Why Golden Images still matter and how to secure them with Chainguard
Golden images (for on-premises use) and golden VMs (for cloud computing platforms such as AWS or Microsoft Azure) help to reduce security vulnerabilities and streamline workflows. However, traditional golden image programs create undue toil and delays, and they have developed a bad reputation among some. Chainguard is a robust alternative to homegrown golden images that helps save time, improve quality, and reduce security exposures.
What's a golden image?
A golden image (also called a "universal image," "master image," "base image," "custom image," or "template") is a bit-for-bit, managed copy of a virtual machine or software container. Golden images are used to provision system infrastructure, including versions for Microsoft, Linux, and other operating systems, and as support for new and existing apps. They provide vetted infrastructure that teams can trust, reducing risk while accelerating development.
As teams work to automate software pipelines, golden images become even more important. They support a modern DevOps pipeline and meet developers' need for speed and predictability, along with the security team's requirement for verified, policy-compliant infrastructure.
However, internal efforts to create, manage, maintain, and support the desired golden images can become burdensome, rather than beneficial. In this article we describe the importance of well-managed golden image programs, and how Chainguard serves a vital role in supporting open source software distribution and development.
Why golden image programs are critical for modern software organizations
A robust golden image program is essential for modern software development and delivery. In a well-managed program, each golden image is continuously rebuilt, patched as needed, signed, scanned, and versioned. Each image includes a software bill of materials (SBOM) and attestations, which are revoked when vulnerabilities are found.
It’s important to automate the process. Follow these guidelines in creating your templates:
Understand what your program must deliver. Add value by serving as a central catalog of signed, hardened, minimal base images. Include provenance (such as SLSA or in-toto attestations) and support the targeted operating system, such as Microsoft Windows; any pre-defined APIs; and the target cloud environments, such as AWS.
Make it a compliance accelerator. Map specific features of secure master images, including FIPS-validated cryptography, STIG hardening, and continuous CVE remediation, to common controls in frameworks such as ISO standards, NIST 800-53, or CMMC; include steps such as antivirus checking.
Use a modern approach. Follow key principles such as those described in Chainguard's Golden Image Best Practices Guide. The principles set out targets in the areas of people, process, and technology.
The trouble with traditional golden image programs
Many golden image processes are poorly defined, or not defined at all; a few people do the work in their spare time, with predictably unpredictable results. This common, but problematic approach is called the "golden image trap."
Golden image programs must evolve to meet the needs of modern, fast-changing, containerized environments. Here are some basics to keep in mind:
Your golden image is only as strong as its supply chain. A weak image creation supply chain allows human error to creep in. Apply security patches at the start. Use cryptographic signatures to protect each component.
A minimalist image is a secure image. A minimal release has fewer potential CVEs, which means less noise for security scanners, faster build and scan times, and simplified audit trails. Avoid unnecessary package managers or shells.
Shift to vulnerability elimination, not management. Adopt a zero-trust approach, where the golden image is provably free of known vulnerabilities. Remove the operational overhead of a typical "scan and patch" cycle.
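The guidelines and basics above describe a release gate: a candidate image should be signed, carry an SBOM and provenance attestation, contain no unnecessary shells or package managers, and be free of known CVEs. The following is an added example, not code from the article or from Chainguard, of how such a gate can be expressed as a policy check over scanner and SBOM output. The `ImageCandidate` fields, the denylist of non-minimal packages, the required attestation names and the CVE identifiers are all constructed for illustration; in a real pipeline the `signed` and `attestations` fields would be filled from a signature-verification step rather than set by hand.

```python
"""Policy gate for a golden image candidate (illustrative; all inputs constructed)."""
from dataclasses import dataclass, field

# Packages whose presence in a production golden image violates the
# "minimal image" principle. Constructed denylist; adjust to local policy.
NON_MINIMAL_PACKAGES = {"bash", "apk-tools", "apt", "dpkg", "curl", "wget"}

# Attestation predicate names the gate insists on (assumed labels, not a real schema).
REQUIRED_ATTESTATIONS = ("sbom", "slsa-provenance")


@dataclass
class ImageCandidate:
    name: str
    digest: str
    components: dict          # package name -> installed version, as read from the SBOM
    signed: bool              # True only if a signature over `digest` verified
    attestations: set         # predicate types found attached to `digest`
    known_cves: list = field(default_factory=list)  # scanner findings: id, package, fixed_in


def _version_key(version):
    """Turn '3.0.10' into (3, 0, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def check_signature(img):
    return [] if img.signed else [f"image {img.digest} is not signed"]


def check_provenance(img, required=REQUIRED_ATTESTATIONS):
    return [f"missing attestation: {name}" for name in required if name not in img.attestations]


def check_minimal(img):
    # Each hit is a shell, package manager or network tool that widens the attack surface.
    return [f"non-minimal package present: {pkg}"
            for pkg in sorted(img.components) if pkg in NON_MINIMAL_PACKAGES]


def check_cves(img):
    """Zero-CVE policy: every unremediated finding fails the gate, with the remediation named."""
    findings = []
    for cve in img.known_cves:
        pkg, fixed_in = cve["package"], cve.get("fixed_in")
        installed = img.components.get(pkg)
        if installed is None:
            continue  # finding refers to a package the SBOM does not list: scanner noise
        if fixed_in and _version_key(installed) >= _version_key(fixed_in):
            continue  # already at or past the fixed version
        action = f"upgrade to {fixed_in}" if fixed_in else "no upstream fix; remove the package or rebuild without it"
        findings.append(f"{cve['id']} in {pkg} {installed}: {action}")
    return findings


def evaluate(img):
    """Run every check; the candidate passes only if no check reports a finding."""
    findings = check_signature(img) + check_provenance(img) + check_minimal(img) + check_cves(img)
    return {"image": img.name, "pass": not findings, "findings": findings}


# Constructed candidates: a do-it-yourself image and a minimal, signed one.
DIY_IMAGE = ImageCandidate(
    name="diy-base:2024-q1",
    digest="sha256:<placeholder-diy-digest>",
    components={"openssl": "3.0.7", "bash": "5.2", "apt": "2.6.1", "libc": "2.36"},
    signed=False,
    attestations={"sbom"},
    known_cves=[
        {"id": "CVE-EXAMPLE-0001", "package": "openssl", "fixed_in": "3.0.8"},
        {"id": "CVE-EXAMPLE-0002", "package": "libc", "fixed_in": None},
    ],
)

MINIMAL_IMAGE = ImageCandidate(
    name="minimal-base:2024-q1",
    digest="sha256:<placeholder-minimal-digest>",
    components={"openssl": "3.0.8", "libc": "2.37"},
    signed=True,
    attestations={"sbom", "slsa-provenance"},
    known_cves=[{"id": "CVE-EXAMPLE-0001", "package": "openssl", "fixed_in": "3.0.8"}],
)

if __name__ == "__main__":
    for candidate in (DIY_IMAGE, MINIMAL_IMAGE):
        result = evaluate(candidate)
        print(result["image"], "PASS" if result["pass"] else "FAIL")
        for line in result["findings"]:
            print("  -", line)
```

The DIY candidate fails on six findings (no signature, no provenance attestation, two non-minimal packages, one fixable CVE and one with no fix), while the minimal candidate passes because its only scanner finding is already remediated. Each finding names the corrective action, which is what turns a "scan and patch" cycle into a definite rebuild decision.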
The golden image trap in action
To see how the "golden image trap" affects many organizations, let's follow the team at EasyCoderz.ai, a fictional tech startup, through a typical build process:
Pre-build. The EasyCoders keep their eyes and ears open for news about changes and CVEs when they have time. Then, the approach of a new product launch causes a request for a custom image to build the new product on.
Build. Team members gather recent versions of software components and relevant patches. They then create a build with these components, which the product team grabs and starts using.
Harden. Team members review the build and take the prescribed steps, doing what they can to make sure it's up-to-date, secure, reliable, and well-documented, even as new CVEs appear.
Test. Team members run standard and ad hoc tests to stress known areas of concern. They tweak the build to pass vulnerability tests, but do not have time to "root cause" test failures.
Deploy. The new image results in several problem reports, causing more cycles through the "harden" and "test" phases.
Neglect. The product launches several weeks late due to back-and-forth over golden images. The team defers further golden image work to catch up on other postponed tasks and de-stress.
The cycle starts again the next time an urgent request comes in.
Where Chainguard comes in
Learning the requirements of a truly up-to-date approach to golden image management is a strenuous and error-prone process: the approach must achieve operational success, support a secure operating environment, and ensure auditability.
Chainguard is a solution that eliminates the toil, confusion, and security debt that come with do-it-yourself (DIY) golden image management.
Modern engineering teams use Chainguard Containers and Chainguard VMs to get a minimal, secure, zero-CVE foundation, without the repetitive work of building, patching, and verifying and re-verifying images. Chainguard provides daily rebuilds and an SLA-backed patch timeline, turning image management into a reliable service.
For cloud infrastructure, Chainguard VMs offer the same advantages. Chainguard VMs are hardened OS images purpose-built for secure, containerized workloads in regulated environments.
This secure-by-default approach helps customers accelerate compliance goals such as FedRAMP, SOC2, and CMMC, freeing up engineers to focus on innovation.
You can learn more by watching the recording of our Golden Images webinar. Download our Golden Image Best Practices Guide to learn more about how to evolve your golden image pipelines.
FAQs
How do you create a secure golden image?
There are five steps to creating a secure golden image: identify only the software you absolutely need to create a minimalist image; create a build with up-to-date versions of the selected software; harden the build so it follows applicable compliance standards such as NIST, PCI DSS, or HIPAA; test the hardened build; and use security techniques such as cryptographic signatures to protect the golden image from tampering.
What’s the difference between a golden image and a container image?
A container image is simply a bit-for-bit copy of a container. A golden image should go through many additional steps to ensure that the end result is minimal, secure, and well-documented, among other important qualities. Simply using a container image as a golden image creates many risks.
Why do golden images become risky over time?
Golden images become risky over time because they fall behind on security and feature updates and impose an increasing amount of work on security teams, which have to spend additional time and effort bringing the image up to date. These serious concerns require frequent updates to each golden image to help ensure that new software based on the golden image can be secure, fully featured, and completed in a timely fashion.
Do I still need golden images if I use infrastructure as code (IaC)?
Yes. The need to use golden images or golden VMs for infrastructure as code (IaC) is just as strong as for other software, if not stronger. System infrastructure, in any form, supports an endless array of important functionality. When problems appear in infrastructure, they can have a wide impact and are often very hard to find. So IaC requires golden images, of the highest quality, to help implementation teams deliver a secure, feature-rich, and reliable result.
What should be included in a modern golden image?
As little as possible. Minimalist golden images, containing only the supporting software elements needed for a specific infrastructure project or app, are easier to secure and test, have less likelihood of bugs, and present a smaller attack surface for future security issues.
How can Chainguard help with golden image management?
Chainguard provides Chainguard Containers and Chainguard VMs: pre-built, up-to-date, zero-CVE, modern golden images that eliminate the toil and worry associated with producing golden images in-house. Chainguard golden images help organizations deliver secure, reliable software within predictable time and cost constraints.