Chainguard Image now available for Python 3.11

Dan Lorenc, CEO
January 20, 2023

Python is one of the most popular programming languages, and the 3.11 release includes performance and usability improvements over 3.10. On average, Python 3.11 performs 10-60% faster than prior versions! We’re happy to announce that the Chainguard Images collection now contains Python 3.11.1. In addition to these standard language performance features, we compile the CPython interpreter with all the extra performance features, including Link Time Optimization and Profile Guided Optimization.

Due to glibc/musl compatibility issues, Python users have historically had to choose between minimal, hardened base images and developer-friendly ones. The Alpine variants of images on Docker Hub are the smallest in size and have the lowest attack surface, but because they use musl as their version of libc, many Python packages on PyPI must be rebuilt from source. This massively increases the time to build an image **and** the size of the container, because extra dependencies like compilers are required.

While there are many excellent reasons to use Alpine and musl libc, the end result for many Python users is that installing common libraries like numpy or cryptography can increase in time from seconds to tens of minutes, and also requires installing dozens of extra packages like C and Fortran compilers.

The Chainguard Image for Python is designed to give developers the best of both worlds. The Image is minimal while still containing everything you need for building and running Python apps. And because it uses glibc, you should have no issues running the precompiled wheels available on PyPI.

All Chainguard Images are hardened against most common benchmarks. For Python, this means we:

  • Run as a non-root user
  • Only include necessary packages
  • Scan the images continuously and rebuild for security updates
  • Use a hardened compiler and non-default security settings, like FORTIFY_SOURCE=3.

In addition to the standard scan/rebuild process, Chainguard builds all dependencies from source. This means we don’t have to wait for upstream patches to become available – we are the upstream. We can also mark CVEs that are not applicable in our Images as invalid directly in our security database, which is automatically ingested by most major container scanning products. 

To further put this into perspective, one of the scans we completed on our Python image uncovered a total of zero known vulnerabilities according to Grype (see footnote).

As always, the binaries in our Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the Image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:

```bash
% ./cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/python | head -n 30
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation ' or verify its signature.
Found SBOM of media type: spdx+json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:530d57699546238ea137953824444017dc3e862e1fe3f936977c911edee167f4",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2022-12-29T00:08:40Z",
    "creators": [
      "Tool: apko (canary)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "SPDXRef-Package-sha256-dff54d9e853fb1670148dc8b9850157b88a882467393269b8a80ff01150ccac1"
  ],
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-sha256-dff54d9e853fb1670148dc8b9850157b88a882467393269b8a80ff01150ccac1",
      "name": "sha256:dff54d9e853fb1670148dc8b9850157b88a882467393269b8a80ff01150ccac1",
      "filesAnalyzed": false,
      "description": "apko container image",
      "downloadLocation": "NOASSERTION",
      "primaryPackagePurpose": "CONTAINER",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "dff54d9e853fb1670148dc8b9850157b88a882467393269b8a80ff01150ccac1"
        }
```
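As an added example (not Chainguard's or cosign's own code), the script below parses an SPDX 2.3 SBOM in the apko layout cosign printed above, checks that the image the document describes matches the digest you actually pulled, and lists the contained packages for the license or vulnerability triage the text mentions. The embedded SBOM is a constructed sample: its digests, package names and versions are placeholders.

```python
import json

# Constructed sample in the apko SPDX 2.3 layout shown above: one CONTAINER package
# (the image, keyed by digest) that CONTAINS the OS packages. All values are placeholders.
SAMPLE_SBOM = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "documentDescribes": ["SPDXRef-Package-sha256-aaaa"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-sha256-aaaa", "name": "sha256:aaaa",
         "primaryPackagePurpose": "CONTAINER",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "aaaa"}]},
        {"SPDXID": "SPDXRef-Package-python-3.11", "name": "python-3.11",
         "versionInfo": "3.11.1-r0", "licenseDeclared": "PSF-2.0"},
        {"SPDXID": "SPDXRef-Package-glibc", "name": "glibc",
         "versionInfo": "2.36-r5", "licenseDeclared": "LGPL-2.1-or-later"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-sha256-aaaa", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-python-3.11"},
        {"spdxElementId": "SPDXRef-Package-sha256-aaaa", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-glibc"},
    ],
})

def load_sbom(text):
    """Parse the spdx+json document cosign prints (read it from a file in practice)."""
    return json.loads(text)

def root_package(doc):
    """The single package the document describes: the container image itself."""
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    described = doc.get("documentDescribes", [])
    if len(described) != 1:
        raise ValueError("expected exactly one described element")
    return by_id[described[0]]

def matches_digest(doc, pulled_digest):
    """True if the described image's SHA256 equals the digest you pulled ('sha256:' prefix ok)."""
    want = pulled_digest.split(":", 1)[-1].lower()
    return any(c["algorithm"] == "SHA256" and c["checksumValue"].lower() == want
               for c in root_package(doc).get("checksums", []))

def contained_packages(doc):
    """(name, version, license) per package the image CONTAINS, via relationships, for triage."""
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    root_id = root_package(doc)["SPDXID"]
    inside = [by_id[r["relatedSpdxElement"]] for r in doc.get("relationships", [])
              if r["spdxElementId"] == root_id and r["relationshipType"] == "CONTAINS"]
    return sorted((p["name"], p.get("versionInfo", ""), p.get("licenseDeclared", "NOASSERTION"))
                  for p in inside)
```

Save the JSON part of the cosign output to a file and pass its contents to `load_sbom`; compare against the digest of the platform-specific image you pulled, since the SBOM describes that image rather than a tag.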

Try out any of our Images today at github.com/chainguard-images, or get started with our Python image using documentation in Chainguard Academy. Chainguard Images are now available for Bazel, Redis, curl, Git, Go, Jenkins, Postgres, Prometheus and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more. 

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.

Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog.

Footnote: Scan on 20th January 2023

```bash
$ docker images --digests cgr.dev/chainguard/python
REPOSITORY                 TAG     DIGEST                                                                    IMAGE ID       CREATED       SIZE
cgr.dev/chainguard/python  latest  sha256:cd419bebaadfc8d04f7640e8ac2a30dd8bcf4f65f4d303e42da7a20e0e2e3f29   e4ddef2dc26d   9 hours ago   50.1MB
$ grype -v cgr.dev/chainguard/python
[0000] INFO grype version: 0.55.0
[0001] INFO identified distro: Wolfi form-lib=syft
[0001] INFO cataloging image form-lib=syft
No vulnerabilities found
```
