Today we’re announcing a new Chainguard Image for Prometheus, a leading open-source monitoring framework for Kubernetes and other cloud-native applications. As a monitoring and aggregation system, Prometheus is often run in security-critical environments. Sidecar applications like Prometheus tend to fall through the cracks in security programs, often resulting in outdated or vulnerable deployments. This is why it’s important for ubiquitous applications like Prometheus to have security built in, and why we’re announcing a new Chainguard Image.
The Chainguard Image for Prometheus is built on Wolfi, which means it’s minimal in size and built with our hardened toolchain. Prometheus itself is written in Go, and since software supply chains are recursive, you get all the benefits of the hardened Chainguard Go toolchain. In addition, our build and release process allows us to ship CVE patches quickly, in some cases even faster than upstream.
Wolfi’s minimal, distroless-style builds and continuous patching process allow our Prometheus Image to come in at a fraction of the size of the alternatives, and with fewer CVEs. See the results for yourself:

To use the new Chainguard Prometheus Image, we provide a default configuration file so you can get started with a single command:
You can also override this with your own configuration file using the --config-file flag. See the full documentation at the Chainguard Academy!
As always, the binaries in our Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the Image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:
If you want to see upwards of a 40% reduction in your Prometheus Image sizes with more security built in by default and upwards of a 97.6% reduction in CVEs, start using Chainguard’s Prometheus Image today at github.com/chainguard-images, or get started with our Prometheus Image using documentation in Chainguard Academy. Chainguard Images are now available for Apache Zookeeper, Bazel, curl, Git, Go, Jenkins, OpenSearch, Ruby and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.
Chainguard also recently partnered with CNCF to conduct a software supply chain security assessment of the Prometheus project based on SLSA levels. We’ll be issuing the full report next week during KubeCon EU.
We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.
Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog.