Hardened alpine linux baseimage for Docker.
Note: If you use Golang, build statically and use iron-scratch. If you are using Java/Python/NodeJS/dotnet, use a distroless image instead.
# you can pull a global version (3), a series version (3.13) or a specific version (3.13.2)
docker pull ghcr.io/ironpeakservices/iron-alpine/iron-alpine:3
docker pull ghcr.io/ironpeakservices/iron-alpine/iron-alpine:3.13
docker pull ghcr.io/ironpeakservices/iron-alpine/iron-alpine:3.13.2
- ca-certificates included
- /app for everything app-related; /app/conf, /app/tmp, /app/data
- no interactive shells for users
- removed unneccessary accounts, only 'app' and 'root' users
- removed crontabs
- removed dangerous commands and utilities
- strictened permissions on system files and directories
- removed temporary shadow/passwd/group
- removed suid/guid files
- removed init scripts
- removed kernel tunables
- removed /root/
- removed fstab
- post-install.sh:
- removes apk manager after installation
- sets permissions on /app after installation
docker pull ghcr.io/ironpeakservices/iron-alpine:1.0.0
See the nginx example.
Updates to the official alpine docker image are automatically created as a pull request and trigger linting & a docker build. When those checks complete without errors, a merge into master will trigger a deploy with the same version to packages.
If you want, you can also enable vulnerability scanning during your build (for free). Take a look at https://github.com/aquasecurity/microscanner