Subtraction by addition: Leaner images, safer code
How adding up to 11 characters to your container image name can reduce your image size by 93%, and CVEs by up to 100%
With the addition of Chainguard Images to Docker Hub, it's never been easier to try out smaller, more minimal, hardened Chainguard Images.
Let's dive into some examples:
python
- FROM python
+ FROM chainguard/python
Characters added: 11
Image size: 364 MB → 24 MB (93% smaller)
CVEs: 796 → 0 (100% fewer)
$ grype python
✔ Scanned for vulnerabilities [796 vulnerability matches]
├── by severity: 5 critical, 57 high, 150 medium, 32 low, 457 negligible (95 unknown)
└── by status: 0 fixed, 796 not-fixed, 0 ignored
$ grype chainguard/python
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
kubectl
There isn't an official kubectl image, but the de facto image folks seem to use is the one provided by Bitnami at bitnami/kubectl.
- FROM bitnami/kubectl
+ FROM chainguard/kubectl
Characters added: 3
Image size: 84 MB → 17 MB (79% smaller)
CVEs: 128 → 0 (100% fewer)
$ grype bitnami/kubectl
✔ Scanned for vulnerabilities [128 vulnerability matches]
├── by severity: 1 critical, 12 high, 20 medium, 7 low, 68 negligible (20 unknown)
└── by status: 0 fixed, 128 not-fixed, 0 ignored
$ grype chainguard/kubectl
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
openjdk
Note: Despite getting 13 million pulls per week, the official openjdk image is deprecated, and it's recommended that users migrate to a supported image. I've chosen eclipse-temurin entirely at random for this comparison.
- FROM eclipse-temurin
+ FROM chainguard/jdk
Characters added: -1
Image size: 198 MB → 89 MB (55% smaller)
CVEs: 73 → 0 (100% fewer)
$ grype eclipse-temurin
✔ Scanned for vulnerabilities [73 vulnerability matches]
├── by severity: 0 critical, 0 high, 18 medium, 39 low, 16 negligible
└── by status: 2 fixed, 71 not-fixed, 0 ignored
$ grype chainguard/jdk
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
That's right: in addition to being less than half the size and carrying 73 fewer CVEs, Chainguard's image actually requires one fewer character to type!
golang
- FROM golang
+ FROM chainguard/go
Characters added: 7
Image size: 286 MB → 221 MB (22% smaller)
CVEs: 428 → 0 (100% fewer)
$ grype golang
✔ Scanned for vulnerabilities [428 vulnerability matches]
├── by severity: 1 critical, 34 high, 88 medium, 8 low, 226 negligible (71 unknown)
└── by status: 0 fixed, 428 not-fixed, 0 ignored
$ grype chainguard/go
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
But… why? And why does it matter?
And, how did it get this way?
In each of the above cases, the official images have no fixed vulnerabilities, meaning none of the reported findings has a fix available upstream: the image is as up-to-date as it will ever be. This is because the maintainers of the upstream distribution either dispute the vulnerability or don't consider it severe enough to warrant a fix. If the maintainers don't care, then why should you?
The main reason you should care about this noise is that it is noise. When your security team is faced with the task of sifting through a spreadsheet of thousands of detected vulnerabilities, it's all too easy to miss one that's a legitimate attack vector. In many organizations, for each of those hundreds of reported CVEs, someone has to do research, understand the issue and the fix (or lack thereof), and understand why it is or isn't an issue. That's toilsome, demoralizing work, and it's time your security team could be spending making your product more secure.
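To make the "fixed vs. not-fixed" distinction concrete, here is an added example (not code from the post or from Chainguard) that reads a grype JSON report, rebuilds the "by severity" / "by status" summary shown above, and separates findings a rebuild could actually remove from the unfixable noise. The report is a constructed sample; the field names (`matches[].vulnerability.severity`, `matches[].vulnerability.fix.state`) are assumed to match grype's `-o json` output.

```python
import json
from collections import Counter

# Constructed sample in the shape of `grype -o json <image>` output (field names
# are assumed to be the ones grype emits; CVE ids, packages and versions are made up).
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "libexample", "version": "1.0-1"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["2.3.1"]}},
     "artifact": {"name": "libother", "version": "2.3.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                       "fix": {"state": "wont-fix", "versions": []}},
     "artifact": {"name": "libexample", "version": "1.0-1"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Negligible",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "basefs", "version": "0.9"}},
]})

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1,
                 "Negligible": 0, "Unknown": 0}

def summarize(report_json):
    """Rebuild grype's 'by severity' and 'by status' counts from its JSON output."""
    matches = json.loads(report_json)["matches"]
    by_severity = Counter(m["vulnerability"]["severity"] for m in matches)
    by_status = Counter(m["vulnerability"]["fix"]["state"] for m in matches)
    return len(matches), dict(by_severity), dict(by_status)

def triage(report_json, min_severity="Medium"):
    """Split matches into actionable (an upstream fix exists, at or above
    min_severity) and noise (not-fixed / wont-fix / unknown: updating the
    base image cannot remove these, so they only cost analyst time)."""
    matches = json.loads(report_json)["matches"]
    floor = SEVERITY_RANK[min_severity]
    actionable, noise = [], []
    for m in matches:
        v = m["vulnerability"]
        entry = (v["id"], m["artifact"]["name"], v["severity"], v["fix"]["state"])
        if v["fix"]["state"] == "fixed" and SEVERITY_RANK.get(v["severity"], 0) >= floor:
            actionable.append(entry)
        else:
            noise.append(entry)
    return actionable, noise

def gate(report_json, min_severity="Medium"):
    """CI-style decision: fail only on findings that a rebuild could actually fix."""
    actionable, _ = triage(report_json, min_severity)
    return len(actionable) == 0
```

Run against a real report with `grype -o json <image> > report.json` and pass the file contents to `triage`; the `noise` list is the part of the spreadsheet the text above describes, and `gate` is the part worth blocking a build on.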
Instead of inflicting this on your security team, you could type just a few more characters and switch to Chainguard Images and make your security team happy again.
Get started with Chainguard Images today on Docker Hub or visit our Images Directory.