
Subtraction by addition: Leaner images, safer code

Jason Hall, Principal Software Engineer

How adding up to 11 characters to your container image name can reduce your image size by 93%, and CVEs by up to 100%

With the addition of Chainguard Images to Docker Hub, it's never been easier to try out smaller, more minimal, hardened Chainguard Images.

Let's dive into some examples:

python

- FROM python
+ FROM chainguard/python

Characters added: 11

Image size: 364 MB → 24 MB (93% smaller)

CVEs: 796 → 0 (100% fewer)


$ grype python
 ✔ Scanned for vulnerabilities     [796 vulnerability matches]
   ├── by severity: 5 critical, 57 high, 150 medium, 32 low, 457 negligible (95 unknown)
   └── by status:   0 fixed, 796 not-fixed, 0 ignored

$ grype chainguard/python
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored

kubectl

There isn't an official kubectl image, but the de facto image folks seem to use is the one provided by Bitnami at bitnami/kubectl.


- FROM bitnami/kubectl
+ FROM chainguard/kubectl

Characters added: 3

Image size: 84 MB → 17 MB (79% smaller)

CVEs: 128 → 0 (100% fewer)


$ grype bitnami/kubectl
 ✔ Scanned for vulnerabilities     [128 vulnerability matches]
   ├── by severity: 1 critical, 12 high, 20 medium, 7 low, 68 negligible (20 unknown)
   └── by status:   0 fixed, 128 not-fixed, 0 ignored

$ grype chainguard/kubectl
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored

openjdk

Note: Despite getting 13 million pulls per week, the official openjdk image is deprecated, and it's recommended that users migrate to a supported image. I've chosen eclipse-temurin entirely at random for this comparison.


- FROM eclipse-temurin
+ FROM chainguard/jdk

Characters added: -1

Image size: 198 MB → 89 MB (55% smaller)

CVEs: 73 → 0 (100% fewer)


$ grype eclipse-temurin
 ✔ Scanned for vulnerabilities     [73 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 18 medium, 39 low, 16 negligible
   └── by status:   2 fixed, 71 not-fixed, 0 ignored

$ grype chainguard/jdk
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored

That's right, in addition to being half the size and 73 CVEs lighter, Chainguard's Image actually requires one fewer character to type!

golang

- FROM golang
+ FROM chainguard/go

Characters added: 7

Image size: 286 MB → 221 MB (22% smaller)

CVEs: 428 → 0 (100% fewer)


$ grype golang
 ✔ Scanned for vulnerabilities     [428 vulnerability matches]
   ├── by severity: 1 critical, 34 high, 88 medium, 8 low, 226 negligible (71 unknown)
   └── by status:   0 fixed, 428 not-fixed, 0 ignored

$ grype chainguard/go
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored

But… why? And why does it matter?

And, how did it get this way?

In each of the above cases, the official images have no fixed vulnerabilities, meaning they're as up-to-date as they'll ever be. This is because the maintainers of the upstream distribution dispute the vulnerability, or don't consider it severe enough to warrant a fix. If the maintainers don't care, then why should you?


The main reason you should care about this noise is that it is noise. When your security team is faced with the task of sifting through a spreadsheet of thousands of detected vulnerabilities, it's all too easy to miss one that's a legitimate attack vector. In many organizations, for each of those hundreds of reported CVEs, someone has to do research, understand the issue and the fix (or lack thereof), and understand why it is or isn't an issue. That's toilsome, demoralizing work, and it's time your security team could be spending making your product more secure.
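To make the triage burden concrete, here is a small script, added as an example and not part of the original post or Chainguard's tooling, that reads a grype JSON report (`grype <image> -o json`) and splits the findings into "actionable" (an upstream fix exists, so a package update closes it) and "noise" (no fix available, so someone has to research and justify each one by hand). It assumes grype's JSON layout of a top-level `matches` list whose entries carry `vulnerability.id`, `vulnerability.severity`, `vulnerability.fix.state` / `fix.versions` and `artifact.name` / `artifact.version`; the embedded sample report, including its CVE identifiers, is constructed for the demonstration rather than taken from a real scan.

```python
"""Triage a grype JSON report into 'actionable' and 'noise' findings.

Added example, not code from the post or from Chainguard. Assumes grype's
JSON output shape (`grype <image> -o json`): {"matches": [{"vulnerability":
{"id", "severity", "fix": {"state", "versions"}}, "artifact": {"name",
"version"}}, ...]}. The sample report below is constructed, not real scan data.
"""
import json
import sys
from collections import Counter

# Same order grype uses in its "by severity" summary line.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# Constructed sample report in grype's JSON shape (CVE ids are placeholders).
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["1.2.3-r1"]}},
         "artifact": {"name": "libfoo", "version": "1.2.3-r0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "libbar", "version": "2.0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Negligible",
                           "fix": {"state": "wont-fix", "versions": []}},
         "artifact": {"name": "libbar", "version": "2.0"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["3.1"]}},
         "artifact": {"name": "libbaz", "version": "3.0"}},
        {"vulnerability": {"id": "CVE-0000-0005", "severity": "Unknown",
                           "fix": {"state": "unknown", "versions": []}},
         "artifact": {"name": "libqux", "version": "0.9"}},
    ]
})


def load_matches(report_json):
    """Return the list of match records from a grype JSON report string."""
    return json.loads(report_json).get("matches", [])


def count_by_severity(matches):
    """Count findings per severity, in grype's display order."""
    counts = Counter(m["vulnerability"].get("severity", "Unknown") for m in matches)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def _severity_rank(record):
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    return (rank.get(record[3], len(rank)), record[0])


def split_by_fix_state(matches):
    """Partition findings into (actionable, noise), each sorted by severity.

    'actionable': fix state is 'fixed', so updating the package closes it.
    'noise': not-fixed / wont-fix / unknown; nothing to update, but each one
    still has to be researched and documented by the security team.
    Records are (cve_id, package, version, severity, fixed_in_versions).
    """
    actionable, noise = [], []
    for m in matches:
        vuln, art = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix", {})
        record = (vuln["id"], art["name"], art["version"],
                  vuln.get("severity", "Unknown"), ", ".join(fix.get("versions", [])))
        (actionable if fix.get("state") == "fixed" else noise).append(record)
    return sorted(actionable, key=_severity_rank), sorted(noise, key=_severity_rank)


def triage_summary(report_json):
    """Build the full triage view for one report."""
    matches = load_matches(report_json)
    actionable, noise = split_by_fix_state(matches)
    return {"total": len(matches), "by_severity": count_by_severity(matches),
            "actionable": actionable, "noise": noise}


def main(path=None):
    report = open(path).read() if path else SAMPLE_REPORT
    s = triage_summary(report)
    sev_line = ", ".join(f"{v} {k.lower()}" for k, v in s["by_severity"].items())
    print(f"{s['total']} findings; by severity: {sev_line}")
    print(f"actionable (fix available): {len(s['actionable'])}")
    for cve, pkg, ver, sev, fixed_in in s["actionable"]:
        print(f"  {cve:16} {sev:10} {pkg}@{ver} -> fixed in {fixed_in}")
    print(f"noise (no fix available, needs manual justification): {len(s['noise'])}")
    for cve, pkg, ver, sev, _ in s["noise"]:
        print(f"  {cve:16} {sev:10} {pkg}@{ver}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against a real scan with `grype python -o json > python.json && python triage.py python.json`; the length of the "noise" list is the number of findings that map to the "not-fixed" column in the grype summaries above, and each of those is a ticket someone has to research and close by hand rather than by bumping a package.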

Instead of inflicting this on your security team, you could type just a few more characters and switch to Chainguard Images and make your security team happy again.

Get started with Chainguard Images today on Docker Hub or visit our Images Directory.
