Chainguard Containers on

Overview of Chainguard's Package Repositories

Thu, 09 Oct 2025 00:00:00 +0000

Chainguard Containers are built using packages from the Wolfi and Chainguard OS Linux distributions. If you need to extend or customize an image, it can be useful to access these packages directly.

Chainguard offers curated package repositories to support containerized workloads and simplify dependency management. These repositories ensure you can access trusted packages — whether building custom container images, working with Chainguard OS, or using Chainguard Containers in production.

This article provides an overview of Chainguard’s package model, highlighting the different Chainguard package repositories available to customers.

Build Java Containers with Jib

Tue, 23 Sep 2025 00:49:31 +0000

Google’s Jib is a container image build tool designed specifically for Java applications. Unlike other approaches, Jib does not depend on Docker or require users to write Dockerfiles. Instead, Jib integrates directly with the Maven and Gradle build systems to create container images for Java applications. When paired with Chainguard Java Containers, these tools provide:

improved security through minimal base images,
faster builds through layer optimization,
and simplified CI/CD integration without Docker daemon requirements

This tutorial will walk you through building a demo application with Maven, Jib, and Chainguard Containers.

Build Go Containers with Ko

Thu, 11 Sep 2025 08:49:31 +0000

Ko is a tool for building Go applications into container images without using Dockerfiles. When combined with Chainguard’s minimal containers, Ko creates smaller and more secure container runtimes with only your application and its essential dependencies.

This tutorial will guide you through installing Ko and using it to containerize Go applications with Chainguard Containers. By the end of this tutorial, you’ll understand how to build, configure, and deploy secure, custom containers with your Go-based application using Ko’s streamlined workflow.

Overview of Chainguard Custom Assembly

Wed, 19 Feb 2025 11:07:52 +0200

Chainguard Custom Assembly enables organizations to build container images tailored to their internal requirements and application dependencies, without sacrificing security. By extending Chainguard’s hardened base images with additional packages, environment variables, user accounts, and certificates, teams can reduce CVE exposure while maintaining the flexibility their workflows demand.

This overview of Custom Assembly outlines how it works, its limitations, and how you can use container images customized with Custom Assembly. For a more hands-on tutorial on using Custom Assembly, Chainguard Academy currently has documentation for the following methods of managing the tool:

Custom Assembly FAQs

Wed, 19 Feb 2025 11:07:52 +0200

What is Chainguard’s Custom Assembly?

Custom Assembly is a tool from Chainguard that allows users to build customized container images by assembling packages from a curated, secure set of base images provided by Chainguard.

Getting Started with the C/C++ Chainguard Containers

Tue, 30 Jul 2024 15:54:33 +0000

Chainguard provides security-hardened container images for C and C++ development, offering minimal runtime environments with significantly reduced vulnerabilities compared to traditional base images. Built on Chainguard’s own OS, these containers enable more secure deployment of compiled programs through purpose-built images for different linking scenarios. This guide demonstrates three approaches to compiling and running C/C++ applications using Chainguard’s specialized containers.

The container image with which you choose to run your compiled program depends on the nature of your binaries. Static binaries can be executed in the minimal static Chainguard Container, while dynamically linked binaries can be run in the glibc-dynamic Container. For this demonstration, you will first compile a C binary using the gcc-glibc Chainguard Container, and then learn how to use a multi-stage build to run the resulting binary in the glibc-dynamic image. You’ll also cover an example showing the multi-stage build process for the C++ programming language. To learn more about the differences between these container images, read our article on Choosing an Container for your Compiled Programs.

Chainguard End-of-Life Grace Period for Containers

Wed, 14 May 2025 08:49:31 +0000

Typically, specific versions of software receive updates on a schedule for a set amount of time. Eventually, though, every version of software will stop receiving support. When project maintainers stop providing updates, it’s known as the End-of-Life (EOL) stage.

It’s recommended that when a software version reaches the EOL phase, users should migrate their projects to a later version, as EOL software is known to accumulate vulnerabilities. However, there are cases where an organization may want to continue using a container image after it has reached end-of-life. This could be because an image reaches EOL before the organization’s release schedule, or perhaps later image versions have one or more issues that prevent the organization from upgrading.

Chainguard Criteria for Determining Whether to Build a Container Image

Mon, 13 Jan 2025 11:07:52 +0200

There are currently over 2,000 Chainguard Containers and that number is always growing as we add more to our expanding catalog.

If you would like a Chainguard Container that is not yet available, or inquire about whether we would build a given container image, Chainguard will endeavor to perform an analysis on the request. Chainguard aims to build new container images that are relevant to our customers and to support broader software security goals. However, it is not always feasible to package and build software. Please note that we have the following general criteria when considering requests.

Kubernetes Policy Enforcement with OPA Gatekeeper

Tue, 02 Sep 2025 10:00:00 +0000

Gatekeeper is an admission controller that enforces policies in Kubernetes clusters. This article describes how it can be leveraged to ensure resources follow best practices related to the use of Chainguard Containers.

Prerequisites

To follow the examples in this guide, you will need the following:

Overview of The Chainguard Factory

Tue, 15 Jul 2025 08:49:31 +0000

Chainguard Factory is the automated build infrastructure that continuously monitors, builds, and updates thousands of open source projects to deliver containers, libraries, and VMs with a strong security posture and the latest patches. This massive automation system tackles one of the industry’s biggest challenges: keeping software dependencies current at scale while maintaining security and compatibility across the entire open source ecosystem.

Using the Chainguard Console to Manage Custom Assembly Resources

Wed, 09 Jul 2025 11:07:52 +0200

Chainguard’s Custom Assembly feature allows you to build customized container images that include only the packages your application needs. This tutorial will walk you through using the Chainguard console’s web interface to manage Custom Assembly resources, including selecting packages, building customized containers, and monitoring build status.

By the end of this guide, you’ll be able to create, customize, and manage your own container images through the Chainguard console, giving you full control over your container dependencies while maintaining Chainguard’s security and compliance standards.

Chainguard Shared Responsibility Model

Thu, 17 Oct 2024 11:07:52 +0200

Chainguard’s mission is to be the safe source for open source. As part of this mission, Chainguard builds all of our packages and images from upstream open source code and delivers the resulting artifacts to our customers. There are three distinct parties involved here: Upstream projects, Chainguard, and Customers; each of these parties share some measure of responsibility across a few dimensions.

This guide is an overview of Chainguard’s Shared Responsibility Model: a framework that outlines the security responsibilities of upstream open source software projects, Chainguard, and its customers. The dimensions of shared responsibility this guide covers are:

Overview of migrating to Chainguard Containers

Mon, 22 Jul 2024 12:56:52 +0000

Chainguard Containers are a collection of container images designed for security and minimalism. Many Chainguard Containers are distroless; they contain only an open-source application and its runtime dependencies. These container images do not even contain a shell or package manager, because fewer dependencies reduce the potential attack surface of images.

By minimizing the number of dependencies and thus reducing their potential attack surface, Chainguard Containers inherently contain few to zero CVEs. Chainguard Containers are rebuilt nightly to ensure they are completely up-to-date and contain all available security patches. With this nightly build approach, our engineering team sometimes fixes vulnerabilities before they’re detected.

How to Set Up Pull Through from Chainguard's Registry to Google Artifact Registry

Mon, 08 Jul 2024 15:56:52 -0700

Organizations can use Chainguard Containers along with third-party software repositories in order to integrate with current workflows as the single source of truth for software artifacts. In this situation, you can set up a proxy repository to function as a mirror of Chainguard’s registry. This mirror can then serve as a pull through cache for your Chainguard Containers.

This tutorial outlines how to set up a remote repository with Google Artifact Registry. It will walk you through how to set up an Artifact Registry Repository you can use as a pull through cache for Chainguard’s Free containers or Production containers originating from a private Chainguard repository.

Migrating to PHP Chainguard Containers

Thu, 04 Apr 2024 15:56:52 -0700

Chainguard’s PHP containers provide enhanced security for PHP applications through minimal, purpose-built images that significantly reduce attack surface. Built on Wolfi, these containers achieve dramatically fewer vulnerabilities compared to traditional PHP images while maintaining full compatibility with PHP workloads. Daily automated builds ensure applications receive the latest security patches without manual intervention.

This article will assist you in the process of migrating your existing PHP Dockerfiles to leverage the benefits of Chainguard Containers, including a smaller attack surface and a more secure application footprint.

Alpine Compatibility

Fri, 23 Feb 2024 15:56:52 -0700

Chainguard Containers and Alpine base images have different binaries and scripts included in their respective busybox and coreutils packages.

The following table lists common tools and their corresponding package(s) in both Wolfi and Alpine distributions.

Note that $PATH locations like /usr/bin or /sbin are not included here. If you have compatibility issues with tools that are included in both busybox and coreutils, be sure to check $PATH order and confirm which version of a tool is being run.

How to Set Up Pull-through from Chainguard's Container Registry to Artifactory

Tue, 13 Feb 2024 15:56:52 -0700

Organizations can route container image pulls through Artifactory to centralize artifact management, enforce policy, and integrate Chainguard Containers into existing CI/CD workflows. You can configure Artifactory as a pull-through cache by setting up a remote repository pointed at Chainguard’s container registry.

This tutorial outlines how to set up remote repositories with JFrog Artifactory. Specifically, it goes over how to set up one repository you can use as a pull-through cache for Chainguard’s public Free Containers and another you can use for Production Containers originating from a private Chainguard repository. It also outlines how you can use one of Artifactory’s virtual repositories as a pull-through cache to access resources from multiple remote repositories in a single location.

Getting Started with the Cilium Chainguard Containers

Thu, 14 Dec 2023 00:00:00 +0000

Chainguard’s Cilium container images provide a security-hardened foundation for Kubernetes networking with significantly reduced vulnerabilities compared to standard Cilium deployments. Cilium leverages eBPF technology to transparently secure network connectivity between services, enabling powerful security policies without application changes. Built on Wolfi OS, Chainguard’s minimal Cilium images enhance your cluster’s security posture while maintaining full compatibility with Cilium’s advanced networking features.

We will demonstrate how to get started with the Chainguard Cilium container images on an example K3s cluster. To get started, you’ll need Docker, k3d (a CLI tool to install k3s), kubectl, and the cilium CLI installed.

Strategies for Minimizing your CVE Risk

Thu, 16 Nov 2023 11:07:52 +0200

Common vulnerabilities and exposures (CVEs) are an increasing concern for developers and organizations, which is why Chainguard developed its minimal container images that reduce the attack surface. A new CVE in a widely-used application or a vulnerability scan with numerous positive results can significantly impact security posture, compliance requirements, and development timelines.

Chances are, your software has already been impacted by a CVE. It’s likely there are active CVEs in software you are using. After all, there are software vulnerabilities currently in existence that haven’t even been discovered (known as zero-day vulnerabilities). With that said, this conceptual article aims to highlight a few practices and strategies you and your team can use to reduce the risk of CVEs on your software. It also includes a section on tools recommended by Chainguard that can help to reduce your attack surface area and minimize your risk of CVEs.

Considerations for Keeping Containers Up to Date

Thu, 05 Oct 2023 11:07:52 +0200

Chainguard rebuilds container images daily to ensure the latest security patches are always included, addressing a critical challenge in container security. While keeping images up-to-date is essential for receiving security updates and new features, updates must be balanced with stability concerns since any code change can potentially introduce breaking changes or impact dependent systems.

Due to the complexity involved in modern containerized applications, there is no one-size-fits-all approach to keeping your container images up to date. With these conflicting approaches in mind, this article will explore how best to keep container images up-to-date.

Debugging distroless container images

Thu, 18 May 2023 08:49:31 +0000

Because distroless images are minimal and don’t include a package manager or a shell, debugging issues that occur at runtime may require a distinctive approach.

In this article, we’ll discuss a few different strategies to debug distroless images.

1. Using development container image variants

Before moving a workload to a distroless runtime image, it is important to make sure that it runs without issues in a similar but less restrictive environment, which allows for easier debugging. It is also possible to make a temporary base image change from a distroless image to a fully featured image that offers more debugging capabilities.

Overview of Assumable Identities in Chainguard

Thu, 04 May 2023 08:48:45 +0000

Both chainctl and the Chainguard Console are useful tools for interacting with Chainguard. However, there may be times that you want to hand off certain administrative tasks to an automation system, like Buildkite or GitHub Actions.

In such cases, you can create a Chainguard identity for these systems to assume, allowing them to perform certain tasks within a specific scope. You can restrict access to an identity so that only workflows that present tokens matching a specific issuer and subject can assume it. Likewise, assumable identities can be tied to certain roles — like viewer, owner, or editor — letting you place strict limits on what a given identity is allowed to do.

Create an Assumable Identity for a GitHub Actions Workflow

Thu, 04 May 2023 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human. For instance, an assumable identity can be used to allow a GitHub Actions workflow to pull images from cgr.dev without a static pull token.

This tutorial outlines how to create an identity, and then create a GitHub Actions workflow that will assume the identity to interact with Chainguard resources.

Using Custom Identity Providers to Authenticate to Chainguard

Mon, 17 Apr 2023 08:48:45 +0000

The Chainguard platform supports Single Sign-on (SSO) authentication for users. By default, users can log in with GitHub, GitLab, and Google, but SSO support allows users to bring their own identity provider for authentication. This is helpful when your organization mandates using a corporate identity provider — like Okta or Azure Active Directory — to authenticate to SaaS products.

Usage

Once an administrator has configured an identity provider and set up their organization, users can authenticate at the command line and in the web console using the identity provider’s organization.

Registry Overview

Tue, 21 Mar 2023 16:36:47 +0000

Chainguard Registry hosts more secure container images with two access tiers: public Free images available to everyone, and production images that require authentication for enterprise features like SLAs and version pinning. The registry integrates with standard container tools while providing enhanced security through signed images and comprehensive metadata.

While all public Chainguard Containers are freely available, logging in with a Chainguard account and authenticating when pulling from the registry provides a mechanism for Chainguard to contact you if there are any current or known upcoming issues with images you are pulling.

Overview of Chainguard Containers

Thu, 01 Sep 2022 08:49:31 +0000

Chainguard Containers are container images designed for enhanced security through minimalism and supply chain integrity. These images follow a distroless philosophy, containing only the application and its essential runtime dependencies, without shells, package managers, or other common utilities that can increase attack surface.

Many Chainguard Containers implement a distroless approach, which means they exclude shells, package managers, and other utilities typically found in container images. This design significantly reduces potential security vulnerabilities. For development and debugging purposes, Chainguard provides -dev variants that include necessary tools while maintaining security best practices. All images are built using Chainguard OS, an operating system specifically designed to meet secure software supply chain requirements.

Verify Signed Chainguard Containers

Wed, 22 Feb 2023 13:11:29 +0829

This guide demonstrates how to use the Sigstore Policy Controller to verify image signatures before admitting an image into a Kubernetes cluster. In this guide, you will create a ClusterImagePolicy that checks for a keyless Cosign image signature, and then test the admission controller by running a signed nginx image.

Prerequisites

To follow along with this guide, you will need the following:

How to Set Up Pull Through from Chainguard's Registry to Amazon ECR

Tue, 31 Mar 2026 00:00:00 +0000

In March 2026, AWS announced support for using Amazon Elastic Container Registry (ECR) as a pull-through cache for Chainguard’s registry. This means you can configure ECR to automatically cache Chainguard container images, reducing your dependency on Chainguard’s registry for production workloads.

For setup and configuration instructions, refer to the official AWS documentation:

Learn More

You can review our Registry Overview to learn more about Chainguard’s registry, or check out our Containers documentation to learn more about Chainguard Containers.

Tips for migrating to Chainguard Containers

Thu, 29 May 2025 12:56:52 +0000

The process of migrating over to Chainguard Containers isn’t always straightforward. To help customers become acquainted with Chainguard Containers as they go through the migration process, we’ve assembled this list of tips and strategies for migrating over their applications.

Use development variants when you need a shell

Chainguard provides development (or -dev) variants of its containers which include a shell and package manager to allow users to more easily debug and modify the image.

FedRAMP Technical Considerations & Risk Factors

Wed, 29 Jan 2025 15:56:52 -0700

Many frequently asked questions revolve around how organizations are meant to stay on top of the changing landscape for FedRAMP, PMOS, Revisions, and Certificates. This article outlines various considerations and risk factors that organizations should keep in mind when working to become and stay FedRAMP authorized.

Important Considerations for PMO Revision Trends

There are a number of things one should keep in mind when analyzing revision trends from the FedRAMP Program Management Office (PMO) — which oversees the development of the FedRAMP program — and the changes in FIPS 140-3. The following are of particular importance:

Kubernetes Policy Enforcement with Kyverno

Fri, 26 Sep 2025 10:00:00 +0000

Kyverno is an admission controller that enforces policies in Kubernetes clusters. This article describes how it can be leveraged to ensure resources follow best practices related to the use of Chainguard Containers.

Prerequisites

To follow the examples in this guide, you will need the following:

Chainguard Factory FAQs

Thu, 17 Jul 2025 08:49:31 +0000

What is the Chainguard Factory?

The Chainguard Factory refers to all the engineering and automation work that goes into building, publishing, and maintaining the software packaged in Chainguard’s products. This includes continuously monitoring, testing, and updating thousands of open source projects that make up Chainguard containers, libraries, and VMs.

Using chainctl to Manage Custom Assembly Resources

Thu, 01 May 2025 11:07:52 +0200

Chainguard’s Custom Assembly is a tool that allows customers to create customized containers with extra packages and annotations added. This enables customers to reduce their risk exposure by creating container images that are tailored to their internal organization and application requirements while still having few-to-zero CVEs.

You can use chainctl, Chainguard’s command-line interface tool, to further customize your Custom Assembly builds and retrieve information about them. This guide provides an overview of the relevant chainctl commands and outlines how you can edit the configuration of Custom Assembly containers, as well as retrieve a list of a customized image’s builds and its build logs.

How End-of-Life Software Accumulates Vulnerabilities

Wed, 04 Dec 2024 11:07:52 +0200

Because it’s no longer being actively maintained, software begins to collect vulnerabilities when it reaches EOL. This problem can become compounded when using container images, as they often come with extra components from underlying base images which are all prone to accruing vulnerabilities. This can lead to images with hundreds of components, each collecting vulnerabilities and forming part of the attack surface.

How to Pull Packages from Chainguard Package Repositories through Artifactory

Thu, 14 Nov 2024 15:56:52 -0700

This tutorial details how to set up remote Alpine package (apk) repositories with JFrog Artifactory, which can provide pull-through caches for Chainguard package repositories. Specifically, this guide walks you through how to set up remote Artifactory repositories to serve as pull-through caches for a Chainguard Private APK Repository as well as Chainguard’s public package repositories. The guide also outlines how to configure a container image build to pull APK packages from these remote repositories using tokens generated by Artifactory.

STIGs for Chainguard Containers

Thu, 13 Jun 2024 15:56:52 -0700

Security Technical Implementation Guides (STIGs) trace their origin to the United States Department of Defense (DoD). They work in two layers. The Defense Information Systems Agency (DISA) publishes Security Requirements Guides (SRGs) — category-level security baselines covering technology types such as databases, web servers, or general purpose operating systems, written without vendor participation. Vendors then collaborate with DISA to produce a product-specific STIG — a formally reviewed configuration guide for a particular product, derived from the relevant SRG. If an organization runs software like MySQL 8.0 in a DoD environment, it must be configured to meet that product’s STIG. Beyond the DoD, compliance frameworks such as FedRAMP and CMMC have come to recognize STIGs as accepted security baselines.

Migrating to Node.js Chainguard Containers

Thu, 09 May 2024 15:56:52 -0700

Chainguard’s Node.js containers offer a streamlined migration path for applications seeking enhanced security posture through minimal, distroless design. Built on Wolfi, these containers significantly reduce attack surface compared to traditional Node.js images, resulting in fewer vulnerabilities and smaller image sizes. Daily automated builds ensure your applications always have the latest security patches without manual intervention.

What is Distroless?

Distroless container images are minimal container images containing only essential software required to build or execute an application. That means no package manager, no shell, and no bloat from software that only makes sense on bare metal servers.

What is Wolfi OS?

Wolfi is a community Linux undistro created specifically for containers. This brings distroless to a new level, including additional features targeted at securing the software supply chain of your application environment: comprehensive SBOMs, signatures, daily updates, and timely CVE fixes.

What are multi-stage builds?

Multi-stage builds are a Docker feature that allow you to use multiple FROM statements in a single Dockerfile, where each statement begins a new build stage. In a typical pattern, an early stage uses a full-featured builder image to compile code or generate artifacts, while a later stage uses a minimal runtime image and copies in only what's needed to run the application. Only what you explicitly copy from one stage carries forward — everything else is discarded when that stage completes.

How to Port a Sample Application to Chainguard Containers

Wed, 10 Apr 2024 12:56:52 +0000

Porting Key Points

Chainguard’s distroless Containers have no shell or package manager by default. This is great for security, but sometimes you need these things, especially in builder images. For those cases we have -dev variants (such as cgr.dev/chainguard/python:latest-dev) which do include a shell and package manager.
Chainguard Containers typically don’t run as root, so a USER root statement may be required before installing software. This should be a temporary escalation only; after completing any root-level operations, you should create and switch to a dedicated non-root user (for example, using addgroup and adduser) or use the image’s built-in non-root user. Leaving the container running as root defeats the security purpose of using minimal images.
The -dev variants and wolfi-base / chainguard-base use BusyBox by default, so any groupadd or useradd commands will need to be ported to addgroup and adduser.
The Free tier of Containers provides :latest and :latest-dev versions. Our paid Production Containers offer tags for major and minor versions.
We use apk tooling, so apt install commands will become apk add.
Chainguard Containers are based on glibc and our packages cannot be mixed with Alpine packages.
In some cases, the entrypoint in Chainguard Containers can be different from equivalent container images based on other distros, which can lead to unexpected behavior. You should always check the image’s specific documentation to understand how the entrypoint works.
When needed, Chainguard recommends using a Base Container like chainguard-base or a -dev variant to install an application’s OS-level dependencies.
Although -dev variants are still more secure than most popular container images based on other distros, for increased security on production environments we recommend combining them with a distroless variant in a multi-stage build.

The Sample Application

The application in question is identidock. This application was written for the book Using Docker about ten years ago, which shows that we can still migrate software of this age to a new container while realizing the benefits of a no-to-low CVE count. The application itself will create identicons for a user name, similar to what GitHub generates for users with no avatar. It was designed at the time to demonstrate a “microservices” approach, and as such it’s made up of 3 services:

Getting Started with Distroless Container Images

Thu, 21 Mar 2024 08:49:31 +0000

About Distroless Container Images

Distroless container images, like the ones built by Chainguard, are a type of container image designed to include only essential software required to run an application or service. Unlike traditional images based on Debian or Ubuntu — which include package managers, utilities, and shells — Chainguard’s distroless images remove these components to significantly reduce attack surface and minimize vulnerabilities.

Debian compatibility

Thu, 08 Feb 2024 15:56:52 -0700

Chainguard Containers and Debian base images have different binaries and scripts included in their respective busybox and coreutils packages.

The following table lists common tools and their corresponding package(s) in both Wolfi and Debian distributions.

Debugging Distroless Containers with Docker Debug

Fri, 26 Jan 2024 01:21:01 +0000

Tools used in this video

Docker Desktop (Note a paid subscription is required.)

Transcript

Hey folks, I wanted to record a short video explaining how you can debug container images, even distroless ones.

How to Use Chainguard Security Advisories

Wed, 27 Dec 2023 11:07:52 +0200

When using scanners such as Grype or Docker Scout to scan for vulnerabilities in Chainguard Containers, you’ll often find that there are few or no CVEs present. However, CVEs can sometimes be found in Chainguard Containers, and you may also encounter CVEs if you’re using older tags. In these cases, you will likely wish to check Chainguard’s security advisories for information on which CVEs will cause security issues in your deployment.

To help demystify the nature of CVEs within Chainguard Containers, we’ve created a self-service Security Advisories page that lists every security advisory published for Chainguard Containers. Having this information available allows you to view whether Chainguard is aware of a specific vulnerability reported to exist within a Chainguard Container and whether we’ve mitigated or are planning to mitigate the CVE.

Chainguard Containers Network Requirements

Fri, 08 Sep 2023 08:49:31 +0000

This document provides an overview of network requirements for using Chainguard Containers. To use Chainguard tools and Containers in environments with firewalls, VPNs, and IDS/IPS systems, you will need to add some rules to allow traffic into and out of your networks.

Chainguard Containers do not call Chainguard services while running, so no network changes would be required to the runtime environment. Review the Notes column for more info on each Hostname.

Create an Assumable Identity for a GitLab CI/CD Pipeline

Wed, 28 Jun 2023 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines two methods for how to create a Chainguard identity: chainctl and Terraform. It then walks through how to create a GitLab CI/CD pipeline that will assume the identity to interact with Chainguard resources.

Prerequisites

To complete this guide, you will need the following.

How To Integrate Okta SSO with Chainguard

Mon, 17 Apr 2023 08:48:45 +0000

The Chainguard platform supports Single sign-on (SSO) authentication for users. By default, users can log in with GitHub, GitLab and Google, but SSO support allows users to bring their own identity provider for authentication.

This guide outlines how to create an Okta application and integrate it with Chainguard. After completing this guide, you’ll be able to log in to Chainguard using Okta and will no longer be limited to the default SSO options.

Getting Started with the Go Chainguard Container

Tue, 28 Feb 2023 11:07:52 +0200

Chainguard’s Go container image provides a secure foundation for building Go applications with significantly fewer vulnerabilities than traditional Go images. The distroless latest variant contains only the Go compiler and runtime, while the latest-dev variant includes additional build tools and package management capabilities for development workflows.

In this guide, we’ll demonstrate how to build and execute Go applications using Chainguard Containers, using three examples from our demos repository. In the first example, we’ll build a CLI application using a Docker multi-stage build. In the second example, we’ll build an application that’s accessible by HTTP server, also using a Docker multi-stage build to obtain an optimized runtime. The third example shows how to build an image using ko, a tool that enables you to build container images from Go programs and push them to container registries without requiring a Dockerfile.

How to Use Chainguard Containers

Thu, 01 Sep 2022 08:49:31 +0000

Chainguard Containers are minimal container images designed to reduce vulnerabilities and attack surface compared to traditional base images. These images use the apk package format to achieve smaller sizes while maintaining complete provenance information with cryptographic signatures, ensuring both enhanced security and traceability.

In this guide, you’ll find general instructions on how to get started using Chainguard Containers and how to migrate existing container-based workflows to use our images. For specific image usage instructions, please refer to our Chainguard Containers Directory, which contains the full list of all images available to the public and their respective documentation.

Create an Assumable Identity to Authenticate from Azure

Fri, 15 May 2026 00:00:00 +0000

Note: If you’re authenticating from a workload running in Azure Kubernetes Service (AKS), refer to the Kubernetes identity guide instead.

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines how to create an identity that can be assumed by an Azure workload — such as a VM, Container App, or Function — using an Azure managed identity and then used to interact with the Chainguard API.

Using GitOps to Manage Custom Assembly Resources

Thu, 29 Jan 2026 11:07:52 +0200

Chainguard’s Custom Assembly is a tool that allows customers to create customized container images with extra packages and annotations added. This enables customers to reduce their risk exposure by creating container images that are tailored to their internal organization and application requirements while still having few-to-zero CVEs. It can be managed in the Chainguard Console, with chainctl, with the API, or via CI/CD.

This guide shows how to use Chainguard Custom Assembly as code via CI/CD, storing your configuration in Git and using automation to apply changes and trigger builds. The examples in this guide focus on GitHub Actions, as seen in Chainguard’s custom-assembly-as-code demo repository.

Create an Assumable Identity to Authenticate from AWS

Mon, 05 Jan 2026 09:00:00 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to access Chainguard resources or perform certain actions.

This tutorial outlines how to create a Chainguard identity that can be assumed by an AWS IAM user or IAM role using AWS IAM outbound identity federation.

Prerequisites

To complete this guide, outbound identity federation must be enabled for your AWS account. Follow the official AWS documentation to set this up.

Create an Assumable Identity to Authenticate from AWS (Legacy)

Fri, 28 Nov 2025 16:00:00 +0000

Note: This page describes a custom implementation of assumable identities for AWS that was developed before AWS natively supported issuing OIDC tokens with IAM outbound identity federation. If possible, you should follow the instructions on this page instead.

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to access Chainguard resources or perform certain actions.

This tutorial outlines how to create a Chainguard identity that can be assumed by an AWS user or IAM role and used to authorize requests from AWS services and workloads hosted on platforms like EC2, ECS, Lambda, and EKS.

Create an Assumable Identity for a Kubernetes Pod

Thu, 07 Aug 2025 13:00:00 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines how to create an identity that can be assumed by a Kubernetes pod and then used to interact with the Chainguard API.

Prerequisites

To complete this guide, you will need the following.

Requesting New Chainguard Resources

Thu, 26 Feb 2026 11:07:52 +0200

The Chainguard Console includes the Requests section where customers can submit and track requests for resources that Chainguard doesn’t currently offer. This improves transparency around which technologies Chainguard is working to build and helps minimize duplicate build requests.

This guide provides an overview of how to submit a request for a new resource to Chainguard, as well as the limitations on what resources can be built.

Note: The Requests section is in beta.

How to Sync Images from Chainguard's Registry to Harbor

Tue, 19 Aug 2025 12:00:00 +0000

Harbor is an open-source artifact registry. It’s designed to securely store, manage, and distribute OCI artifacts, including container images and Helm charts by enforcing policies like vulnerability scanning, image signing, and role-based access control. Harbor delivers enterprise-grade compliance, performance, and interoperability across platforms like Kubernetes and Docker, all accessible via a web UI or RESTful API.

This tutorial outlines how to sync images from Chainguard’s registry to a Harbor instance. It describes two approaches:

Using the Chainguard API to Manage Custom Assembly Resources

Thu, 01 May 2025 11:07:52 +0200

Chainguard’s Custom Assembly is a tool that allows customers to create customized containers with extra packages added. This enables customers to reduce their risk exposure by creating container images that are tailored to their internal organization and application requirements while still having few-to-zero CVEs.

You can use the Chainguard API to further customize your Custom Assembly builds and retrieve information about them. This tutorial highlights a demo application (which can be found in Chainguard Academy’s Demo Applications repository) which, when run, updates a Custom Assembly container’s configuration based on a provided YAML file.

Strategies and Tooling for Updating Containers

Mon, 02 Dec 2024 11:07:52 +0200

When it comes to keeping a system secure, one of the most important measures you can take is to regularly apply updates. In modern, containerized infrastructures, this normally means updating containers to use only the latest container images that are still maintained. A casual observer might expect such a standard and important task to have agreed-on best practices and standardized tooling, but they might be surprised by the wide variety of different solutions and opinions on this problem.

Debugging Distroless Container Images with Kubectl Debug and CDebug

Tue, 21 May 2024 15:21:01 +0000

Tools used in this video

Transcript

So a while back I did a video on using Docker Debug to debug distroless containers.

How to Set Up Pull Through from Chainguard's Registry to Nexus

Thu, 28 Mar 2024 15:56:52 -0700

This tutorial outlines how to set up a repository with Sonatype Nexus. Specifically, it will walk you through how to set up one repository you can use as a pull through cache for Chainguard’s Free containers or for Production containers originating from a private Chainguard repository.

Migrating Dockerfiles to Chainguard Containers

Mon, 25 Mar 2024 15:56:52 -0700

Chainguard Containers provide enhanced security through minimal design and built-in provenance attestation, requiring some adjustments when migrating from traditional base images. Built on the Wolfi Linux distribution, these images offer compatibility with most applications while significantly reducing attack surface and vulnerabilities.

A general migration process would involve the following steps:

Identify the base image you need. Check out the Chainguard Containers Directory to identify the image that is the closest match to what you currently use. You may also use wolfi-base as a flexible starting point for your experimentation.
Try the -dev variant of the image first. Chainguard Containers typically have a distroless variant, which is very minimal and doesn’t include apk, and a dev variant that contains tooling necessary to build applications and install new packages. Start with the dev variant or the wolfi-base image to have more room for customization.
Identify packages you need to install. Depending on your current base image, you may need to include additional packages to meet dependencies. Refer to the Searching for Packages section for more details on how to find packages. Make sure the packages you intend to install will work with the base image you select — for example, if you select an older base image built with an older release of glibc and want to install newer packages built with a newer release, you will encounter problems. It’s a good rule of thumb to use the newest base image you can with the newest packages that match the build.
Migrate to a distroless image. Evaluate the option of using a Docker multi-stage build to create a final distroless image containing only what you need. Check the Getting Started with Distroless images for more details of how to work with distroless images. Although not required, this process should give you a smaller image with additional safeguards.

There are some differences in Wolfi’s busybox and coreutils packages when compared to their counterparts in distros such as Debian or even Alpine. Some binaries and scripts are not included by default, which contributes to a smaller package size. This was done in order to keep images to a minimum, but be aware that some commands might still be available through separate packages.

How Chainguard Containers are Tested

Thu, 21 Mar 2024 11:07:52 +0200

Chainguard Containers are minimal, distroless container images that you can use to build and run secure applications. Given the importance of secure, highly performant images, Chainguard performs testing to ensure our container images match the functionality of upstream and other external counterparts.

This article provides a high-level overview of Chainguard’s approach to testing when building new container images to ensure their security and consistency with comparable container images.

Build requirements for new container images

Chainguard has a set of requirements in place that new container images must meet in order to be included in our Containers Directory. These requirements fall into two categories:

Ubuntu Compatibility

Fri, 23 Feb 2024 15:56:52 -0700

Chainguard Containers and Ubuntu base images have different binaries and scripts included in their respective busybox and coreutils packages.

The following table lists common tools and their corresponding package(s) in both Wolfi and Ubuntu distributions.

Getting Started with the Chainguard Istio Containers

Thu, 14 Dec 2023 00:00:00 +0000

Chainguard’s Istio container images provide a security-hardened foundation for service mesh deployments with significantly reduced vulnerabilities compared to standard Istio images. Istio extends Kubernetes to establish a programmable, application-aware network using the Envoy service proxy, bringing traffic management, telemetry, and security to complex deployments. Built on Wolfi OS, Chainguard’s minimal Istio images maintain full compatibility while enhancing security posture.

We will demonstrate how to get started with the Chainguard Istio container images on an example kind cluster. To get started, you’ll need Docker, kind, kubectl, and istioctl installed. If you are missing any, you can follow the relevant link to get started.

Create an Assumable Identity for a Buildkite Pipeline

Wed, 17 May 2023 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This tutorial outlines how to create an identity using Terraform, and then how to update a Buildkite pipeline so that it can assume the identity and interact with Chainguard resources.

Prerequisites

To complete this guide, you must have the following in place:

How To Integrate Ping Identity SSO with Chainguard

Mon, 17 Apr 2023 08:48:45 +0000

This guide outlines how to create a Ping Identity Application and integrate it with Chainguard. After completing this guide, you’ll be able to log in to Chainguard using Ping and will no longer be limited to the default SSO options.

Adding Custom Certificates with Custom Assembly

Thu, 12 Mar 2026 11:07:52 +0200

Many enterprise environments use internal certificate authorities (CAs) to issue certificates for internal services. These custom certificates need to be trusted by containers that communicate with the internal services. Custom Assembly allows you to build custom certificates directly into your container images, ensuring they trust your organization’s internal services without requiring manual certificate mounting at runtime.

Note: If you are looking for a way to embed certificates at build time, refer to our guide on How To Use incert to Create Container Images with Built-in Custom Certificates.

What does the Chainguard Factory build?

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: So Dustin, what does the Factory actually build every day?

How To Integrate Keycloak with Chainguard

Fri, 04 Apr 2025 00:00:00 +0000

By default, the Chainguard platform supports Single sign-on (SSO) authentication for users with GitHub, GitLab, and Google.

This guide outlines how to create a Keycloak Client on your existing Keycloak instance and integrate it with Chainguard. After completing this guide, you’ll be able to log in to Chainguard using Keycloak and will no longer be limited to the default SSO options.

Prerequisites

To complete this guide, you will need the following:

Chainguard's container variants

Fri, 01 Nov 2024 07:52:00 +0200

Chainguard Containers follow a distroless philosophy, meaning that only software absolutely necessary for a specific workload is included in an image. Designed to be as minimal as possible, Chainguard’s standard container images do not contain package managers such as apk, shells such as b/a/sh, or development utilities such as Git or text editors. However, this distroless approach isn’t suitable for every use case. For this reason, most Chainguard Containers have what’s called a development variant.

How Chainguard Issues Security Advisories

Fri, 26 Jul 2024 18:09:12 +0000

When you scan a newly-built Chainguard Container with a vulnerability scanner, typically, no CVEs will be reported. However, as software packages age, more vulnerabilities are reported and CVEs will begin to accumulate in container images. When this happens, Chainguard releases security advisories to communicate these vulnerabilities to downstream images users.

Note: Advisory timestamps represent when updates are made to the advisory page, not when they were first detected and triaged by Chainguard.

How to Set Up Pull Through from Chainguard's Registry to Cloudsmith

Tue, 16 Jul 2024 15:56:52 -0700

Organizations often have their own internal software repositories and registries integrated into their systems. This guide explains how to set up the Cloudsmith artifact repository to ingest Chainguard Containers by acting as a pull-through cache.

This tutorial outlines how to set up a remote repository with Cloudsmith. It will walk you through how to set up a Cloudsmith repository you can use as a pull through cache for Chainguard’s Free containers or for Production containers originating from a private Chainguard repository.

Getting Started with the Laravel Chainguard Container

Fri, 17 May 2024 11:07:52 +0200

Chainguard’s Laravel container image provides a secure foundation for Laravel applications with minimal vulnerabilities compared to traditional PHP images. This specialized image includes all necessary PHP extensions and tooling for Laravel development while maintaining Chainguard’s security-first approach, enabling developers to build complex applications without compromising on security.

In this guide, we’ll set up a demo and demonstrate how you can use Chainguard Containers to develop, build, and run Laravel applications.

This tutorial requires Docker to be installed on your local machine. If you don’t have Docker installed, you can download and install it from the official Docker website.

Migrating to Python Chainguard Containers

Thu, 02 May 2024 15:06:00 -0700

Chainguard’s Python containers provide a migration path to significantly reduce vulnerabilities in Python applications while maintaining full compatibility with existing workloads. This guide explains how to migrate your containerized Python applications to benefit from Chainguard’s enhanced security posture and daily updates.

Chainguard Containers are built on Wolfi, a distroless Linux distribution designed for security and a reduced attack surface. Chainguard Containers are smaller and have low to no CVE. Our Chainguard Containers for Python are built nightly for extra freshness, so they’re always up-to-date with the latest remediations.

Red Hat UBI Compatibility

Fri, 23 Feb 2024 15:56:52 -0700

Chainguard Containers and Red Hat UBI base images have different binaries and scripts included in their respective busybox and coreutils packages. Note that Red Hat UBI images by default do not have a busybox package.

The following table lists common tools and their corresponding package(s) in both Wolfi and Red Hat distributions.

Using the Chainguard Console

Fri, 23 Feb 2024 11:07:52 +0200

This guide serves as a walkthrough of the Chainguard Console, which is accessible to anyone, but you’ll first need to create an account and log in.

If you’re not ready to create a Chainguard account, you can follow along with the public Chainguard Directory which offers similar information, but is only informative as it is not connected to your organization or account. If you use the Sign In link in the directory, it brings you to the console.

Chainguard FIPS Containers

Thu, 08 Feb 2024 15:56:52 -0700

What is FIPS?

Federal Information Processing Standards (FIPS) are standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA). FIPS compliance ensures that cryptographic security services within applications meet strict security and integrity standards, and are implemented and configured correctly.

Using Renovate with Chainguard Containers

Tue, 05 Sep 2023 11:07:52 +0200

Renovate can be used to alert on updates to Chainguard Containers. This can be an effective way to keep your images up-to-date and free of CVEs. This article explains how to configure Renovate to support Chainguard Containers.

NOTE: This article describes using Renovate to alert on new versions of Chainguard Containers. It is not about alerts for Wolfi packages (which is unsupported at the time of writing).

Prerequisites

This guide assumes you have successfully installed and configured Renovate. If you haven’t already set this up, please refer to the installation instructions.

Using the Tag History API

Fri, 26 May 2023 08:49:31 +0000

Chainguard Containers have automated nightly builds, which ensures our container images are always fresh including any recent patches and updated software. Even though it is important to keep your base images always updated, there will be situations where you’ll want to keep using an older build to make sure nothing will change in your container environment until you feel it’s safe to update.

For cases like this, it is useful to point your Dockerfile to use a specific container image digest as base image.

Create an Assumable Identity for a Bitbucket Pipeline

Wed, 17 May 2023 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines how to create an identity using Terraform, and then how to update a Bitbucket pipeline so that it can assume the identity and interact with Chainguard resources.

Prerequisites

To complete this guide, you will need the following.

How To Integrate Microsoft Entra ID SSO with Chainguard

Mon, 17 Apr 2023 08:48:45 +0000

This guide outlines how to create a Microsoft Entra ID (formerly Azure Active Directory) application and integrate it with Chainguard. After completing this guide, you’ll be able to log in to Chainguard using Entra ID and will no longer be limited to the default SSO options.

Migrating to .NET Chainguard Containers

Wed, 05 Nov 2025 00:00:00 +0000

Chainguard’s .NET container images provide a security-hardened foundation for building and running applications with significantly fewer vulnerabilities than .NET images provided by Microsoft. Chainguard’s .NET container images maintain full .NET compatibility while dramatically reducing the attack surface.

This guide demonstrates migrating a .NET application from Microsoft’s official images to Chainguard’s .NET container images by comparing two nearly identical versions of an application side-by-side. This guide also highlights concrete examples of the security improvements resulting from migrating to Chainguard Containers.

Use chainctl to Create an Assumable Identity for a Jenkins Pipeline

Sun, 07 Sep 2025 08:48:45 +0000

Jenkins is an open source automation server that supports building, deploying, and automating projects.

This guide explains how to use chainctl to create an assumable identity and configure Jenkins to use that identity to authenticate to Chainguard. To accomplish this, create an OIDC token credential in Jenkins and a matching Chainguard identity that uses the Jenkins OIDC URL, then put the process into an example Jenkins build pipeline.

To do this using Terraform, follow the instructions in Use Terraform to Create an Assumable Identity for a Jenkins Pipeline.

Using CVE Visualizations

Thu, 19 Dec 2024 11:07:52 +0200

Chainguard provides CVE Visualizations for all of its container images. This feature creates reports with CVE comparisons between Chainguard Containers and popular alternatives, as well as historical CVE remediation metrics. CVE Visualizations provide insight into image health and can help teams measure the engineering, security, and economic benefits gained from using Chainguard Containers.

This guide outlines how you can access a container image’s CVE Visualization in both the Chainguard Console and in the Containers Directory.

Chainguard Containers Product Release Lifecycle

Mon, 08 Jan 2024 08:49:31 +0000

Chainguard Containers are able to offer few-to-zero known vulnerabilities because they are updated frequently. Because of this continuous release cycle, the best way to mitigate vulnerabilities is to use the newest build of each Chainguard Container available. Chainguard keeps Containers up to date by doing one or more of the following:

Applying new releases from upstream projects
Rapidly applying upstream patches to current releases — you can read more about this in our blog post, “How Chainguard fixes vulnerabilities before they’re detected”
Applying Chainguard patches to OSS software

Upstream projects are updated frequently for many reasons, including to combat CVEs, and Chainguard ensures that the most up-to-date software is available in all Chainguard Containers. Additionally, Chainguard often identifies CVEs and other issues before scanners can detect them, so Chainguard may offer a patch to a vulnerable dependency to support Chainguard Containers with few-to-zero vulnerabilities.

Getting Started with the MariaDB Chainguard Container

Fri, 28 Jul 2023 11:07:52 +0200

Chainguard’s MariaDB container image provides a security-hardened foundation for database workloads with significantly fewer vulnerabilities than traditional MariaDB images. Built on Wolfi with a distroless design, this container removes unnecessary components while maintaining full MariaDB functionality.

Through daily rebuilds with the latest patches and minimal dependencies, Chainguard’s MariaDB image dramatically reduces your database’s attack surface. This enables you to run production MariaDB databases with enhanced security posture and a smaller container footprint.

Understanding Chainguard's Container Image Categories

Thu, 03 Apr 2025 11:07:52 +0200

Chainguard Containers are a collection of curated, distroless container images designed with a focus on software supply chain security. Chainguard’s container images are designed to be slim runtimes for production environments, emphasizing security and efficiency by removing unnecessary elements. Additionally, the images are designed to be easily integrated into existing workflows, helping organizations to build better, more secure software.

Within the Chainguard Containers Directory, Chainguard Containers are organized into five general categories (with some falling into multiple categories):

The Guardener

Mon, 30 Mar 2026 00:00:00 +0000

The Guardener migrates your Dockerfiles to use Chainguard Containers. It uses AI to iteratively convert instructions, build images, compare results, and fix issues until the Dockerfile works as expected.

You interact with it through chainctl agent dockerfile commands. The AI runs server-side and scans your workspace to perform its analysis. Docker builds and file access remain local to your machine, and only the data necessary for analysis is processed.

Note: The Guardener is in beta.

Use Terraform to Create an Assumable Identity for a Jenkins Pipeline

Sun, 07 Sep 2025 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines how to create an identity using Terraform, and then how to update a Jenkins pipeline so that it can assume the identity and interact with Chainguard resources. If you would like to follow this guide using chainctl, Chainguard’s command line tool, you can review Use chainctl to Create an Assumable Identity for a Jenkins Pipeline.

How to Use Chainguard Notifications

Fri, 11 Jul 2025 08:49:31 +0000

You can use the Chainguard Console to configure how Chainguard is permitted to send notifications about things like breaking changes to users in your organization. The feature includes options to allow notifications to be sent in-app to the Activity Center on the user’s Overview page in the Chainguard Console, via Slack, and for customers who are opted in, via email.

These notifications are different from Chainguard Events as Chainguard Notifications are sent by Chainguard’s customer success representatives.

Using wolfictl to Manage Security Advisories

Mon, 05 Aug 2024 20:23:51 +0000

Note: This document is deprecated as of June 2025.

Chainguard operates its own Security Advisories page to alert users about the status of vulnerabilities found in Chainguard Containers. To maintain this database, we use wolfictl, a tool developed for working with the Wolfi un-distro.

In this guide, you will walk through using wolfictl to create an advisory for a vulnerable package. You’ll also learn how to update this advisory as more information about the vulnerability is disclosed over time. To follow along, you will need to have git and the Go programming language installed on your machine.

Getting Started with the NeMo Chainguard Container

Thu, 16 May 2024 08:00:00 +0200

Chainguard’s NeMo container image provides a security-hardened environment for NVIDIA’s NeMo deep learning framework with minimal vulnerabilities compared to traditional AI/ML containers. NeMo enables building conversational AI models through module collections for Automatic Speech Recognition (ASR), Natural Language Processing (NLP), and Text-to-Speech (TTS) tasks. Built for CUDA 12 GPU acceleration, this lightweight container maintains full NeMo functionality while significantly reducing security risks for both training and production inference workloads.

What is Deep Learning?

Deep learning is a subset of machine learning that leverages a flexible computational architecture, the neural network, to address a wide variety of tasks. Neural networks emulate the structure of the brain and consist of interconnected nodes (neurons) that each contain an associated weight and threshold. In concert with an activation function, these values determine whether data is propagated within the network, producing an output layer corresponding to a classification, regression, or other result.

How To Use incert to Create Container Images with Built-in Custom Certificates

Mon, 03 Jul 2023 11:07:52 +0200

NOTE: If you are looking for a way to add certificates to existing Chainguard images, check out our doc on adding custom certificates with Custom Assembly.

In many enterprise settings, an organization will have its own certificate authority which it uses to issue certificates for its internal services. This is often for security or control reasons but could also be related to regulatory requirements.

If you’re using a container that needs to communicate with your organization’s services and your organization has its own certificate authority, you’ll need to add a valid certificate into your container. One way to do this is to mount the certificate as a volume at runtime. This works, but it means that everyone who uses the container has to go through the process of mounting the certificate.

Overview of Chainguard EKS Add-ons

Fri, 10 Apr 2026 00:00:00 +0000

Chainguard EKS add-ons are hardened, minimal container images for the foundational software components that power Amazon Elastic Kubernetes Service (EKS) clusters. Available through AWS Marketplace, they serve as FIPS-validated drop-in replacements for AWS default add-ons, providing zero known CVEs and FIPS 140-3 validated cryptography without requiring custom image builds or manifest overrides.

What are EKS add-ons?

Amazon EKS add-ons are software components that provide supporting operational capabilities to Kubernetes applications — things like networking drivers, storage integrations, and observability agents that allow the cluster to interact with underlying AWS resources, but aren’t specific to any application running on it.

Dockerfile Converter

Tue, 18 Mar 2025 15:22:20 +0100

Chainguard’s Dockerfile Converter (dfc) was designed to facilitate the process of porting existing Dockerfiles to use Chainguard Containers. The following platforms are currently supported:

Alpine (apk)
Debian / Ubuntu (apt, apt-get)
Fedora / RedHat / UBI (yum, dnf, microdnf)

Note: If you prefer a fully automated approach, The Guardener is an AI-powered agent that can migrate, optimize, and validate your Dockerfiles with minimal manual intervention.

Installation

If you use Homebrew, you can install dfc with:

How Chainguard Creates Container Images with Low-to-No CVEs

Fri, 31 May 2024 12:21:01 +0000

Tools and resources used in this video

Note: In November 2024, after this article was first written, Chainguard made changes to its free tier of container images. In order to access the non-free container images used in this guide, you will need to be part of an organization that has access to them. For a full list of container images that will remain in Chainguard's free tier, please refer to this support page.

Unique Tags for Chainguard Containers

Thu, 29 Feb 2024 08:49:31 +0000

Chainguard’s Unique Tags feature provides unique timestamped tags for every container image build, addressing enterprise requirements for precise version tracking and automated deployment workflows. Many organizations rely on distinct tags to trigger automated deployments and maintain audit trails, making traditional floating tags like ’latest’ unsuitable for production use.

To help with cases like this, Chainguard offers Unique Tags for private registries. Unique Tags are ideal for organizations that require a strict tag per release or update of their images. They benefit teams looking for precise tracking and management of container images.

Getting Started with the nginx Chainguard Container

Mon, 09 Jan 2023 11:07:52 +0200

Chainguard’s nginx container images provide a security-hardened foundation for web server deployments with significantly fewer vulnerabilities than traditional nginx images. Available in both development (:latest-dev) and production (:latest) variants, these containers maintain full nginx functionality while dramatically reducing attack surface. The production variant uses a distroless approach, removing shells and package managers to enhance security for production workloads.

In this tutorial, we will create a local demo website using nginx to serve static HTML content to a local port on your machine. Then we will use the nginx Chainguard Container to build and execute the demo in a lightweight containerized environment.

Migration best practices and checklist

Mon, 03 Feb 2025 10:42:57 +0000

Chainguard container images are designed to be minimal and to include special features for increased security and provenance attestation. Depending on your current base image and customizations, you may need to make some adjustments when migrating your current workloads to use Chainguard Containers. This checklist provides a high-level overview of the steps you should consider when migrating to Chainguard Containers.

Download the PDF version of this checklist here!

Important to know

Most Chainguard Containers don’t have a package manager or a shell by default. These are distroless images intended to be used as slim runtimes for production environments.
For every version of an image, a complimentary standard image is provided with a shell and the apk package manager. These are identified by the -dev suffix and can be customized.
When possible, we recommend using multistage builds that combine a build stage based on a -dev variant and a runtime stage based on a distroless image.
Chainguard Containers typically don’t run as root, so a USER root statement may be required before installing software.
Chainguard Containers are based on apk. If you’re coming from Debian or Ubuntu you’ll need to replace apt commands with their apk equivalents. This also applies for other distros that are not based on apk.
Some images may behave differently than their equivalent in other distros, due to differences in entrypoint and shell availability. Always check the image documentation for usage details.
For a number of our most popular Containers, a full variant (tagged -full) maps to the upstream image to ease initial migration. It’s a useful starting point if your pipeline depends on packages from your previous image, though we recommend moving to a slimmer variant once you’ve migrated. See Full container variants.

Migration checklist

Check the image’s overview page on the Containers Directory for usage details and any compatibility remarks.
Replace your current base image with a standard -dev (such as latest-dev) variant as a starting point.
Add a USER root statement before package installations or other commands that must run as an administrative user.
Replace any instances of apt install (or equivalent) with apk add.
Use apk search on a running container or the APK Explorer tool to identify packages you need – some commands might be available with different names or bundled with different packages.
When copying application files to the image, make sure proper permissions are set.
Switch back to a non-root user so that the image does not run as root by default.
Build and test your image to validate your setup.
Optional: migrate your setup to a multi-stage build that uses a distroless image variant as runtime. Our Getting Started with Distroless guide has detailed information on how to work with distroless images and multi-stage builds.

For detailed migration guidance, please refer to our Migration Docs on Chainguard Academy. For troubleshooting, check our Debugging distroless containers resource.

Create an Assumable Identity for a CLI session authenticated with Keycloak

Tue, 26 Mar 2024 08:48:45 +0000

Chainguard’s assumable identities are identities that can be assumed by external applications or workflows in order to perform certain tasks that would otherwise have to be done by a human.

This procedural tutorial outlines how to create an identity using Terraform, and then assume the identity with the CLI to interact with Chainguard resources.

Prerequisites

To complete this guide, you will need the following.

Using the Chainguard Directory

Fri, 23 Feb 2024 11:07:52 +0200

There are hundreds of Chainguard Containers available for use. To help users explore and better understand all of these container images, we’ve developed the Chainguard Directory. This is a free to access web portal that does not require signing in from which you can view information about container images in the Chainguard catalog. This is great for quick searches or while exploring Chainguard’s offerings.

If you want more specific information about what is available to your organization, take a look at the Chainguard Console. You’ll first need to create an account and log in but there you can interact in a clearer, organization-specific way. If you use the Sign In link in the directory, it brings you to the console. Learn more about the Chainguard Console in the related docs page.

Getting Started with the Node Chainguard Container

Wed, 01 Feb 2023 11:07:52 +0200

Chainguard’s Node container image provides a secure runtime for Node.js applications with significantly fewer vulnerabilities than traditional Node images. This distroless image includes Node.js and npm while maintaining a minimal attack surface for production deployments.

In this guide, we’ll set up a demo application and create a Dockerfile to build and execute the demo using the Node Chainguard Containers as base.

This tutorial requires Docker, Node, and Npm to be installed on your local machine.

Verify that Chainguard FIPS Containers are Configured to Use FIPS Modules

Sun, 23 Nov 2025 08:04:00 +0000

Chainguard offers hundreds of FIPS container image variants covering language runtimes (Go, Java, Python, Node.js, .NET, PHP, C/C++), databases, web servers, and Kubernetes components. These images use NIST-validated cryptographic modules including the OpenSSL FIPS provider, Bouncy Castle FIPS, and BoringCrypto. Refer to Chainguard’s FIPS Commitment for a full list of the modules used in Chainguard FIPS Images, as well as their respective CMVP certificates and SBOM indicators.

This guide outlines how to verify that Chainguard’s FIPS images are properly configured to use these FIPS modules.

How To Compare Chainguard Containers with chainctl

Wed, 30 Aug 2023 11:07:52 +0200

Chainguard’s chainctl images diff command provides detailed comparisons between container image versions, enabling you to track security improvements, package updates, and vulnerability changes across builds. This powerful feature helps you understand exactly what changes between image versions, whether comparing daily builds, analyzing CVE remediation, or evaluating custom image updates.

The chainctl diff functionality supports informed deployment decisions by revealing package-level differences, security posture changes, and build variations between any two Chainguard container images.

Getting Started with the PHP Chainguard Container

Mon, 09 Jan 2023 11:07:52 +0200

Chainguard’s PHP container images provide secure foundations for PHP applications with minimal vulnerabilities compared to traditional PHP images. These images come in multiple variants: the latest-fpm variant for serving web applications via FastCGI, the latest variant for CLI applications, and development variants that include additional tools for building and debugging PHP workloads.

In this guide, we’ll set up a demo and demonstrate how you can use Chainguard Containers to develop, build, and run PHP applications.

Package and Image Name Mappings

Thu, 23 Oct 2025 11:07:52 +0200

When migrating to Chainguard Containers, you may notice that some package and image names differ from their upstream counterparts. This guide explains why these mappings exist and provides a comprehensive reference of how Chainguard maps image and package names to our container ecosystem.

Why Chainguard Remaps Package Names

Different Linux distributions often use different names for the same software. For example, Debian calls its C compiler package build-essential, while Alpine calls the equivalent package build-base and Fedora uses gcc and related packages. Chainguard Containers standardize these names to provide consistency regardless of which distribution you’re migrating from.

Can anybody build Chainguard Containers themselves?

Sat, 02 Aug 2025 16:00:00 +0000

Transcript

Interviewer: But everything is open source—can anybody build the images themselves?

How to Use Chainguard Helm Charts

Fri, 11 Jul 2025 08:49:31 +0000

Helm is a package manager for Kubernetes that simplifies the installation and management of applications by automating the creation of Kubernetes resources. Helm charts are reusable, versioned packages that define a collection of Kubernetes resources required to run an application or service. You use Helm to define, install, and perform upgrades to your applications on Kubernetes.

For organizations looking to deploy their Chainguard container images with Helm, Chainguard provides upstream-produced Helm charts. These charts are available from the Chainguard Registry and are intended for customers who are either looking to get started with Helm or are looking for better, trusted alternatives to the public charts they may already be using.

Beyond Zero: Eliminating Vulnerabilities in PyTorch Container Images (PyTorch 2024)

Sat, 07 Sep 2024 01:21:01 +0000

Recording of Beyond Zero: Eliminating Vulnerabilities in PyTorch Container Images presented by Dan Fernandez, Srishti Hegde, and Patrick Smyth at PyTorch 2024

Session Description

Container images are increasingly the future of production applications at scale, providing reproducibility, robustness, and transparency. As PyTorch images get deployed to production, however, security becomes a major concern. PyTorch has a large attack surface, and building secure PyTorch images can be a challenge. Currently, the official PyTorch runtime container image has 1 CVE (known vulnerabilities) rated critical and 5 CVEs rated high. Improving this situation could secure many deployments that incorporate PyTorch for cloud-based inference or training. In this fast-paced session, we took a deep dive on the official PyTorch image from a vulnerability mitigation perspective, looking hard at included packages, executables, and active CVEs. We identify low-hanging fruit for increasing security, including stripping bloat and building fresh. We also talk about the next level of security practiced in Chainguard’s PyTorch image builds, such as including SBOMs and going distroless. Finally, we consider emerging tools and approaches for analyzing AI artifacts such as models and how these systems can benefit PyTorch in production.

Getting Started with the PostgreSQL Chainguard Container

Thu, 10 Aug 2023 11:07:52 +0200

Chainguard’s PostgreSQL container image provides a security-hardened foundation for running Postgres databases with significantly fewer vulnerabilities than traditional PostgreSQL images. Built on Wolfi with a distroless design, this container maintains full PostgreSQL functionality while dramatically reducing attack surface.

Through daily rebuilds with the latest patches and minimal dependencies, Chainguard’s PostgreSQL image enhances database security posture. This enables you to run production Postgres workloads in containerized environments with both a smaller footprint and improved protection against supply chain attacks.

Authenticate to Chainguard's Registry

Tue, 21 Mar 2023 15:10:16 +0000

Public Container Images

Chainguard offers a collection of images that are publicly available, don’t require authentication, and are free to use by anyone. However, logging in with a Chainguard account and authenticating when pulling from the registry gives you access to the Chainguard Console, and provides a mechanism for Chainguard to contact you if there are any issues with images you are pulling. This may enable Chainguard to notify you of upcoming deprecations, changes in behavior, critical vulnerabilities and remediations for images you have recently pulled.

Chainguard Container Catalog Pricing

Tue, 19 Aug 2025 08:49:31 +0000

Chainguard offers Catalog Pricing for our library of secure container images, providing access to the full catalog of Chainguard Containers. Catalog Pricing enables you to add individual images from the wider Chainguard catalog to your organization’s repository using the Self-Serve Catalog Experience.

This article highlights the benefits of the Catalog Pricing plan and outlines how you can provision container images through the Self-Serve Experience.

Catalog Pricing

The Catalog Pricing model provides a single subscription that grants unlimited access to the full catalog of container images maintained by Chainguard. This model removes the need for per-repository licensing and offers predictable monthly or annual costs. Subscriptions can include FIPS-compliant images, depending on the selected tier.

How to Use Chainguard iamguarded Helm Charts

Fri, 11 Jul 2025 08:49:31 +0000

Chainguard offers this limited iamguarded set of Helm charts to go with a set of Chainguard-created containers labeled as iamguarded, designed specifically to support organizations migrating off of Bitnami. The iamguarded charts are forked from upstream Bitnami charts, but now configured out-of-the box for use with Chainguard’s hardened container images. These charts only receive edits necessary to make them work with Chainguard container images and retain the intended functionality of the originals they are based on. Because the iamguarded charts are forks, they may be susceptible to breaking changes introduced by the upstream. In such cases, customers should plan to transition to a community-provided alternative (or an equivalent one from Chainguard) where possible.

Getting Started with the Python Chainguard Container

Tue, 28 Feb 2023 11:07:52 +0200

Chainguard’s Python container images provide a more secure foundation for Python applications through distroless design, containing significantly fewer CVEs compared to traditional Python images. These production-ready images are optimized for building and running Python workloads.

Two variants of Chainguard Python images are available: a minimal runtime image containing only Python and its standard library, and a -dev variant that includes pip and a shell for development purposes. Since most Python applications require third-party packages, the recommended approach is using a multi-stage Docker build with the -dev image for dependency installation and the minimal image for runtime.

Chainguard Catalog Starter

Mon, 09 Mar 2026 07:52:00 +0200

Chainguard Catalog Starter is a way to try production-grade Chainguard Containers for free, without committing to a full subscription. It lets you choose a set of five container images from the broader Chainguard catalog so you can validate security, performance, and operational fit in your own environment before you buy.

Note: Chainguard Catalog Starter is in beta.

What is Catalog Starter?

With Chainguard Catalog Starter, users can choose any five non-FIPS images from our catalog of secure-by-default containers. Any Helm charts that depend on those images are included and count toward the five-image limit.

Proxy and cache Helm Charts with Artifactory

Mon, 14 Jul 2025 08:10:31 +0000

This page shows you how to set up and use Chainguard Helm Charts with Artifactory via remote Helm OCI repositories.

Create and configure Helm OCI repository in Artifactory

From the administration panel within Artifactory, create a remote repository, picking Helm as the repo type. we’ll call it iamguarded-charts

Chainguard FIPS Container FAQs

Fri, 10 Jan 2025 15:56:52 -0700

Answers to your questions about Chainguard FIPS container images.

Is there a way to enable or disable the FIPS mode in a FIPS image?

All Chainguard FIPS Containers are configured in approved-only mode as noted in our FIPS commitment.

Getting Started with the PyTorch Chainguard Container

Thu, 25 Apr 2024 08:00:00 +0200

Chainguard’s PyTorch container image provides a security-hardened foundation for deep learning workloads with significantly fewer vulnerabilities than traditional PyTorch containers. Built with PyTorch and CUDA support for GPU acceleration, this minimal image maintains full deep learning capabilities while dramatically reducing attack surface. This guide demonstrates fine-tuning models, secure inference deployment, and compares the enhanced security posture to official PyTorch images.

What is Deep Learning?

Chainguard Containers FAQs

Thu, 01 Sep 2022 08:49:31 +0000

Learn answers to your questions about Chainguard Containers. Chainguard provides container images designed with security as the primary focus, featuring zero known CVEs, minimal attack surface, and built-in SBOMs for every image.

Which Linux distribution is used as base for Chainguard Containers?

Chainguard Containers are based on Wolfi, a Linux undistro we built specifically to address software supply chain security issues. We call it an undistro because it doesn’t contain certain software you’d normally find in a traditional Linux distribution such as Debian or Alpine. Wolfi is a minimal Linux distribution designed specifically to be used as a base for stripped-down container images.

Getting Started with the MinIO Chainguard Container

Mon, 27 Oct 2025 11:07:52 +0200

MinIO is a high-performance, S3-compatible object storage system that has become widely adopted across the cloud-native ecosystem, with over 1 billion pulls on Docker Hub. It’s used for testing, local development, and production deployments across on-premises and cloud environments. MinIO’s solid S3 compatibility has made it a common choice for developers who need S3-compatible storage without AWS dependencies, and it’s integrated into popular open source projects like Trino and Apache Spark for backup and archival, AI/ML workloads, data lakes, and application data storage.

Getting Started with the Ruby Chainguard Container

Wed, 10 May 2023 11:07:52 +0200

Chainguard’s Ruby container images provide secure foundations for Ruby applications with minimal vulnerabilities through both development and production-ready distroless variants. These images significantly reduce attack surface compared to traditional Ruby base images while maintaining full compatibility with Ruby applications and the Rubygems ecosystem.

Because Ruby applications typically require the installation of third-party dependencies via Rubygems, using a pure distroless image for building your application would not work. In cases like this, you’ll need to implement a multi-stage Docker build that uses one of the -dev images to set up the application.

Getting started with the Chainguard Spark FIPS container

Thu, 04 Jun 2026 00:00:00 +0000

Apache Spark is a distributed computing engine for batch processing, stream processing, and machine learning at scale. Organizations subject to federal compliance requirements—including FedRAMP, FISMA, and Department of Defense frameworks—must use FIPS 140-3 validated cryptography for all cryptographic operations in Spark.

Chainguard’s Spark FIPS container packages Apache Spark with the Bouncy Castle FIPS cryptographic provider, replacing the standard JVM cryptographic modules with NIST-validated equivalents. In FIPS mode, TLS connections require BCFKS-format keystores rather than the standard PKCS12 or JKS formats, and only FIPS-approved cipher suites are permitted.

How to Use Chainguard Containers with OpenShift

Tue, 17 Jun 2025 08:49:31 +0000

Chainguard Containers are fully compatible with Red Hat OpenShift Container Platform, providing enhanced security while requiring some configuration adjustments for OpenShift’s security context constraints. This guide explains how to successfully deploy Chainguard’s minimal, security-hardened container images in OpenShift environments.

Red Hat OpenShift is an application platform that orchestrates and manages your systems and resources. While it is based on open source software like Kubernetes, OpenShift includes a suite of applications with additional functionality that are configured to work together.

Getting Started with the WordPress Chainguard Container

Fri, 19 Jul 2024 11:07:52 +0200

Chainguard’s WordPress container image is a drop-in replacement for the official WordPress FPM-Alpine image, with significantly fewer vulnerabilities than the standard image. It includes a distroless variant for production use that removes shells, package managers, and other unnecessary components. The image ships with the latest PHP and WordPress versions and all required PHP extensions.

This guide covers three ways to use the WordPress Chainguard Container to build and run WordPress projects.

What is distroless?

What is Wolfi?

What are multi-stage builds?

Shipping Safer Container Runtimes in 2026

Wed, 17 Dec 2025 17:00:00 +0000

The December 2025 Learning Lab with Erika Heidi focuses on strategies to improve the security of your software supply chain and ship safer container runtimes in 2026.

Sections

00:00 Intro
02:52 Why Devs need to care
04:48 XZ Utils incident
09:43 tj-actions/changed-files incident
12:42 Sha1-Hulud Second Coming
17:11 Trending threat models
32:42 Mitigating risks
45:02 Concrete Dev actions this sprint
50:47 Chainguard Containers: CVE Comparisons

Resources

Static Chainguard Container Images

Sun, 28 Sep 2025 21:00:00 +0000

The September 2025 Learning Lab, led by Adrian Moat, focuses on minimizing the attack surface of container images by adopting Chainguard’s static and minimal images, which boast zero known CVEs. Adrian demonstrated a container build for a Go-based application and explains more complex use cases.

Sections

00:01 Welcome and introductions
03:34 Talk outline and prerequisites
04:34 Understanding CVEs
07:34 Introducing Chainguard Containers
08:58 Vulnerability and size comparison
10:14 Why Chainguard images are more secure
11:46 Practical demo: Migrating a Go container image
15:01 Initial build
17:59 Migration to Chainguard base image
20:45 Multi-stage build and static image optimization
27:39 Static vs. dynamic binaries
30:16 Chainguard Container variants
32:34 Distroless Containers and dev images
33:30 Debugging Distroless containers demonstration
44:57 Key takeaways and wrap-up
46:44 Next Learning Lab announcement
47:50 Resources for further learning

Resources

Slide deck

Getting Started with Chainguard's Dockerfile Converter

Thu, 28 Aug 2025 17:00:00 +0000

The August 2025 Learning Lab with Erika Heidi covers DFC, or Dockerfile Converter, an open source tool created by the Chainguard team to facilitate migration to Chainguard Containers. In this session, learn how to install and use DFC to effectively convert your Dockerfiles to use minimal container images from Chainguard. Erika demonstrates how to use various flags to customize DFC’s output and also how to connect the DFC MCP server to your AI assistant to have DFC functionality integrated within your current AI workflow.

AI with Hardened Container Images

Thu, 24 Jul 2025 17:00:00 +0000

The July 2025 Learning Lab with Patrick Smyth covers AI with Hardened Container Images. In this session, learn how to secure AI workloads by reducing vulnerabilities in container images by over 90%. Patrick demonstrates hands-on techniques for training an animal detection model using PyTorch with hardened container images, creating minimal and secure deployments, and running AI frameworks with zero CVEs.

Sections

0:00 Introduction and updates
2:02 Preparation: Docker pull instructions for demo
3:39 Chainguard! Who are we?
4:34 CVE system fundamentals
6:48 “Boss assigned me to fix Ubuntu” problem
7:41 Introduction to Chainguard Containers
8:54 Zero CVE containers: Real results and comparisons
11:10 How we achieve zero CVEs: Minimal, Fresh, Advisory, Patch
13:24 AI container challenges: Size and complexity
14:59 PyTorch container analysis: CVEs, packages, and executables
16:21 Demo introduction: Image classification with PyTorch
17:59 Demo walkthrough and repository overview
19:28 Demo: Running the training command
22:01 Demo: Downloading test image and running inference
23:20 Recent developments in Chainguard AI containers
25:09 Other AI containers: TensorFlow, KServe, Triton backends
26:46 Q&A
35:18 Chainguard AI course and additional resources

Demo

In the demo, Patrick trains and runs inference on an image classification model using PyTorch and Chainguard’s hardened container image. The model classifies images of octopuses, whales, and penguins, demonstrating how to work with AI workloads securely.

Setting Up a Minecraft Server with the JRE Chainguard Container

Wed, 26 Mar 2025 11:07:52 +0200

Introduction

Chainguard’s JRE container image provides an ideal foundation for running Minecraft Java servers with enhanced security and minimal vulnerabilities. Minecraft, the best-selling video game of all time with 170 million monthly players as of 2024, often requires dedicated servers for multiplayer gameplay where players can build and explore together.

Using Chainguard Containers in Dev Containers

Mon, 10 Mar 2025 11:07:52 +0200

Development Containers — sometimes known as “dev containers” — allow you to use a container as a development environment where you can run applications and separate tools, libraries, or runtimes. Dev containers can also help with testing and continuous integration.

With a few changes, the images based on Wolfi and maintained by Chainguard provide distroless images that can be used as dev containers. This guide outlines how you can set up a Chainguard image as a dev container in VS Code.

Using Grype to Scan Software Artifacts

Thu, 06 Jun 2024 20:00:00 +0200

Grype is a vulnerability scanner for container images and filesystems developed and maintained by Anchore and written in the Go programming language. Grype can scan from Docker, OCI, Singularity, podman, image archives, and local directory. Grype is compatible with SBOMs generated by Syft, and Grype’s vulnerability database draws from a wide variety of sources.

Grype is appropriate for one-off detection for manual CVE mitigation and in automated use in CI pipelines. Chainguard maintains a low-to-no CVE Chainguard Image for Grype based on our lightweight Wolfi distribution.

Using Init Containers with Chainguard Containers

Mon, 04 Aug 2025 15:21:01 +0000

Chainguard Containers are designed with minimalism and security in mind. By including fewer packages and tools, Chainguard Containers have a smaller attack surface than their counterparts. However, there are cases where the external counterparts have certain desirable features, like useful startup scripts or configuration defaults.

There are several ways to customize Chainguard Containers. For example, you can use Custom Assembly to add packages to an otherwise minimal Chainguard container image. Changing a Chainguard container image’s configuration — such as updating its entrypoint or adding startup scripts — requires a different strategy. One method for doing so in Kubernetes deployments is to use init containers.

Using the Chainguard Static Base Container Image

Wed, 30 Aug 2023 15:21:01 +0000

Tools used in this video

Docker
Grype

Dockerfile

FROM cgr.dev/chainguard/go AS build
COPY main.go /main.go
RUN CGO_ENABLED=0 go build -o /hello /main.go
FROM cgr.dev/chainguard/static
COPY --from=build /hello /usr/local/bin/
CMD ["hello"]

Transcript

So what’s the best container base image to use?

How to Use Container Image Digests to Improve Reproducibility

Mon, 07 Aug 2023 15:21:01 +0200

Tools used in this video

Docker
Crane

Commands used

docker pull cgr.dev/chainguard/node

docker manifest inspect cgr.dev/chainguard/node@sha256:ede7ef4ca485553f5313f7a02ad3537db1fe337079fc7cfb879f44cf709326db

crane digest --full-ref cgr.dev/chainguard/node

docker pull cgr.dev/chainguard/node:latest@sha256:ede7ef4ca485553f5313f7a02ad3537db1fe337079fc7cfb879f44cf709326db

Dockerfile

FROM cgr.dev/chainguard/go:latest@sha256:7e60584b9ae1eec6ddc6bc72161f4712bcca066d5b1f511d740bcc0f65b05949 AS build
WORKDIR /src
RUN CGO_ENABLED=0 go build -o /bin/server ./src
FROM cgr.dev/chainguard/static AS prod
COPY --from=build /bin/server /bin/
EXPOSE 8000
ENTRYPOINT [ "/bin/server" ]

Transcript

0:05 You might have heard the advice to pin to a digest when using container images.

Reproducible Dockerfiles with Frizbee and Digestabot

Fri, 07 Jun 2024 12:21:01 +0000

Tools

Transcript

I’d like to talk about a problem I faced with container builds in the past and a potential solution.

Getting Software Versions from Chainguard Containers

Fri, 07 Jul 2023 15:21:01 +0200

Tools used in this video

Commands used

cosign download attestation --platform=linux/amd64 \
--predicate-type=https://spdx.dev/Document \
cgr.dev/chainguard/python:latest | jq -r .payload | base64 -d \
| jq -r '.predicate.packages[] | "\(.name) \(.versionInfo)"'

docker run cgr.dev/chainguard/wolfi-base ls /var/lib/db/sbom

Transcript

Hi, I want to record a very short video on how to get software version information out of Chainguard Containers.

Building Minimal Container Images for Applications with Runtimes

Wed, 06 Sep 2023 01:21:01 +0000

Tools used in this video

Docker

Resources

The Dockerfiles used in this video and other supporting documentation are available on GitHub.

Choosing a Container for your Compiled Programs

Fri, 12 Jul 2024 17:55:01 +0000

When selecting the right base image for your application, there are a variety of factors to take into consideration. For starters, it is critical that your application has all of the dependencies it needs to run. The ideal base image will contain the essential packages you need, while leaving out the ones you don’t. However, in practice, you will need to build upon your container images so they meet your specific needs, making it all the more important that you have a strong foundation.

glibc vs. musl

Mon, 26 Aug 2024 18:42:57 +0000

Over the years, various implementations of the C standard library — such as the GNU C library, musl, uClibc-ng, and many others — have emerged with different goals and characteristics. These various implementations exist because the C standard library defines the required functionality for operating system services (such as file input/output and memory management) but does not specify implementation details. Among these implementations, the GNU C Library (glibc) and musl are among the most popular.

Vulnerability Comparison: bash