I'm looking for advice on creating a secure container base image that I can use for building my application image. Specifically, I'm curious about different options like Ubuntu, Debian, Node, Alpine, Rocky, and OpenJDK. Any tips or best practices would be greatly appreciated!
6 Answers
Chainguard is a great option, though it can be a bit pricey—around a few mill a year! But honestly, the time saved on engineering is worth it in my opinion!
We aim to always use the latest images from Amazon, specifically version 17 or Node.js. We utilize the ECR pull-through cache to automatically fetch the latest images every 15 days, ensuring that our build pipeline stays up to date with security patches.
You might want to check out Distroless images and Chainguard. Both can provide secure options for container images. Distroless images only contain the application and its runtime dependencies, minimizing the attack surface. Chainguard is also focused on security but in a different way—let me know if you need more details about both!
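The Distroless point made above, shown as an added Dockerfile (not the answerer's own code): a multi-stage build installs dependencies on a full Debian-based Node image, then copies only the application into a Distroless runtime image that has no shell or package manager. The application layout (package.json, package-lock.json, server.js) and the image name are assumptions for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not code from the original answer.
# Assumptions: a Node.js service with package.json/package-lock.json at the
# build-context root and an entrypoint script server.js.

# --- build stage: has npm, a shell and build tools ---
FROM node:20-bookworm-slim AS build
WORKDIR /app
COPY package.json package-lock.json ./
# npm ci installs exactly what the lockfile pins; --omit=dev keeps test and
# build-only packages out of what gets copied into the runtime image.
RUN npm ci --omit=dev
COPY . .

# --- runtime stage: Distroless carries node and libc, nothing else ---
# The :nonroot tag runs the process as uid/gid 65532 instead of root.
FROM gcr.io/distroless/nodejs20-debian12:nonroot
WORKDIR /app
COPY --from=build --chown=65532:65532 /app /app
# Distroless nodejs images already set "node" as the ENTRYPOINT,
# so CMD only names the script to run.
CMD ["server.js"]
```

A quick check that the runtime stage really is minimal: `docker run --rm --entrypoint sh <image>` fails with an exec error because there is no `/bin/sh` in the image. That is the property you want in production; for troubleshooting, Distroless publishes a `:debug` tag that adds a busybox shell, which should not be the tag you ship.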
I’m curious about the difference between Chainguard and Alpine. Are they both lightweight, or does Chainguard do something different?
Is Chainguard free to use? Just wanted to confirm that.
If you're deploying pre-compiled applications, consider using a scratch image. It contains nothing but your application, making it inherently more secure!
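The scratch approach from the answer above, as an added example rather than the answerer's own Dockerfile: a statically linked Go binary copied into an empty image. Because `scratch` has no `/etc/passwd` and no CA bundle, the build stage creates the unprivileged user entry and the final stage copies in only those two files plus the binary. The module path `./cmd/server` and the user name `app` are assumptions for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not code from the original answer.
# Assumptions: a Go module at the build-context root whose main package is
# ./cmd/server; the resulting binary is named /server.

FROM golang:1.22-bookworm AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a fully static binary with no libc dependency;
# -trimpath and -ldflags "-s -w" drop build paths and debug symbols.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
      -o /out/server ./cmd/server

# scratch has no user database, so write the single entry the runtime
# needs here and copy only that file into the final image.
RUN echo "app:x:10001:10001::/nonexistent:/sbin/nologin" > /out/passwd \
 && echo "app:x:10001:" > /out/group

FROM scratch
COPY --from=build /out/passwd /etc/passwd
COPY --from=build /out/group  /etc/group
# CA bundle so the service can validate TLS peers it connects to.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=build /out/server /server
USER app:app
# Nothing else exists in this image: no shell, no libc, no package manager.
ENTRYPOINT ["/server"]
```

Two caveats a scratch image surfaces that a full distribution hides: the binary must be genuinely static (`CGO_ENABLED=0`, or the dynamic loader will be missing at runtime), and anything the program expects from the filesystem (CA certificates, time-zone data, a writable temp directory) has to be copied or mounted in explicitly.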
Just create a Dockerfile that starts from your base image and include hardening scripts to enhance security. Basic hardening can go a long way!
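One concrete form of the hardening the answer above alludes to, as an added example and not the answerer's script: a Debian-derived base image whose build removes setuid/setgid bits, removes the package manager, and switches to a dedicated unprivileged user, so every application image built on top inherits those properties. The user name `app` and uid `10001` are assumptions for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not code from the original answer.
# Assumptions: downstream application images will FROM this image and run
# as the "app" user; nothing here is specific to any one application.

FROM debian:bookworm-slim

# Patch, install only the essentials without recommended extras, and
# remove the apt lists so the layer carries no stale package metadata.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates tzdata \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

# Dedicated unprivileged user: no login shell, no home directory.
RUN groupadd --system --gid 10001 app \
 && useradd --system --uid 10001 --gid app --no-create-home \
      --shell /usr/sbin/nologin app

# Hardening step:
#  1. strip setuid/setgid bits from every file on the image filesystem, so a
#     compromised process cannot use them to change uid;
#  2. remove the package manager so the runtime image cannot install
#     anything new (downstream images must install in a build stage).
RUN find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -exec chmod a-s {} + \
 && rm -rf /usr/bin/apt /usr/bin/apt-get /usr/bin/apt-cache /usr/bin/dpkg \
           /var/lib/apt /var/cache/apt

USER app
WORKDIR /app
```

To verify the hardening took effect, `docker run --rm <image> find / -xdev -perm /6000 -type f` should print nothing, and `docker run --rm <image> id -u` should print `10001`. Image-level hardening pairs with runtime flags that the Dockerfile cannot set for you, such as `--read-only`, `--cap-drop=ALL` and `--security-opt=no-new-privileges`.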
Could you share some common references for those hardening scripts?
For additional resources, check out this thread on Dockerfile security best practices. Also, at ActiveState, we provide customizable and secure container base images built from source—great for CI/CD workflows! Here’s a link explaining our offerings: [ActiveState Container Images](https://docs.activestate.com/platform/features/docker-images/)
What do you do for securing nodes? I thought Chainguard was only for containers. How about runtime or kernel security?