Minimal Hardened Image for Backstage
DockerHub images in general did not seem ideal for Backstage as the number of vulnerabilities were quite high regardless of the image used.
The Dockerfile in this directory uses a wolfi-base image from Chainguard Images. This improves the security of the application and reduces false positives in scanners.
Steps taken
When converting, I utilized the upstream Dockerfile as a starting point.
- Multi-stage build - The Dockerfile has been split up into a multistage build which reduces the files, packages, executables, and directories in the final image.
- Size savings = ~900mb
- Reduced attack surface
- Base Image - Swap to wolfi-base image from Chainguard Images
- Vulnerability Savings = ~239 at the time of updating this README
- Entrypoint - Swap from
nodetotinias entrypoint to ensure that the default signal handlers work and zombie processes are handled properly - Use
ADDinstead ofCOPYin dockerfile to reduce copied compressed files- When a
rmis used to remove a compressed file it still makes its way into the final image. UsingADDis safe with local files.
- When a
Pinning Digest
To reduce maintenance, the digest of the image has been removed from the ./Dockerfile file. A complete example with the digest would be cgr.dev/chainguard/wolfi-base:latest@sha256:3d6dece13cdb5546cd03b20e14f9af354bc1a56ab5a7b47dca3e6c1557211fcf and it is suggested to update the FROM line in the Dockerfile to use a digest.
Using the digest allows tools such as Dependabot or Renovate to know exactly which image digest is being utilized and allows for Pull Requests to be triggered when a new digest is available. It is suggested to setup Dependabot/Renovate or a similar tool to ensure the image is kept up to date so that vulnerability fixes that have been addressed are pulled in frequently.
Obtaining Digest
To obtain the latest digest, perform a docker pull on the image to get the latest digest in the command output or use crane digest <image>.
Considerations
- Wolfi only releases the
latesttag for public consumption however digests can be pinned. - Wolfi OS uses packages from the os repository on GitHub.
- Some packages may be named differently.
- While Wolfi uses
apk, the OS is designed to supportglibc. - Due to the stripped down nature of the base image, additional packages might be needed compared to a distribution like Debian or Ubuntu.
- Chainguard will maintain one version of each Wolfi package at a time, which will track the latest version of the upstream software in the package. Chainguard will end patch support for previous versions of packages in Wolfi. Read more here
- It is encouraged to use a relative pin or use a third-party tool to ensure the packages are kept up to date