chainguard-images

May 25, 2024 · 1 min read

chainguard-images is a curated collection of secure, minimal, and production-ready container images built on top of Chainguard’s distroless base images (Wolfi/Apko). By stripping out unnecessary tools, shells, package managers, and libraries, these images achieve an extremely small footprint and approach a Zero-CVE status by design.

This collection packages various applications and language runtimes, ensuring secure-by-default execution in modern container orchestration stacks.

Security Benefits of Distroless

Minimizing Attack Surface: Removing standard shell binaries (/bin/sh, /bin/bash) and diagnostic tools prevents attackers from executing arbitrary commands upon compromise.
Vulnerability reduction: Eliminating unused packages results in container images that trigger fewer CVE alerts in security scanners.
Secure Ingestion: Optimized for high-assurance and air-gapped container registries that require signed, low-overhead artifacts.
Reproducible Builds: Compiled using secure and verifiable declarative build files.

Last updated on May 25, 2024

Docker Container Security Chainguard Distroless DevSecOps Systems Administration

Authors

Florian Stosse

Cybersecurity engineer

About Me

Hi, I’m Florian Stosse, just another information security engineer !

Current work

I currently work at the European Space Agency, as a cybersecurity engineer for the Galileo programme, specifically for the Galileo Mission Segment (GMS).

Experience summary

I previously worked at Safran Data Systems, in the Space & Communications business unit. I focused on hardening and securing our embedded Windows 7 and 10/11 platforms (Cortex family of TT&C and high data rate receivers), among other cool things :)

Before that, in October 2018, I started a PhD thesis at CEA-List and ANSSI to work on formal methods applied to software security. More specifically, I was working on software defenses and hardening against hardware vulnerabilities, such as Spectre and Meltdown, using sound static analysis tools (Frama-C in particular).

My thesis was under the supervision of Julien Signoles (CEA), and my advisors were Patricia Mouy (ANSSI) and Florent Kirchner (CEA).

Unfortunately, we had to put a stop to the thesis, but hey, that’s life !

Education summary

I graduated with a M.Sc in Computer Science (major in cybersecurity, minor in embedded systems) from ESIEA Paris (a top French engineering school, part of the “Grandes écoles”) in August 2018. During my graduate studies, I was an apprentice at Bureau Veritas’ R&D center in La Défense, Paris.

I worked in the RAMS department, and my main areas of work were:

software security (e.g. static analysis, SDLC),
connected/autonomous vehicles security (e.g. ISO 21434 for automotive security engineering),
and industrial systems security (e.g. ISO 62443 certification).

Do not hesitate to get in touch if you want to chat about these topics (or anything else, really) !

← docker-admxlint May 26, 2024

freematics-traccar-encrypted May 24, 2024 →