Minimus Adds Supply Chain Protection and Minicli, Pushing Container Security Toward Image-as-Code
#DevOps

Startups Reporter

Minimus is betting that the safest container is one that ships with almost nothing inside it. Its latest release pairs supply chain protection with Minicli, a command-line tool for policy enforcement, and a workflow that treats container images the way developers already treat infrastructure: as code under version control.

Minimus, the cloud-native security startup focused on minimal container images, has expanded its platform with two additions aimed at the part of software security that teams most often neglect: the dependencies they never chose to install. The company announced supply chain protection alongside Minicli, a command-line tool for policy enforcement, and a new image-as-code capability that lets teams define and govern container images through the same review workflows they use for everything else.

The pitch rests on a simple observation that has become harder to ignore. Most container images are bloated. A standard base image pulls in shells, package managers, system libraries, and utilities that an application never calls at runtime but an attacker can happily use. Every one of those components is a potential vulnerability that security teams have to scan, triage, and patch. The work compounds quietly until a single service drags hundreds of unaddressed CVEs through a pipeline, most of them attached to software nobody asked for.

The problem Minimus is going after

Minimus builds minimal, hardened images that strip out everything not required to run the workload. Fewer packages mean a smaller attack surface and, just as importantly, far fewer vulnerability findings for engineers to chase. The approach overlaps with what projects like distroless and companies such as Chainguard have popularized, and it reflects a real shift in how teams think about base images. The competitive question is no longer whether minimal images matter. It is who can deliver them across a broad catalog while keeping them current as upstream code changes.

That maintenance burden is where supply chain attacks tend to live. Compromised dependencies, malicious package updates, and tampered build artifacts have moved from theoretical risk to recurring incident over the past few years. Securing the image itself does little good if the path that produces it can be poisoned. Minimus is positioning its supply chain protection as coverage for that gap, validating the integrity and provenance of what goes into an image rather than only inspecting the result.

Minicli and policy as a command

The more interesting piece for day-to-day engineering work is Minicli, the new command-line tool for policy enforcement. Putting policy at the command line matters because it meets developers where decisions actually get made: in the terminal and in CI, not in a dashboard someone checks after the fact. A team can encode rules about which images are permitted, what they may contain, and which provenance requirements must hold, then enforce those rules automatically before anything reaches production.

This is the same logic that made Open Policy Agent and admission controllers useful in Kubernetes environments. Policy that runs as part of the build catches problems early, when fixing them is cheap, instead of generating an alert after deployment. The value of a dedicated CLI is friction reduction. If checking compliance is one command, it gets run. If it requires a separate portal, it gets skipped under deadline pressure.

Image-as-code as the organizing idea

The image-as-code capability ties the release together. The phrase borrows directly from infrastructure-as-code, and the analogy is the point. Tools like Terraform made infrastructure reviewable, versioned, and reproducible by turning it into files in a repository. Minimus wants container images to live under the same discipline. Defining an image declaratively means its contents become auditable, changes go through pull requests, and the gap between what a team thinks it shipped and what it actually shipped narrows.

For security and platform teams, that reproducibility is the practical win. An image defined as code can be rebuilt identically, diffed against a previous version, and reasoned about without archaeology. It also gives policy enforcement something concrete to act on. Minicli can evaluate a declared image specification rather than reverse-engineering a binary blob after the fact.
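The Minicli section above and the image-as-code passage both describe the same mechanism: a declared image specification checked against team policy before anything reaches production. The following is an added illustration of that idea, not Minimus code; the spec layout, the policy keys and the sample values are all constructed for the example and do not represent Minicli's actual format.

```python
# Constructed, hypothetical declarative image spec (not Minicli's format).
# It stands in for the "image as code" file a team would keep in version control.
IMAGE_SPEC = {
    "name": "payments-api",
    "base": "registry.example.com/minimal/python:3.12",
    "packages": ["python3", "libssl3", "bash"],
    "provenance": {"signed": True, "slsa_level": 2},
}

# Constructed policy: the rules a team wants enforced in CI before deployment.
POLICY = {
    "allowed_base_prefixes": ["registry.example.com/minimal/"],
    "denied_packages": {"bash", "sh", "apt", "apk", "curl", "wget"},
    "require_signed": True,
    "min_slsa_level": 3,
}


def evaluate(spec: dict, policy: dict) -> list[str]:
    """Return a list of human-readable violations; an empty list means admissible."""
    violations = []
    base = spec.get("base", "")
    if not any(base.startswith(p) for p in policy["allowed_base_prefixes"]):
        violations.append(f"base image {base!r} is not from an allowed registry")
    # Shells and package managers are the components the article calls out as
    # never needed at runtime, so their presence is a policy violation here.
    for pkg in sorted(set(spec.get("packages", [])) & policy["denied_packages"]):
        violations.append(f"package {pkg!r} is denied in production images")
    prov = spec.get("provenance", {})
    if policy["require_signed"] and not prov.get("signed", False):
        violations.append("image provenance is not signed")
    level = prov.get("slsa_level", 0)
    if level < policy["min_slsa_level"]:
        violations.append(f"SLSA level {level} is below the required {policy['min_slsa_level']}")
    return violations


def main() -> int:
    # A non-zero exit status fails the CI step, which is how the check blocks a merge.
    problems = evaluate(IMAGE_SPEC, POLICY)
    for p in problems:
        print("DENY:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run against the constructed spec, the check reports the stray shell and the insufficient provenance level and exits non-zero; removing `bash` and raising the attested level to 3 lets the same spec pass.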

Where this fits in the market

Minimus is entering a category with established players and a clear thesis, which cuts both ways. The minimal-image idea is validated, meaning buyers already understand the problem, but it also means differentiation has to come from execution: catalog breadth, update cadence, and how cleanly the tooling drops into existing pipelines. Supply chain protection and policy enforcement are the natural adjacencies, and bundling them suggests Minimus is trying to be a platform rather than a single-purpose image registry.

The skeptic's question is whether image-as-code becomes a genuine workflow that teams adopt or a label on top of capabilities that competitors offer under different names. Provenance, attestation, and admission policy are not new concepts. The bet here is that packaging them around minimal images, with a command-line tool developers will actually use, produces something more coherent than assembling the same functions from separate tools.

For engineering organizations drowning in vulnerability findings tied to software they never use, the appeal is straightforward. Shrinking the image shrinks the problem at its source, and adding enforceable policy keeps it shrunk. Whether Minimus can hold that position as larger security vendors fold similar features into their suites is the part worth watching. Readers can learn more about the company's approach on the Minimus site.

The broader pattern is the one to track. Container security is migrating from after-the-fact scanning toward prevention built into the build, and treating images as governed, versioned artifacts is a sensible expression of that shift. Minimus is making a credible push in that direction, and its success will say something about how quickly the rest of the market follows.
