
Chainguard Image now available for prometheus

Dan Lorenc, CEO

Today we’re announcing a new Chainguard Image for Prometheus, a leading open-source monitoring framework for Kubernetes and other cloud-native applications. As a monitoring and aggregation system, Prometheus is often run in security-critical environments. Sidecar applications like Prometheus tend to fall through the cracks in security programs, often resulting in outdated or vulnerable deployments. That is why it’s important for ubiquitous applications like Prometheus to have security built in, and why we’re releasing this Image.

The Chainguard Image for Prometheus is built on Wolfi, which means it’s minimal in size and built with our hardened toolchain. Prometheus itself is written in Go, and since software supply chains are recursive, you get all the benefits of the hardened Chainguard Go toolchain. In addition, our build and release process allows us to ship CVE patches quickly, in some cases even faster than upstream.

Wolfi’s minimal, distroless-style builds and continuous patching process allow our Prometheus Image to come in at a fraction of the size of the alternatives, and with fewer CVEs. See the results for yourself:


[Figure: bar graph comparing the Chainguard Prometheus Image to three other Prometheus images; the Chainguard Image has the fewest CVEs of the four.]

To use the new Chainguard Prometheus Image, we provide a default configuration file so you can get started with a single command:


% docker run -p 9090:9090 cgr.dev/chainguard/prometheus:latest --config.file=/etc/prometheus/prometheus.yml
ts=2022-12-27T02:32:45.181Z caller=main.go:512 level=info msg="No time or size retention was set so using the default time retention" duration=15d
ts=2022-12-27T02:32:45.181Z caller=main.go:556 level=info msg="Starting Prometheus Server" mode=server version="(version=2.41.0, branch=master, revision=WolfiLinux)"
ts=2022-12-27T02:32:45.181Z caller=main.go:561 level=info build_context="(go=go1.19.4, platform=linux/arm64, user=@dag-wfjfq, date=19700101-00:00:00)"
ts=2022-12-27T02:32:45.181Z caller=main.go:562 level=info host_details="(Linux 5.10.104-linuxkit #1 SMP PREEMPT Thu Mar 17 17:05:54 UTC 2022 aarch64 98fc282ede4c (none))"
ts=2022-12-27T02:32:45.181Z caller=main.go:563 level=info fd_limits="(soft=1048576, hard=1048576)"
ts=2022-12-27T02:32:45.181Z caller=main.go:564 level=info vm_limits="(soft=unlimited, hard=unlimited)"
ts=2022-12-27T02:32:45.183Z caller=web.go:559 level=info component=web msg="Start listening for connections" address=0.0.0.0:9090
ts=2022-12-27T02:32:45.184Z caller=main.go:993 level=info msg="Starting TSDB ..."

You can also override this with your own configuration file using the --config.file flag. See the full documentation at the Chainguard Academy!

As always, the binaries in our Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the Image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:

$ cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/prometheus
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.
Found SBOM of media type: text/spdx+json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:badfbab17893e4ed14a21fed5e5230e2246e8c3cc0956e97d8313ac76a431a66",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-03-04T00:09:53Z",
    "creators": [
      "Tool: apko (v0.7.1-10-g92a1b17)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "SPDXRef-Package-sha256-3b5209a9d45a7fa937214099f232e993c6ec9a40099207c4a5c65af174a8386f"
  ],
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-sha256-3b5209a9d45a7fa937214099f232e993c6ec9a40099207c4a5c65af174a8386f",
      "name": "sha256:3b5209a9d45a7fa937214099f232e993c6ec9a40099207c4a5c65af174a8386f",
      "filesAnalyzed": false,
      "description": "apko container image",
      "downloadLocation": "NOASSERTION",
      "primaryPackagePurpose": "CONTAINER",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "3b5209a9d45a7fa937214099f232e993c6ec9a40099207c4a5c65af174a8386f"
      }
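The SBOM above is SPDX 2.3 JSON produced by apko. As an added example (not Chainguard's or apko's code), the script below parses such a document, checks that the package it describes carries the image digest you expect, and extracts the package URLs and license findings a vulnerability scanner or license check would consume. The embedded SBOM is a constructed sample modelled on the snippet above; its package entries are illustrative.

```python
"""Parse an apko SPDX 2.3 SBOM for scanning and license-compliance use (added example)."""
import json

IMAGE_DIGEST = "sha256:3b5209a9d45a7fa937214099f232e993c6ec9a40099207c4a5c65af174a8386f"

# Constructed sample: shape follows the cosign output above, package rows are made up.
SAMPLE_SBOM = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3",
    "documentDescribes": ["SPDXRef-Package-image"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-image", "name": IMAGE_DIGEST,
         "primaryPackagePurpose": "CONTAINER",
         "checksums": [{"algorithm": "SHA256",
                        "checksumValue": IMAGE_DIGEST.removeprefix("sha256:")}]},
        {"SPDXID": "SPDXRef-Package-prometheus", "name": "prometheus",
         "versionInfo": "2.41.0-r0", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/wolfi/prometheus@2.41.0-r0"}]},
        {"SPDXID": "SPDXRef-Package-ca", "name": "ca-certificates-bundle",
         "versionInfo": "20230106-r0", "licenseConcluded": "NOASSERTION",
         "externalRefs": []},
    ],
})

def load(sbom_json: str) -> dict:
    doc = json.loads(sbom_json)
    if doc.get("spdxVersion") != "SPDX-2.3" or doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        raise ValueError("not an SPDX 2.3 JSON document")
    return doc

def describes_image(doc: dict, image_digest: str) -> bool:
    """True if a package in documentDescribes carries this sha256 digest.
    This is an internal-consistency check only; authenticity needs cosign verify."""
    by_id = {p["SPDXID"]: p for p in doc["packages"]}
    want = image_digest.removeprefix("sha256:")
    return any(c.get("algorithm") == "SHA256" and c.get("checksumValue") == want
               for ref in doc.get("documentDescribes", [])
               for c in by_id.get(ref, {}).get("checksums", []))

def _components(doc: dict):
    return (p for p in doc["packages"] if p.get("primaryPackagePurpose") != "CONTAINER")

def component_purls(doc: dict) -> list[str]:
    """purls of the installed packages, which is what a vulnerability scanner matches on."""
    return [r["referenceLocator"] for p in _components(doc)
            for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"]

def license_findings(doc: dict, allowed: set[str]) -> dict[str, str]:
    """Packages whose concluded license is missing (NOASSERTION) or not on the allow-list."""
    return {p["name"]: p.get("licenseConcluded", "NOASSERTION") for p in _components(doc)
            if p.get("licenseConcluded", "NOASSERTION") not in allowed}
```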

If you want to see upwards of a 40% reduction in your Prometheus Image sizes with more security built in by default and upwards of a 97.6% reduction in CVEs, start using Chainguard’s Prometheus Image today at github.com/chainguard-images, or get started with our Prometheus Image using the documentation in Chainguard Academy. Chainguard Images are now available for Apache Zookeeper, Bazel, curl, Git, Go, Jenkins, OpenSearch, Ruby and more. We currently offer our public Chainguard Images catalog at no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.

Chainguard also recently partnered with CNCF to conduct a software supply chain security assessment of the Prometheus project based on SLSA levels. We’ll be issuing the full report next week during KubeCon EU.

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.

Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog.
