Minimal: Hardened Container Images
A collection of production-ready container images with minimal CVEs, rebuilt daily using Chainguard's apko and Wolfi packages. By including only required packages, these images maintain a reduced attack surface and typically have zero or near-zero known vulnerabilities.
Available Images
| Image | Pull Command | Shell | Use Case |
|-------|--------------|-------|----------|
| Python | docker pull ghcr.io/rtvkiz/minimal-python:latest | No | Python apps, microservices |
| Node.js | docker pull ghcr.io/rtvkiz/minimal-node:latest | Yes | Node.js apps, JavaScript |
| Bun | docker pull ghcr.io/rtvkiz/minimal-bun:latest | No | Fast JavaScript/TypeScript runtime |
| Go | docker pull ghcr.io/rtvkiz/minimal-go:latest | No | Go development, CGO builds |
| Nginx | docker pull ghcr.io/rtvkiz/minimal-nginx:latest | No | Reverse proxy, static files |
| HTTPD | docker pull ghcr.io/rtvkiz/minimal-httpd:latest | Maybe* | Apache web server |
| Jenkins | docker pull ghcr.io/rtvkiz/minimal-jenkins:latest | Yes | CI/CD automation |
| Redis-slim | docker pull ghcr.io/rtvkiz/minimal-redis-slim:latest | No | In-memory data store |
| PostgreSQL-slim | docker pull ghcr.io/rtvkiz/minimal-postgres-slim:latest | No | Relational database |

*HTTPD, Jenkins, and Node.js may include a shell (sh, busybox) via transitive Wolfi dependencies. CI treats shell presence as informational.
Why This Matters
Container vulnerabilities are a top attack vector. Most base images ship with dozens of known CVEs that take weeks or months to patch:
Traditional images:     Your containers:
┌──────────────────┐    ┌──────────────────┐
│ debian:latest    │    │ minimal-python   │
│ 127 CVEs         │    │ 0-5 CVEs         │
│ Patched: ~30 days│    │ Patched: <48 hrs │
└──────────────────┘    └──────────────────┘
Impact:
Pass security audits and compliance requirements (SOC2, FedRAMP, PCI-DSS)