Chainguard Image now available for Pulumi

Josh Dolitsky, Staff Software Engineer
June 29, 2023

Today we’re announcing a new Chainguard Image for Pulumi, an open source infrastructure as code (IaC) tool for creating, deploying and managing cloud infrastructure. Historically, popular off-the-shelf container images contain an influx of CVEs as a result of too many packages and infrequent update cadences. We set out to fix these problems with our new Pulumi Image available at: 

-- CODE language-bash --

One of Pulumi’s greatest features is comprehensive support for several popular programming languages to enable developers to write IaC in their language of choice. For that reason, putting together a container image to support all of the language runtimes can be challenging.

How we built it

To start, we first packaged the entire Pulumi toolchain in Wolfi OS. From there, we were able to build a working Pulumi image using apko.

The apko config for the Pulumi Image has our largest set of packages explicitly listed to-date for a single Image - 30. However, this 78 line YAML file is arguably more declarative and manageable than the Dockerfile used for the official Pulumi image, which contains all sorts of curl-to-bash and other magic. 🪄

The size of this image is also our largest yet at 596M. This is still slim compared to the official Pulumi image pulumi/pulumi:latest at a whopping 1.4G. The large size is necessary due to support for all of the languages where Pulumi has an SDK. In the future, we may release smaller images, for example a pulumi-python with only Python support. Stay tuned.

The Chainguard Pulumi Image is also multi-arch with support for both x86-64 and ARM64, while the official one is single-arch (x86_64).

The CVE count on the Chainguard Pulumi Image today according to Trivy is 15 compared to 737 in the official image (that is an upwards of a 97% reduction in CVEs). 🤯 Scanners have also been struggling to interpret .NET data correctly, and this may be a source of some false positives.

One thing we found is that it is also difficult to test this sort of image. Luckily, Wolfi already contains packages for all the same languages and runtimes that Pulumi supports. Wolfi already has support for the following languages:

After we assembled an image, we tested it by creating a Pulumi project for each supported language, which does the same thing: runs a simple Kubernetes pod using the Chainguard Nginx Image We ensured that we could:

  • Run pulumi stack up and check that the pod comes up

  • Start a port-forward and check that we can curl the Nginx server

  • Run pulumi stack destroy and check that the pod gets deleted

If you want to see upwards of a 57% reduction in your Pulumi image sizes with more security built in by default and a 97% reduction in CVEs, start using Chainguard’s Pulumi Image today at You can also check out the “Kubernetes Pod Example” section in the Image docs on Chainguard Academy. Chainguard Images are now available for Apache Zookeeper, Bazel, curl, Git, Go, Jenkins, NATS, OpenSearch, Prometheus, Ruby and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.

Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog.

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.