Wiz is trusted by teams to protect everything they build and run in the cloud. That trust starts with how we build our platform. To meet the same high bar we set for our customers, we enforce strict secure development standards, including a zero-critical CVE policy for all production code.

Without adoption of hardened container images, vulnerability scanners slow developers down whenever build pipelines break due to critical CVEs in base images. 

To solve this, Wiz development teams have now adopted WizOS: our own hardened, minimal, near-zero-CVE container base images built for secure software delivery.

WizOS isn’t just a security upgrade, it’s part of our broader mission to help teams start secure and stay secure, with security built into the software supply chain from the very first layer. And it is now available in private preview for Wiz customers. Please get in touch with your account team to learn more.

As we launch our own hardened, lightweight images, we want to recognize the trailblazers whose innovation shaped this field - Google’s Distroless initiative, Red Hat’s Universal Base Images, Chainguard’s Wolfi OS, Docker’s minimal image efforts, and Alpine Linux’s secure, lightweight foundation. Your contributions laid the groundwork for a more secure and efficient container ecosystem.

The problem: vulnerabilities that developers didn’t cause

Every container image is scanned during the build stage. A single critical CVE in a shared base image could halt deployment across dozens of services. Developers find themselves pulled away from feature work to address vulnerabilities they didn’t cause and often don’t understand. The root of the problem isn’t their application logic, it is inherited risk from bloated base images.

From a security and compliance perspective, different teams use different distros (e.g., Ubuntu, Debian, and Alpine), which makes standardizing controls nearly impossible. And for regulated environments, FIPS-compliant foundations are needed that can pass audits without months of manual validation.

Why WizOS makes sense

WizOS is a hardened Linux distribution with its own build pipeline and security model compatible with Alpine but with stricter guardrails. We transitioned from Alpine’s musl to glibc to support a wider range of applications and dependencies, without sacrificing the minimal footprint expected here.

Building WizOS required bootstrapping an entirely new, reproducible build pipeline, with controlled environments and deterministic output. Every component in WizOS is built from source, with signing and provenance, so users can “trust, but verify” what’s running in their containers.

Since many of our internal services are written in Go and already use Alpine-like images, WizOS was designed as a drop-in replacement. We didn’t just publish images; we also built the testing infrastructure to back them. New versions go through full functional validation and end-to-end testing before release, ensuring we upgrade intelligently rather than chasing “latest.” Our goal isn’t just zero CVEs, it’s a stable, secure delivery at scale.

Rolling out WizOS across development and security teams

For most teams, rolling out WizOS was straightforward. Services already based on Alpine needed only minor adjustments to base image references in Helm charts and Dockerfile. For those on Ubuntu or Debian, the migration required some deeper changes, from replacing package managers to refactoring build scripts. Fortunately, our Golang-heavy architecture and lightweight dependencies kept the process manageable.

The product security team ran reviews of the entire CI/CD chain. We validated the new image provenance, logging, and deployment workflows. After rollout, we confirmed that vulnerability detection, audit logging, and alerting all continued to function as expected.

Measurable impact across the stack

The impact was immediate.

Critical and high CVEs in base images dropped to near zero. Our vulnerability scanners became quieter, with fewer false positives and less noise.

And for the issues that remained, developers could focus on actual application-level logic rather than inherited OS flaws.

From a developer perspective, the change meant fewer blocked builds, smaller image sizes, and faster deployments. CI pipelines moved faster, and network and storage usage dropped in our container image registries.

What's next

We’re continuing to expand WizOS to support a broader range of base images, and soon, common application-layer images as well. Inside Wiz, customers can already see which vulnerabilities are introduced through base layers and get recommendations for secure replacements, including WizOS. You can also track where WizOS is deployed across your environment and enforce policies to standardize its use.

WizOS is now available in private preview for Wiz customers. If you’re ready to secure your software at the foundation, contact your account team to get started!