Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Hardened Base Images #4

Open
adamretter opened this issue Aug 16, 2023 · 0 comments
Open

Security Hardened Base Images #4

adamretter opened this issue Aug 16, 2023 · 0 comments

Comments

@adamretter
Copy link

adamretter commented Aug 16, 2023

Hi @ahosgood nice to see this :-)

As per our brief discussing at the TNA TA meeting... we (Project Omega @ TNA) were previously using Google's GCT Distroless Images for our production needs as these are both small (size) and very minimalist (smaller attack surface) - https://github.com/GoogleContainerTools/distroless. For debugging/development images (i.e. where we need a shell and tools) we were using debian:bullseye-slim as that is the base image for GCT's distroless images; so it enabled a degree of compatibility/consistency when testing etc.

However, we are considering switching to Chainguard's no-distro base images. Whilst still super-minimalist, they appear to have a lot of security advantages such as SBOM's and Supply Chain vetting. If you are interested, you can read a bit about them:

  1. https://www.chainguard.dev/unchained/how-chainguard-fixes-vulnerabilities
  2. https://www.chainguard.dev/unchained/minimal-container-images-towards-a-more-secure-future
  3. https://www.chainguard.dev/unchained

As well as their secure wolfi-base image they are now (like GCT were) providing base images atop that for various language runtimes (including Python). You can find their base images here: https://www.chainguard.dev/chainguard-images

I think the chainguard-images could form a nice base perhaps for TNA Docker images. I would be interested to hear your thoughts...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant