Zero security debt for container images is possible
The Chainguard team has released a new whitepaper titled “All About That Base Image.” The intended audience is software development teams that use containers and are interested in reducing the workload associated with investigating and mitigating security vulnerabilities. The whitepaper helps software professionals better understand the security debt of popular base images by analyzing the number, severity, and lifetime of vulnerabilities.
A base image is the foundational layer that developers use when creating their own container images. If developers don’t choose this image wisely, it can lead to headaches—but more importantly, security risks—down the line. Borrowing from the idea of technical debt, the whitepaper terms any vulnerabilities present in the base image “security debt.”
The whitepaper’s analysis reveals that some popular base images, which have been downloaded billions of times, have substantial security debt: tens or hundreds of reported security vulnerabilities.
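The whitepaper measures security debt by the number, severity, and lifetime of reported vulnerabilities. The script below is an added example, not code from Chainguard or the whitepaper, showing how a team could compute those same three metrics for its own base images from a scanner's findings. The findings, image names, and vulnerability identifiers are constructed placeholders; a real run would populate the list from a scanner report.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# One vulnerability finding as it might be reduced from a scanner report.
@dataclass(frozen=True)
class Finding:
    vuln_id: str           # placeholder identifier, not a real CVE
    severity: str          # CRITICAL / HIGH / MEDIUM / LOW
    published: date        # when the vulnerability was disclosed
    fixed: Optional[date]  # when the image shipped a fix, None if still open

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed sample data: a "busy" base image carrying open findings next to
# a "quiet" one with none. Image names and IDs are made up for this example.
SAMPLE_IMAGES = {
    "busy-base:sample": [
        Finding("VULN-PLACEHOLDER-0001", "CRITICAL", date(2022, 1, 10), None),
        Finding("VULN-PLACEHOLDER-0002", "HIGH", date(2022, 3, 2), date(2022, 6, 1)),
        Finding("VULN-PLACEHOLDER-0003", "MEDIUM", date(2021, 11, 20), None),
        Finding("VULN-PLACEHOLDER-0004", "LOW", date(2022, 5, 5), date(2022, 5, 20)),
    ],
    "quiet-base:sample": [],
}

def lifetime_days(f: Finding, as_of: date) -> int:
    """Days a vulnerability was (or still is) present: disclosure to fix, or to today."""
    end = f.fixed if f.fixed is not None else as_of
    return (end - f.published).days

def security_debt(findings, as_of: date) -> dict:
    """Summarise number, severity, and lifetime of findings for one image."""
    open_findings = [f for f in findings if f.fixed is None]
    by_severity = Counter(f.severity for f in open_findings)
    lifetimes = [lifetime_days(f, as_of) for f in findings]
    return {
        "total": len(findings),
        "open": len(open_findings),
        "open_by_severity": {s: by_severity.get(s, 0) for s in SEVERITY_ORDER},
        "max_lifetime_days": max(lifetimes, default=0),
        "mean_lifetime_days": (sum(lifetimes) / len(lifetimes)) if lifetimes else 0.0,
        "zero_debt": len(open_findings) == 0,
    }

def report(images, as_of: date) -> dict:
    """Security-debt summary for every image, keyed by image name."""
    return {name: security_debt(findings, as_of) for name, findings in images.items()}

if __name__ == "__main__":
    for name, summary in report(SAMPLE_IMAGES, date(2022, 7, 1)).items():
        print(name, summary)
```

The `zero_debt` flag is the condition the post argues is achievable: no open findings at all, rather than merely fewer. Tracking `max_lifetime_days` alongside the count catches the case where an image has few findings but leaves them unpatched for a long time.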
Is it possible, though, to have a base image without vulnerabilities? The whitepaper’s results suggest that it is! Inspired by the Alpine base image security scan results, the whitepaper proposes the creation of “quiet” base images that offer better security and less burden on software developers and security teams.
“Quiet” base images are minimal images with few or zero reported vulnerabilities and security features such as a software bill of materials and digital signatures built-in, offering a superior alternative to the status quo.
Quiet base images with few or no vulnerabilities and built-in security can:
reduce security debt,
decrease developer workload,
and improve development velocity.
If you are interested in “quiet” base images, minimal images with few or no security vulnerabilities and other security features built-in, read the All About That Base Image whitepaper and keep following us for related announcements!
Download "All About That Base Image" Whitepaper (PDF)