How adding up to 11 characters to your container image name can reduce your image size by 93%, and CVEs by up to 100%
With the addition of Chainguard Images to Docker Hub, it's never been easier to try out smaller, more minimal, hardened Chainguard Images.
Let's dive into some examples:
python
Characters added: 11
Image size: 364 MB → 24 MB (93% smaller)
CVEs: 796 → 0 (100% fewer)
kubectl
Characters added: 3
Image size: 84 MB → 17 MB (79% smaller)
CVEs: 128 → 0 (100% fewer)
openjdk
Characters added: -1
Image size: 198 MB → 89 MB (55% smaller)
CVEs: 73 → 0 (100% fewer)
That's right, in addition to being half the size and short 73 CVEs, Chainguard's Image actually requires one fewer character to type!
golang
Characters added: 7
Image size: 286 MB → 221 MB (22% smaller)
CVEs: 428 → 0 (100% fewer)
Even though Chainguard's Go Image isn't dramatically smaller than the official image, it has significantly fewer CVEs. The official image has a number of vulnerabilities in python and libpython, which Chainguard's Image doesn't have at all.
But… why? And why does it matter?
And, how did it get this way?
In each of the above cases, none of the vulnerabilities in the official images has a fix available, meaning the images are as up-to-date as they'll ever be. This is because the maintainers of the upstream distribution dispute the vulnerability, or don't consider the vulnerability severe enough to warrant a fix. If the maintainers don't care, then why should you?
The main reason you should care about this noise is that it is noise. When your security team is faced with the task of sifting through a spreadsheet of thousands of detected vulnerabilities, it's all too easy to miss one that's a legitimate attack vector. In many organizations, for each of those hundreds of reported CVEs, someone has to do research, understand the issue and the fix (or lack thereof), and understand why it is or isn't an issue. That's toilsome, demoralizing work, and it's time your security team could be spending making your product more secure.
Instead of inflicting this on your security team, you could type just a few more characters, switch to Chainguard Images, and make your security team happy again.
Get started with Chainguard Images today on Docker Hub or visit our Images Directory.