chainguard-images

May 25, 2024 · 1 min read
project

chainguard-images is a curated collection of secure, minimal, production-ready container images built on Chainguard’s distroless base images (Wolfi packages assembled with apko). By stripping out unnecessary tools, shells, package managers, and libraries, these images keep an extremely small footprint and approach zero-CVE status by design.

This collection packages various applications and language runtimes, ensuring secure-by-default execution in modern container orchestration stacks.

Security Benefits of Distroless

  • Minimized attack surface: with no shell binaries (/bin/sh, /bin/bash), package manager, or diagnostic tools in the image, an attacker who compromises the process has no interactive shell and none of the usual living-off-the-land tooling to execute further commands with.
  • Vulnerability reduction: every package that is not shipped is one that cannot carry a CVE, so the images trigger far fewer findings in vulnerability scanners and leave fewer updates to chase.
  • Secure ingestion: the images are signed and small, which suits high-assurance and air-gapped registries that require verified, low-overhead artifacts.
  • Reproducible builds: each image is built from a declarative apko build file that fully specifies its contents, so the result can be rebuilt and verified rather than trusted.
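To make the "declarative build file" concrete, here is an added example of a minimal apko configuration of the kind these images are built from. It is illustrative and not the project's own file; the package selection (a Python runtime), the entrypoint, and the nonroot uid/gid are assumptions chosen for the example.

```yaml
# apko.yaml (added example, not the project's own configuration)
# Builds a distroless image from signed Wolfi packages: no shell,
# no package manager, no debugging tools, and a non-root user.
contents:
  repositories:
    - https://packages.wolfi.dev/os
  keyring:
    # Public key used to verify package signatures before installation.
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  packages:
    # Only what the workload needs; busybox/apk-tools are deliberately absent.
    - wolfi-baselayout
    - ca-certificates-bundle
    - python-3.12   # assumed runtime for this example

accounts:
  groups:
    - groupname: nonroot
      gid: 65532
  users:
    - username: nonroot
      uid: 65532
      gid: 65532
  # Run the workload unprivileged by default.
  run-as: 65532

entrypoint:
  command: /usr/bin/python3

archs:
  - x86_64
  - aarch64
```

Build it with `apko build apko.yaml my-python:latest my-python.tar`, which writes an OCI tarball whose contents are exactly the packages listed above. A quick check after loading the image into a runtime is to start it with `/bin/sh` as the entrypoint: the run should fail because the file does not exist, which is the "no shell" property the list above describes. Pointing a vulnerability scanner at the tarball shows the second property: findings are limited to the handful of packages actually present.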
Authors
Florian Stosse
Cybersecurity engineer at the European Space Agency, specializing in space systems security, embedded platform hardening, and software security defenses.