
Subtraction by addition: Leaner images, safer code

Jason Hall, Principal Software Engineer
March 29, 2024

How adding up to 11 characters to your container image name can reduce your image size by 93%, and CVEs by up to 100%

With the addition of Chainguard Images to Docker Hub, it's never been easier to try out smaller, more minimal, hardened Chainguard Images.

Let's dive into some examples:

python

```diff
- FROM python
+ FROM chainguard/python
```

Characters added: 11

Image size: 364 MB → 24 MB (93% smaller)

CVEs: 796 → 0 (100% fewer)

```bash
$ grype python
 ✔ Scanned for vulnerabilities  [796 vulnerability matches]
   ├── by severity: 5 critical, 57 high, 150 medium, 32 low, 457 negligible (95 unknown)
   └── by status:   0 fixed, 796 not-fixed, 0 ignored
$ grype chainguard/python
 ✔ Scanned for vulnerabilities  [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
```

kubectl

There isn't an official kubectl image, but the de facto image folks seem to use is the one provided by Bitnami at bitnami/kubectl.

```diff
- FROM bitnami/kubectl
+ FROM chainguard/kubectl
```

Characters added: 3

Image size: 84 MB → 17 MB (79% smaller)

CVEs: 128 → 0 (100% fewer)

```bash
$ grype bitnami/kubectl
 ✔ Scanned for vulnerabilities  [128 vulnerability matches]
   ├── by severity: 1 critical, 12 high, 20 medium, 7 low, 68 negligible (20 unknown)
   └── by status:   0 fixed, 128 not-fixed, 0 ignored
$ grype chainguard/kubectl
 ✔ Scanned for vulnerabilities  [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
```

openjdk

Note: Despite getting 13 million pulls per week, the official openjdk image is deprecated, and it's recommended that users migrate to a supported image. I've chosen eclipse-temurin entirely at random for this comparison.

```diff
- FROM eclipse-temurin
+ FROM chainguard/jdk
```

Characters added: -1

Image size: 198 MB → 89 MB (55% smaller)

CVEs: 73 → 0 (100% fewer)

```bash
$ grype eclipse-temurin
 ✔ Scanned for vulnerabilities  [73 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 18 medium, 39 low, 16 negligible
   └── by status:   2 fixed, 71 not-fixed, 0 ignored
$ grype chainguard/jdk
 ✔ Scanned for vulnerabilities  [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
```

That's right: in addition to being half the size and 73 CVEs lighter, Chainguard's Image actually requires one fewer character to type!

golang

```diff
- FROM golang
+ FROM chainguard/go
```

Characters added: 7

Image size: 286 MB → 221 MB (22% smaller)

CVEs: 428 → 0 (100% fewer)

```bash
$ grype golang
 ✔ Scanned for vulnerabilities  [428 vulnerability matches]
   ├── by severity: 1 critical, 34 high, 88 medium, 8 low, 226 negligible (71 unknown)
   └── by status:   0 fixed, 428 not-fixed, 0 ignored
$ grype chainguard/go
 ✔ Scanned for vulnerabilities  [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
```

Even though Chainguard's Go Image isn't dramatically smaller than the official image, it has significantly fewer CVEs. The official image has a number of vulnerabilities in python and libpython, which Chainguard's Image doesn't have at all.

But… why? And why does it matter?

And, how did it get this way?

In each of the above cases, the official images have no fixed vulnerabilities, meaning they're as up-to-date as they'll ever be. This is because the maintainers of the upstream distribution either dispute the vulnerability or don't consider it severe enough to warrant a fix. If the maintainers don't care, then why should you?

The main reason you should care about this noise is that it is noise. When your security team is faced with the task of sifting through a spreadsheet of thousands of detected vulnerabilities, it's all too easy to miss one that's a legitimate attack vector. In many organizations, for each of those hundreds of reported CVEs, someone has to do research, understand the issue and the fix (or lack thereof), and understand why it is or isn't an issue. That's toilsome, demoralizing work, and it's time your security team could be spending making your product more secure.
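Here is an added example (not Chainguard's or grype's own code) of the triage the last two paragraphs describe: it summarizes two `grype -o json` scans by severity and fix state, separates the findings that already have a fix from the "not-fixed" noise, and computes the truncated percentage reductions quoted above. It assumes grype's JSON field layout (`matches[].vulnerability.{id,severity,fix.state}`, `matches[].artifact.name`) and uses constructed sample scans with placeholder CVE ids.

```python
"""Triage helper for comparing two grype scans, as in the image swaps above.
Added example, not Chainguard's or grype's own code; it assumes grype's `-o json`
layout (matches[].vulnerability.{id,severity,fix.state}, matches[].artifact.name).
"""
import json
from collections import Counter

# Constructed sample, trimmed to the fields used here; the CVE ids are placeholders.
BEFORE = json.loads("""{"matches": [
  {"artifact": {"name": "libpython3.11", "version": "3.11.2-6"},
   "vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High",
                     "fix": {"state": "fixed", "versions": ["3.11.2-7"]}}},
  {"artifact": {"name": "libc6", "version": "2.36-9"},
   "vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Negligible",
                     "fix": {"state": "not-fixed", "versions": []}}},
  {"artifact": {"name": "perl-base", "version": "5.36.0-7"},
   "vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Low",
                     "fix": {"state": "wont-fix", "versions": []}}}
]}""")
AFTER = json.loads('{"matches": []}')  # a clean scan, like the chainguard/* results above

def summarize(scan):
    """Count matches by severity and by fix state, mirroring grype's two summary lines."""
    by_sev, by_state = Counter(), Counter()
    for m in scan.get("matches", []):
        v = m["vulnerability"]
        by_sev[(v.get("severity") or "Unknown").lower()] += 1
        by_state[v.get("fix", {}).get("state") or "unknown"] += 1
    return {"total": sum(by_sev.values()), "by_severity": dict(by_sev), "by_state": dict(by_state)}

def actionable(scan):
    """Findings the upstream has already fixed: a rebuild picks them up. The rest
    ('not-fixed', 'wont-fix') is the noise described above and needs manual triage."""
    return sorted((m["artifact"]["name"], m["vulnerability"]["id"])
                  for m in scan.get("matches", [])
                  if m["vulnerability"].get("fix", {}).get("state") == "fixed")

def pct_fewer(before, after):
    """Whole-percent reduction, truncated the way the figures above are (364 -> 24 gives 93)."""
    return max(0, (before - after) * 100 // before) if before > 0 else 0

def compare(before, after):
    """Side-by-side summary of two scans plus the CVE reduction from swapping the base image."""
    b, a = summarize(before), summarize(after)
    return {"before": b, "after": a, "cves_fewer_pct": pct_fewer(b["total"], a["total"]),
            "still_actionable": actionable(after)}

if __name__ == "__main__":
    print(json.dumps(compare(BEFORE, AFTER), indent=2))
```

Feed it real output from `grype <image> -o json` for both sides of a `FROM` swap; `still_actionable` is the short list worth a ticket, and the rest is the spreadsheet noise described above.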

Instead of inflicting this on your security team, you could type just a few more characters and switch to Chainguard Images and make your security team happy again.

Get started with Chainguard Images today on Docker Hub or visit our Images Directory.
