Using CVE Visualizations
Getting started with the CVE Visualization feature.
Chainguard Containers follow a distroless philosophy, meaning that only software absolutely necessary for a specific workload is included in an image. Designed to be as minimal as possible, Chainguard’s standard container images do not contain package managers such as apk, shells such as b/a/sh, or development utilities such as Git or text editors. However, this distroless approach isn’t suitable for every use case. For this reason, most Chainguard Containers have what’s called a development variant.
These variants are designed for development tasks such as building, testing, or debugging. They can be used to build software artifacts that are then copied into standard images as part of a multi-stage build, or to test workflows interactively in an environment similar to a standard image. Development images contain familiar utilities such as package managers and shells. While our standard images have advantages related to security, development images are also secure and production-ready. Development images are tagged :latest-dev
.
To benefit from the most minimal potential attack surface, we recommend using a multi-stage build that leverages the development container image as a builder for a distroless standard container image. However, development images are useful as they are throughout the development lifecycle. This article explains some of the key features of development container variants and how they differ from our standard container images and outlines ways these variants come together in creating a secure deployment.
Note: Any time this article mentions Chainguard’s “standard” container images, it’s referring to our minimal, distroless container images. In the context of this article, any non-development variant is considered a “standard” container image.
Chainguard’s standard container images have the following advantages:
While our standard images can be considered to have advantages for security, the development variants of Chainguard Containers are also low-to-no CVE, include useful attestations such as SLSA provenance and SBOMs, and follow other security best practices. You should feel comfortable using these secure development images in production if they better fit your use case.
Though using Chainguard’s standard container images in your final deployment will give you the benefits of distroless, development images have many use cases. These include:
It’s likely already clear that switching to our standard images requires a few changes in development and deployment. Here are a few additional considerations:
CMD
will be directed to the image-specific entrypoint. Because we aim to keep our development images as close as possible to our standard images, these changes to entrypoint also affect development container images.--user root
option — to perform tasks such as installing packages with apk.Taking the step into distroless by using our standard Chainguard Containers can be an adjustment. Our development images provide options and flexibility as you secure your production infrastructure. Development images are also secure and ready for use in production.
Last updated: 2025-04-11 07:52