Chainguard Image now available for Zig

Dan Lorenc, CEO
August 18, 2023

The Zig programming language is rapidly rising in popularity as a general-purpose language with a focus on building safe and performant software. It emphasizes memory safety, performance, and clarity, aiming to provide a modern alternative to languages like C and C++. Zig offers features such as compile-time execution, zero-cost abstractions, and an expressive syntax, making it suitable for a wide range of applications from system programming to high-level application development.

In Wolfi, we build everything from source ourselves, including a fully bootstrapped toolchain. We’ve shipped code based on Zig for months now, which means we’ve also had a bootstrapped Zig package for some time. While it’s true that Zig is great at compiling code into portable runtimes, making containers slightly less necessary, it can still be useful to run Zig itself in a container in CI/CD systems, or to run Zig programs in containerized environments if you’re already using them for other applications.

There aren’t any maintained alternative Zig images available, so we decided to create a new Chainguard Image based on our existing Zig package.

Getting started

You can get started using the Chainguard Zig Image by creating a Zig application and running it. Here’s a quickstart guide:

-- CODE language-bash -- # docker run -it –entrypoint=sh /app # zig init-exe info: Created build.zig info: Created src/main.zig info: Next, try `zig build --help` or `zig build run` /app # zig build run All your codebase are belong to us. Run `zig build test` to run the tests.

For a more production-ready Docker image, you should use a multi-stage Docker build, like this:

-- CODE language-bash -- FROM as builder WORKDIR /app COPY . /app RUN zig build FROM COPY --from=builder /app/zig-out/bin/app /usr/local/bin/app CMD ["/usr/local/bin/app"]

Now for the final trick – WebAssembly (WASM). WASM has been popular in the browser space for awhile, but recently it has started to emerge on the server-side as well. WASM enables portable, safe, and high-performing server applications written in a variety of languages. Zig, being a systems programming language with a focus on performance, safety, and low-level control, is well-suited for developing server-side WASM applications. Its ability to interface with C and its support for low-level operations make Zig a powerful choice for leveraging the benefits of server-side WASM in building fast and secure web services.

Docker recently added support for running WASM workloads, so our Zig toolchain Image is a great fit for this use case. To run Zig as WASM inside Docker, try out this Dockerfile:

-- CODE language-bash -- # syntax=docker/dockerfile:1 FROM as wasm-builder WORKDIR /app COPY . /app RUN zig build-exe src/main.zig -target wasm32-wasi FROM scratch COPY --from=wasm-builder /app/main.wasm /main.wasm ENTRYPOINT [ "/main.wasm" ]

Then build and run it in a WASM runtime:

-- CODE language-bash -- $ docker build . -f Dockerfile.wasm -t mywasmapp:latest $ docker run --runtime=io.containerd.wasmedge.v1 All your codebase are belong to us. Run `zig build test` to run the tests.

As we were working on our Zig Image, we found there aren’t any existing Zig images available. Comparisons are irrelevant in this case, but our stats for the Zig Image are 96MB (size), and of course comes with zero-known CVEs. 

Zig (and WASM) are fairly new images and ecosystems, so if you use this we’d love feedback and are open to making changes to the Image to make it work better for your use cases or easier to use. 

As always, the binaries in our Images are built from source and come with comprehensive and SBOMs from the start. These SBOMs contain the package metadata for everything in the Image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:

-- CODE language-bash -- $ cosign download sbom --platform=linux/amd64

If you want to use container images with more security built in by default, start using Chainguard’s Zig Image today at, or get started with our Zig Image using documentation in Chainguard Academy. Chainguard Images are now available for Apache, Bazel, curl, Git, Go, Jenkins, Postgres, Pulumi, Python, Ruby and more. We currently offer our public Chainguard Images catalog at no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom catalog tiers. Contact our team to learn more.

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit an issue, you can reach out to us directly or file it here.

Update on our public Chainguard Images catalog: On August 16, 2023, we made changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Chainguard Images catalog.

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.