Files
backstage/contrib/docker/minimal-hardened-image

Minimal Hardened Image for Backstage

DockerHub images in general did not seem ideal for Backstage as the number of vulnerabilities were quite high regardless of the image used.

The Dockerfile in this directory uses a wolfi-base image from Chainguard Images. This improves the security of the application and reduces false positives in scanners.

Steps taken

When converting, I utilized the upstream Dockerfile as a starting point.

  • Multi-stage build - The Dockerfile has been split up into a multistage build which reduces the files, packages, executables, and directories in the final image.
    • Size savings = ~900mb
    • Reduced attack surface
  • Base Image - Swap to wolfi-base image from Chainguard Images
    • Vulnerability Savings = ~239 at the time of updating this README
  • Entrypoint - Swap from node to tini as entrypoint to ensure that the default signal handlers work and zombie processes are handled properly
  • Use ADD instead of COPY in dockerfile to reduce copied compressed files
    • When a rm is used to remove a compressed file it still makes its way into the final image. Using ADD is safe with local files.

Pinning Digest

To reduce maintenance, the digest of the image has been removed from the ./Dockerfile file. A complete example with the digest would be cgr.dev/chainguard/wolfi-base:latest@sha256:3d6dece13cdb5546cd03b20e14f9af354bc1a56ab5a7b47dca3e6c1557211fcf and it is suggested to update the FROM line in the Dockerfile to use a digest.

Using the digest allows tools such as Dependabot or Renovate to know exactly which image digest is being utilized and allows for Pull Requests to be triggered when a new digest is available. It is suggested to setup Dependabot/Renovate or a similar tool to ensure the image is kept up to date so that vulnerability fixes that have been addressed are pulled in frequently.

Obtaining Digest

To obtain the latest digest, perform a docker pull on the image to get the latest digest in the command output or use crane digest <image>.

Considerations

  • Wolfi only releases the latest tag for public consumption however digests can be pinned.
  • Wolfi OS uses packages from the os repository on GitHub.
    • Some packages may be named differently.
  • While Wolfi uses apk, the OS is designed to support glibc.
  • Due to the stripped down nature of the base image, additional packages might be needed compared to a distribution like Debian or Ubuntu.
  • Chainguard will maintain one version of each Wolfi package at a time, which will track the latest version of the upstream software in the package. Chainguard will end patch support for previous versions of packages in Wolfi. Read more here
    • It is encouraged to use a relative pin or use a third-party tool to ensure the packages are kept up to date