
Chainguard Image now available for Zig

Dan Lorenc, CEO

The Zig programming language is rapidly rising in popularity as a general-purpose language with a focus on building safe and performant software. It emphasizes memory safety, performance, and clarity, aiming to provide a modern alternative to languages like C and C++. Zig offers features such as compile-time execution, zero-cost abstractions, and an expressive syntax, making it suitable for a wide range of applications from system programming to high-level application development.

In Wolfi, we build everything from source ourselves, including a fully bootstrapped toolchain. We’ve shipped code based on Zig for months now, which means we’ve also had a bootstrapped Zig package for some time. While it’s true that Zig is great at compiling code into portable runtimes, making containers slightly less necessary, it can still be useful to run Zig itself in a container in CI/CD systems, or to run Zig programs in containerized environments if you’re already using them for other applications.

There aren’t any maintained alternative Zig images available, so we decided to create a new Chainguard Image based on our existing Zig package.

Getting started

You can get started using the Chainguard Zig Image by creating a Zig application and running it. Here’s a quickstart guide:


# docker run -it --entrypoint=sh cgr.dev/chainguard/zig
/app # zig init-exe
info: Created build.zig
info: Created src/main.zig
info: Next, try `zig build --help` or `zig build run`
/app # zig build run
All your codebase are belong to us.
Run `zig build test` to run the tests.

For a more production-ready Docker image, you should use a multi-stage Docker build, like this:


FROM cgr.dev/chainguard/zig:latest as builder
WORKDIR /app
COPY . /app
RUN zig build

FROM cgr.dev/chainguard/static
COPY --from=builder /app/zig-out/bin/app /usr/local/bin/app
CMD ["/usr/local/bin/app"]

Now for the final trick – WebAssembly (WASM). WASM has been popular in the browser space for a while, but recently it has started to emerge on the server side as well. WASM enables portable, safe, and high-performing server applications written in a variety of languages. Zig, being a systems programming language with a focus on performance, safety, and low-level control, is well-suited for developing server-side WASM applications. Its ability to interface with C and its support for low-level operations make Zig a powerful choice for leveraging the benefits of server-side WASM in building fast and secure web services.

Docker recently added support for running WASM workloads, so our Zig toolchain Image is a great fit for this use case. To run Zig as WASM inside Docker, try out this Dockerfile:


# syntax=docker/dockerfile:1
FROM cgr.dev/chainguard/zig:latest as wasm-builder
WORKDIR /app
COPY . /app
RUN zig build-exe src/main.zig -target wasm32-wasi

FROM scratch
COPY --from=wasm-builder /app/main.wasm /main.wasm
ENTRYPOINT [ "/main.wasm" ]

Then build and run it in a WASM runtime:


$ docker build . -f Dockerfile.wasm -t mywasmapp:latest
$ docker run --runtime=io.containerd.wasmedge.v1 docker.io/library/mywasmapp:latest
All your codebase are belong to us.
Run `zig build test` to run the tests.

As we were working on our Zig Image, we found there aren’t any existing Zig images available. Comparisons are irrelevant in this case, but the Zig Image is 96MB in size and, of course, comes with zero known CVEs.

Zig (and WASM) are fairly new images and ecosystems, so if you use this Image we’d love feedback, and we are open to making changes to the Image to make it work better for your use cases or easier to use.

As always, the binaries in our Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the Image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:

$ cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/zig
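
An added example (not Chainguard's code) of the license-compliance use mentioned above: it inventories the packages in an SBOM and flags any license outside an allowlist. It assumes the downloaded SBOM is SPDX 2.x JSON; the sample document, its package names and versions, and the allowlist are constructed for illustration.

```python
import json
import re

# Constructed sample in SPDX 2.x JSON shape; not real output for the Zig Image.
SAMPLE_SBOM = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "zig", "versionInfo": "0.0.0-r0", "licenseDeclared": "MIT",
     "externalRefs": [{"referenceType": "purl",
                       "referenceLocator": "pkg:apk/wolfi/zig@0.0.0-r0"}]},
    {"name": "examplelib", "versionInfo": "1.2.3-r4",
     "licenseDeclared": "GPL-3.0-or-later AND MIT"},
    {"name": "mystery", "versionInfo": "0.1-r0", "licenseDeclared": "NOASSERTION"},
]})

ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # hypothetical policy


def license_ids(expression):
    """Split an SPDX license expression into its identifiers.

    Operators and parentheses are dropped; exception identifiers after WITH
    are kept, so they must also be allowlisted (the conservative choice).
    """
    tokens = re.split(r"[\s()]+", expression or "")
    return {t for t in tokens if t and t not in ("AND", "OR", "WITH")}


def inventory(sbom_text):
    """Return (name, version, purl, licenses) for every package in the SBOM."""
    rows = []
    for pkg in json.loads(sbom_text).get("packages", []):
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        rows.append((pkg["name"], pkg.get("versionInfo"), purl,
                     license_ids(pkg.get("licenseDeclared"))))
    return rows


def policy_violations(rows, allowed=ALLOWED):
    """Map package name -> licenses outside the allowlist (or '<missing>')."""
    bad = {}
    for name, _version, _purl, licenses in rows:
        outside = licenses - allowed if licenses else {"<missing>"}
        if outside:
            bad[name] = sorted(outside)
    return bad


if __name__ == "__main__":
    rows = inventory(SAMPLE_SBOM)
    for name, version, purl, _licenses in rows:
        print(name, version, purl or "-")
    print(policy_violations(rows))
```

To check a real image, redirect the cosign output to a file and pass its contents to inventory() in place of SAMPLE_SBOM.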

If you want to use container images with more security built in by default, start using Chainguard’s Zig Image today at github.com/chainguard-images, or get started with our Zig Image using documentation in Chainguard Academy. Chainguard Images are now available for Apache, Bazel, curl, Git, Go, Jenkins, Postgres, Pulumi, Python, Ruby and more. We currently offer our public Chainguard Images catalog at no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom catalog tiers. Contact our team to learn more.

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit an issue, you can reach out to us directly or file it here.

Update on our public Chainguard Images catalog: On August 16, 2023, we made changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Chainguard Images catalog.
