Overview of Chainguard Images

A primer on Chainguard Images and the distroless approach

Chainguard Images is a collection of container images designed for minimalism and security.

Many of the images are distroless; they contain only an application and its runtime dependencies. These images do not even contain a shell or package manager.

Most of the images are built with Wolfi, our Linux undistro designed from the ground up to produce container images that meet the requirements of a secure software supply chain.

Main features include:

  • Minimalist design, no bloating from unnecessary software
  • Build-time SBOMs (software bill of materials) attesting the provenance of all artifacts within the image
  • Verifiable signatures provided by Sigstore
  • Automated nightly builds to ensure images are completely up-to-date and contain all available security patches

Chainguard Images are available on Github and the cgr.dev registry.

Why Distroless

Distroless images are the result of pushing minimalism in containers to the next level. When compared to traditional base images such as alpine or debian, they are more stripped back, lacking even a shell or package managers. However, compared to the empty “scratch” image, they do contain structure essential for the majority of Linux applications such as root certificates for TLS and core files like /etc/passwd.

The following graph shows a comparison between the official Nginx image and Chainguard’s Nginx image, based on the number of CVEs (common vulnerabilities and exposures) detected by Trivy:

Nginx

Comparing the latest official Nginx image with cgr.dev/chainguard/nginx

The major advantage of distroless images is the reduced size and complexity, which results in a vastly reduced attack surface. This is evidenced by the results from security scanners, which detect far fewer potential vulnerabilities in Chainguard Images.