Overview of Chainguard Images

Chainguard Images is a collection of container images designed for security and minimalism.

Many of the images are distroless; they contain only an application and its runtime dependencies. These images do not even contain a shell or package manager.

Chainguard Images are built with Wolfi, our Linux undistro designed from the ground up to produce container images that meet the requirements of a secure software supply chain.

Main features include:

  • Minimalist design, no bloating from unnecessary software
  • High quality build-time SBOMs (software bill of materials) attesting the provenance of all artifacts within the image
  • Verifiable signatures provided by Sigstore
  • Automated nightly builds to ensure images are completely up-to-date and contain all available security patches
  • Reproducible builds with Cosign and apko (read more about reproducibility)

Chainguard Images are available from the Chainguard Registry and can be pulled from cgr.dev. You can review the image definition files on GitHub.

Why Distroless

Distroless images are the result of pushing minimalism in containers to the next level. When compared to traditional base images such as Alpine or Debian, they are more stripped back, lacking even a shell or package managers. However, compared to the empty “scratch” image, they do contain structure essential for the majority of Linux applications such as root certificates for TLS and core files like /etc/passwd.

Comparing Images

The following graph shows a comparison between the official Nginx image and Chainguard’s Nginx image, based on the number of CVEs (common vulnerabilities and exposures) detected by Grype:

Figure (Nginx): Comparing the latest official Nginx image with cgr.dev/chainguard/nginx by number of CVEs detected by Grype.

The major advantage of distroless images is the reduced size and complexity, which results in a vastly reduced attack surface. This is evidenced by the results from security scanners, which detect far fewer potential vulnerabilities in Chainguard Images.

You can review more comparisons of Chainguard Images and external images by checking out our Vulnerability Comparisons dashboard.

Architecture

By default, all Wolfi-based images are built for the x86_64 (also known as AMD64) and AArch64 (also known as ARM64) architectures. Providing multi-platform Chainguard Images supports more than one runtime environment, such as those available on all three major clouds (AWS, GCP, and Azure). The macOS M1 and M2 chips are also based on the ARM architecture, so Chainguard Images let you take advantage of ARM's power consumption and cost benefits there as well.

You can confirm the architectures a given Chainguard Image is built for with Crane. In this example, we'll use the latest Ruby image, but you can opt to use an alternate image.

crane manifest cgr.dev/chainguard/ruby:latest | jq -r '.manifests[] | .platform'

Once you run this command, you’ll receive output similar to the following.

{
  "architecture": "amd64",
  "os": "linux"
}
{
  "architecture": "arm64",
  "os": "linux"
}

This verifies that the Ruby Chainguard Image is built for both AMD64 and ARM64 architectures.
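As an added example (not part of Chainguard's documentation or tooling), the following Python reproduces the jq selection above on a constructed image index and turns it into a check that fails when a required platform is missing, which is the form a CI gate would take. The index contents, the placeholder digests, the `unknown/unknown` attestation entry and the default required-platform list are assumptions.

```python
import json

# Constructed sample shaped like `crane manifest cgr.dev/chainguard/ruby:latest`
# output (an OCI image index); digests and sizes are placeholders.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:" + "0" * 64, "size": 1234,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"digest": "sha256:" + "1" * 64, "size": 1234,
         "platform": {"architecture": "arm64", "os": "linux"}},
        # Some build tools (e.g. BuildKit) attach SBOM/signature attestations as
        # manifests with this pseudo-platform; they are not a runnable platform.
        {"digest": "sha256:" + "2" * 64, "size": 567,
         "platform": {"architecture": "unknown", "os": "unknown"}},
    ],
})

def image_platforms(index_json):
    """Return the set of 'os/arch[/variant]' strings an image index provides.

    Same selection as `jq -r '.manifests[] | .platform'`, minus the
    unknown/unknown attestation entries.
    """
    index = json.loads(index_json)
    if "manifests" not in index:
        # A single-platform image returns a plain image manifest, not an index.
        raise ValueError("not an image index: no 'manifests' field")
    found = set()
    for manifest in index["manifests"]:
        plat = manifest.get("platform")
        if not plat or plat.get("os") == "unknown":
            continue
        name = f"{plat['os']}/{plat['architecture']}"
        if plat.get("variant"):           # e.g. linux/arm/v7
            name += f"/{plat['variant']}"
        found.add(name)
    return found

def missing_platforms(index_json, required=("linux/amd64", "linux/arm64")):
    """Return the required platforms the index lacks; an empty list means OK."""
    return sorted(set(required) - image_platforms(index_json))

if __name__ == "__main__":
    print(sorted(image_platforms(SAMPLE_INDEX)))   # ['linux/amd64', 'linux/arm64']
    print(missing_platforms(SAMPLE_INDEX))         # []
```

To run it against a real image, pipe `crane manifest <image>` into `image_platforms` instead of `SAMPLE_INDEX`; a non-empty result from `missing_platforms` is the condition to fail a pipeline on.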

You can read more about our support of ARM64 in our blog on Building Wolfi from the ground up.

Last updated: 2023-03-22 08:49