
Chainguard Image now available for Pulumi

Josh Dolitsky, Staff Software Engineer
June 29, 2023

Today we’re announcing a new Chainguard Image for Pulumi, an open source infrastructure as code (IaC) tool for creating, deploying and managing cloud infrastructure. Historically, popular off-the-shelf container images have carried large numbers of CVEs as a result of too many packages and infrequent update cadences. We set out to fix these problems with our new Pulumi Image, available at:

```bash
cgr.dev/chainguard/pulumi:latest
```


One of Pulumi’s greatest features is comprehensive support for several popular programming languages to enable developers to write IaC in their language of choice. For that reason, putting together a container image to support all of the language runtimes can be challenging.


How we built it

To start, we first packaged the entire Pulumi toolchain in Wolfi OS. From there, we were able to build a working Pulumi image using apko.

The apko config for the Pulumi Image explicitly lists 30 packages, our largest set to date for a single Image. However, this 78-line YAML file is arguably more declarative and manageable than the Dockerfile used for the official Pulumi image, which contains all sorts of curl-to-bash and other magic. 🪄

The size of this image is also our largest yet at 596M. This is still slim compared to the official Pulumi image pulumi/pulumi:latest at a whopping 1.4G. The large size is necessary due to support for all of the languages where Pulumi has an SDK. In the future, we may release smaller images, for example a pulumi-python with only Python support. Stay tuned.

The Chainguard Pulumi Image is also multi-arch with support for both x86-64 and ARM64, while the official one is single-arch (x86_64).

The CVE count on the Chainguard Pulumi Image today according to Trivy is 15, compared to 737 in the official image (a reduction of upwards of 97%). 🤯 Scanners have also been struggling to interpret .NET data correctly, and this may be a source of some false positives.

We also found that this sort of image is difficult to test. Luckily, Wolfi already contains packages for all the same languages and runtimes that Pulumi supports. Wolfi already has support for the following languages:

After we assembled an image, we tested it by creating a Pulumi project for each supported language, each of which does the same thing: runs a simple Kubernetes pod using the Chainguard Nginx Image cgr.dev/chainguard/nginx:latest. We ensured that we could:

  • Run pulumi stack up and check that the pod comes up

  • Start a port-forward and check that we can curl the Nginx server

  • Run pulumi stack destroy and check that the pod gets deleted
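As an added example (not code from the post or from Chainguard), this Pulumi YAML program expresses the smoke test described above: a single pod running cgr.dev/chainguard/nginx:latest, run with the Chainguard Pulumi Image from a project directory. It assumes the Chainguard Nginx image listens on port 8080 as a non-root user, and the resource and label names are made up for this example.

```yaml
# Pulumi.yaml (example, not from the original post)
# Run from a directory containing this file, with kubectl pointed at a
# cluster you are allowed to deploy to:
#   pulumi up                                   # create the pod
#   kubectl port-forward pod/nginx-smoke-test 8080:8080 &
#   curl -fsS http://localhost:8080/            # expect the Nginx page
#   pulumi destroy                              # confirm the pod is deleted
name: nginx-smoke-test
runtime: yaml
description: Smoke test for the Chainguard Pulumi Image using the Chainguard Nginx Image

resources:
  nginxPod:
    type: kubernetes:core/v1:Pod
    properties:
      metadata:
        name: nginx-smoke-test          # assumed name, used by the port-forward above
        labels:
          app: nginx-smoke-test
      spec:
        # The Chainguard Nginx image runs as a non-root user, so the pod can
        # refuse any container that tries to run as root (assumption: port 8080).
        securityContext:
          runAsNonRoot: true
        containers:
          - name: nginx
            image: cgr.dev/chainguard/nginx:latest
            ports:
              - name: http
                containerPort: 8080
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
            readinessProbe:
              httpGet:
                path: /
                port: http

outputs:
  # Handy for scripting the port-forward step of the test.
  podName: ${nginxPod.metadata.name}
```

The same three checks (pod comes up, curl through a port-forward succeeds, pod is gone after destroy) can then be repeated unchanged for each language SDK by porting only the resource definition.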

If you want to see upwards of a 57% reduction in your Pulumi image sizes with more security built in by default and a 97% reduction in CVEs, start using Chainguard’s Pulumi Image today at github.com/chainguard-images. You can also check out the “Kubernetes Pod Example” section in the Image docs on Chainguard Academy. Chainguard Images are now available for Apache Zookeeper, Bazel, curl, Git, Go, Jenkins, NATS, OpenSearch, Prometheus, Ruby and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.

Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog.
