aleks Frelas

Aikido vs XBOW: 58% more vulnerabilities found in independent benchmark

News

May 27, 2026

Why developer machines are now the number one target for supply chain attacks

Sooraj Shah

Why developer machines are now the number one target for supply chain attacks

News

May 26, 2026

Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer

Ilyas Makari

Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer

Vulnerabilities & Threats

May 23, 2026

Google API keys keep working after you delete them

Joe Leon

Google API keys keep working after you delete them

Vulnerabilities & Threats

May 21, 2026

The Wild West of VS Code extensions and how a poisoned extension breached GitHub

Raphael Silva

The Wild West of VS Code extensions and how a poisoned extension breached GitHub

Vulnerabilities & Threats

May 20, 2026

GitHub breached via a malicious VS Code extension: why developer devices are the real target

Shaun Brown

GitHub breached via a malicious VS Code extension: why developer devices are the real target

Vulnerabilities & Threats

May 20, 2026

Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!

Raphael Silva

Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!

Vulnerabilities & Threats

May 19, 2026

Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages

Sooraj Shah

Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages

Vulnerabilities & Threats

May 19, 2026

One year of Opengrep: What we built and what’s next

Dimitris Mostrous

One year of Opengrep: What we built and what’s next

Product & Company Updates

May 12, 2026

Shadow AI is a fear response, and banning it makes it worse

Nicholas Thomson

Shadow AI is a fear response, and banning it makes it worse

News

May 12, 2026

Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack

Raphael Silva

Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack

Vulnerabilities & Threats

May 12, 2026

The complete GitHub Actions security checklist

Dania Durnas

The complete GitHub Actions security checklist

Guides & Best Practices

May 11, 2026

Rolling out developer security in a 5,000+ engineer organization

Mike Wilkes

Rolling out developer security in a 5,000+ engineer organization

Guides & Best Practices

May 6, 2026

Security metamorphosis: a Mythos-ready architecture checklist for autonomous AI attacks

Mike Wilkes

Security metamorphosis: a Mythos-ready architecture checklist for autonomous AI attacks

Guides & Best Practices

May 5, 2026

Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud

Ilyas Makari

Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud

Vulnerabilities & Threats

April 30, 2026

Aikido integrates with AWS Kiro: Catching in review doesn't scale anymore

Michiel Denis

Aikido integrates with AWS Kiro: Catching in review doesn't scale anymore

Product & Company Updates

April 30, 2026

A practical CTO security checklist to be Mythos-ready

Dania Durnas

A practical CTO security checklist to be Mythos-ready

Guides & Best Practices

April 30, 2026

Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer

Raphael Silva

Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer

Vulnerabilities & Threats

April 29, 2026

Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files

Charlie Eriksen

Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files

Vulnerabilities & Threats

April 29, 2026

It's time to treat browser extensions like supply chain attack vectors

Dania Durnas

It's time to treat browser extensions like supply chain attack vectors

Vulnerabilities & Threats

April 25, 2026

Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm

Ilyas Makari

Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm

Vulnerabilities & Threats

April 23, 2026

GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays

Ilyas Makari

GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays

Vulnerabilities & Threats

April 22, 2026

Introducing Device Protection: Security for Developer Devices

Madeline Lawrence

Introducing Device Protection: Security for Developer Devices

Product & Company Updates

April 20, 2026

Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow

Jorian Woltjer

Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow

Vulnerabilities & Threats

April 17, 2026

Reliable CVE sources in the age of NIST NVD cutbacks

Sooraj Shah

Reliable CVE sources in the age of NIST NVD cutbacks

News

April 16, 2026

Axios CVE-2026-40175: a critical bug that’s… not exploitable

Mackenzie Jackson

Axios CVE-2026-40175: a critical bug that’s… not exploitable

Vulnerabilities & Threats

April 14, 2026

Bug bounty isn’t dead, but the old model is breaking

Mackenzie Jackson

Bug bounty isn’t dead, but the old model is breaking

Technical

April 13, 2026

GlassWorm goes native: New Zig dropper infects every IDE on your machine

Ilyas Makari

GlassWorm goes native: New Zig dropper infects every IDE on your machine

Vulnerabilities & Threats

April 8, 2026

Aikido Attack finds multiple 0-days in Hoppscotch

Robbe Verwilghen

Aikido Attack finds multiple 0-days in Hoppscotch

Vulnerabilities & Threats

April 8, 2026

The cybersecurity doomerism around Mythos doesn't match what we see on the ground

Sooraj Shah

The cybersecurity doomerism around Mythos doesn't match what we see on the ground

News

April 6, 2026

axios compromised on npm: maintainer account hijacked, RAT deployed

Madeline Lawrence

axios compromised on npm: maintainer account hijacked, RAT deployed

Vulnerabilities & Threats

March 30, 2026

Popular telnyx package compromised on PyPI by TeamPCP

Charlie Eriksen

Popular telnyx package compromised on PyPI by TeamPCP

Vulnerabilities & Threats

March 27, 2026

Madeline Lawrence

Aikido × Lovable: Vibe, Fix, Ship

Product & Company Updates

March 24, 2026

CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran

Charlie Eriksen

CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran

Vulnerabilities & Threats

March 22, 2026

TeamPCP deploys CanisterWorm on NPM following Trivy compromise

Charlie Eriksen

TeamPCP deploys CanisterWorm on NPM following Trivy compromise

Vulnerabilities & Threats

March 20, 2026

Security testing is validating software that no longer exists

Sooraj Shah

Security testing is validating software that no longer exists

Guides & Best Practices

March 19, 2026

Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM

Michiel Denis

Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM

News

March 19, 2026

GlassWorm Hides a RAT Inside a Malicious Chrome Extension

Ilyas Makari

GlassWorm Hides a RAT Inside a Malicious Chrome Extension

Vulnerabilities & Threats

March 18, 2026

fast-draft Open VSX Extension Compromised by BlokTrooper

Raphael Silva

fast-draft Open VSX Extension Compromised by BlokTrooper

Vulnerabilities & Threats

March 18, 2026

Glassworm Strikes Popular React Native Phone Number Packages

Raphael Silva

Glassworm Strikes Popular React Native Phone Number Packages

Vulnerabilities & Threats

March 16, 2026

Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories

Ilyas Makari

Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories

Vulnerabilities & Threats

March 13, 2026

How Security Teams Fight Back Against AI-Powered Hackers

Dania Durnas

How Security Teams Fight Back Against AI-Powered Hackers

Vulnerabilities & Threats

March 12, 2026

Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks

Zach Rice

Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks

Product & Company Updates

March 12, 2026

Trump’s 2026 cybersecurity strategy: From compliance to consequence

Mike Wilkes

Trump’s 2026 cybersecurity strategy: From compliance to consequence

News

March 9, 2026

How does AI pentesting work with compliance?

Dania Durnas

How does AI pentesting work with compliance?

Compliance

March 9, 2026

What continuous pentesting actually requires

Sooraj Shah

What continuous pentesting actually requires

Guides & Best Practices

March 6, 2026

Rare Not Random: Using Token Efficiency for Secrets Scanning

Zach Rice

Rare Not Random: Using Token Efficiency for Secrets Scanning

Guides & Best Practices

March 3, 2026

Persistent XSS/RCE using WebSockets in Storybook’s dev server

Robbe Verwilghen

Persistent XSS/RCE using WebSockets in Storybook’s dev server

Vulnerabilities & Threats

March 3, 2026

Why Determinism Is Still a Necessity in Security

Dania Durnas

Why Determinism Is Still a Necessity in Security

Engineering

March 3, 2026

Introducing Aikido Infinite: A new model of self-securing software

Madeline Lawrence

Introducing Aikido Infinite: A new model of self-securing software

Product & Company Updates

February 26, 2026

How Aikido secures AI pentesting agents by design

Sooraj Shah

How Aikido secures AI pentesting agents by design

Product & Company Updates

February 24, 2026

Astro Full-Read SSRF via Host Header Injection

Jorian Woltjer

Astro Full-Read SSRF via Host Header Injection

Vulnerabilities & Threats

February 23, 2026

How to Get Your Board to Care About Security (Before a Breach Forces the Issue)

Mike Wilkes

How to Get Your Board to Care About Security (Before a Breach Forces the Issue)

Guides

February 23, 2026

What is Slopsquatting? The AI Package Hallucination Attack Already Happening

Dania Durnas

What is Slopsquatting? The AI Package Hallucination Attack Already Happening

Guides & Best Practices

February 20, 2026

SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel

Jorian Woltjer

SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel

Vulnerabilities & Threats

February 19, 2026

Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report

Sooraj Shah

Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report

News

February 17, 2026

From detection to prevention: How Zen stops IDOR vulnerabilities at runtime

Hans Ott

From detection to prevention: How Zen stops IDOR vulnerabilities at runtime

Product & Company Updates

February 16, 2026

npm backdoor lets hackers hijack gambling outcomes

Ilyas Makari

npm backdoor lets hackers hijack gambling outcomes

Vulnerabilities & Threats

February 16, 2026

Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code

Sooraj Shah

Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code

Product & Company Updates

February 13, 2026

Why Trying to Secure OpenClaw is Ridiculous

Dania Durnas

Why Trying to Secure OpenClaw is Ridiculous

News

February 13, 2026

Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security?

Sooraj Shah

Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security?

News

February 11, 2026

Introducing Aikido Expansion Packs: Safer defaults inside the IDE

Trusha Sharma

Introducing Aikido Expansion Packs: Safer defaults inside the IDE

Product & Company Updates

February 10, 2026

International AI Safety Report 2026: What It Means for Autonomous AI Systems

Dania Durnas

International AI Safety Report 2026: What It Means for Autonomous AI Systems

News

February 9, 2026

npx Confusion: Packages That Forgot to Claim Their Own Name

Charlie Eriksen

npx Confusion: Packages That Forgot to Claim Their Own Name

Vulnerabilities & Threats

February 4, 2026

Introducing Aikido Package Health: a Better Way to Trust Your Dependencies

Trusha Sharma

Introducing Aikido Package Health: a Better Way to Trust Your Dependencies

Product & Company Updates

February 3, 2026

AI Pentesting: Minimum Safety Requirements for Security Testing

Sooraj Shah

AI Pentesting: Minimum Safety Requirements for Security Testing

Guides & Best Practices

February 3, 2026

Secure SDLC for Engineering Teams (+ Checklist)

Divine Odazie

Secure SDLC for Engineering Teams (+ Checklist)

Guides & Best Practices

February 2, 2026

Fake Clawdbot VS Code Extension Installs ScreenConnect RAT

Charlie Eriksen

Fake Clawdbot VS Code Extension Installs ScreenConnect RAT

Vulnerabilities & Threats

January 27, 2026

G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets

Charlie Eriksen

G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets

Vulnerabilities & Threats

January 23, 2026

Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages

Charlie Eriksen

Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages

Vulnerabilities & Threats

January 23, 2026

Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT

Charlie Eriksen

Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT

Vulnerabilities & Threats

January 23, 2026

Divine Odazie

Top 10 AI Security Tools For 2026

DevSec Tools & Comparisons

January 21, 2026

Agent Skills Are Spreading Hallucinated npx Commands

Charlie Eriksen

Agent Skills Are Spreading Hallucinated npx Commands

Vulnerabilities & Threats

January 21, 2026

Understanding Open-Source License Risk in Modern Software

Mackenzie Jackson

Understanding Open-Source License Risk in Modern Software

Guides & Best Practices

January 19, 2026

The CISO Vibe Coding Checklist for Security

Sooraj Shah

The CISO Vibe Coding Checklist for Security

Guides & Best Practices

January 16, 2026

Top 6 Graphite alternatives for AI code review in 2026

Divine Odazie

Top 6 Graphite alternatives for AI code review in 2026

DevSec Tools & Comparisons

January 16, 2026

From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B

Madeline Lawrence

From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B

Product & Company Updates

January 14, 2026

Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858)

Sooraj Shah

Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858)

Vulnerabilities & Threats

January 8, 2026

Divine Odazie

Top 14 VS Code Extensions for 2026

DevSec Tools & Comparisons

January 7, 2026

AI-Driven Pentesting of Coolify: Seven CVEs Identified

Robbe Verwilghen

AI-Driven Pentesting of Coolify: Seven CVEs Identified

Aikido

January 7, 2026

SAST vs SCA: Securing the Code You Write and the Code You Depend On

Divine Odazie

SAST vs SCA: Securing the Code You Write and the Code You Depend On

Technical

January 6, 2026

JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack

Charlie Eriksen

JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack

Vulnerabilities & Threats

January 5, 2026

How Engineering and Security Teams Can Meet DORA’s Technical Requirements

Sooraj Shah

How Engineering and Security Teams Can Meet DORA’s Technical Requirements

Compliance

January 5, 2026

IDOR Vulnerabilities Explained: Why They Persist in Modern Applications

Sooraj Shah

IDOR Vulnerabilities Explained: Why They Persist in Modern Applications

Vulnerabilities & Threats

January 2, 2026

Shai Hulud strikes again - The golden path

Charlie Eriksen

Shai Hulud strikes again - The golden path

Vulnerabilities & Threats

December 28, 2025

MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It

Sooraj Shah

MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It

Vulnerabilities & Threats

December 26, 2025

First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson

Charlie Eriksen

First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson

Vulnerabilities & Threats

December 25, 2025

The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security

Charlie Eriksen

The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security

Vulnerabilities & Threats

December 17, 2025

Divine Odazie

Top 10 Cyber Security Tools For 2026

DevSec Tools & Comparisons

December 16, 2025

SAST in the IDE is now free: Moving SAST to where development actually happens

Trusha Sharma

SAST in the IDE is now free: Moving SAST to where development actually happens

Product & Company Updates

December 15, 2025

AI Pentesting in Action: A TL;DV Recap of Our Live Demo

Trusha Sharma

AI Pentesting in Action: A TL;DV Recap of Our Live Demo

Guides

December 15, 2025

The Top 7 Threat Intelligence Tools in 2026

Divine Odazie

The Top 7 Threat Intelligence Tools in 2026

DevSec Tools & Comparisons

December 15, 2025

React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell

Mackenzie Jackson

React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell

Vulnerabilities & Threats

December 12, 2025

OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know

Sooraj Shah

OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know

Guides & Best Practices

December 10, 2025

PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents

Rein Daelman

PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents

Vulnerabilities & Threats

December 4, 2025

Divine Odazie

Top 7 Cloud Security Vulnerabilities

Guides & Best Practices

December 4, 2025

Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now

Sooraj Shah

Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now

Vulnerabilities & Threats

December 3, 2025

How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams

Divine Odazie

How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams

Compliance

December 3, 2025