This project is dedicated to building a suite of secure, minimal, and multi-architecture base container images. These images serve as a standardized foundation for developing and deploying other containerized applications, ensuring consistency and security from the ground up.
- Multi-arch support: linux/amd64 and linux/arm64
- Variant-based images: minimal, base, jdk (standard), full
- Security: Trivy scanning integrated in CI, Mozilla CA certificates
- Automated updates: Update checker for all components
- Reproducible builds: Version-pinned dependencies with signature verification
- OCI labels: Full metadata labeling for compliance and tooling integration
At the moment, the images are published to a Google Artifact Registry (GAR) repository hosted by Digital Asset and can be pulled with, e.g.:
docker pull europe-docker.pkg.dev/da-images/public/docker/da-base-image:full-1.0.7
We will soon migrate the build pipeline to this repository, and push the images to a GHCR repository attached to it.
Install the following dependencies:
sudo apt install gawk bison
sudo apt install build-essential
sudo apt install linux-headers-generic
sudo apt-get install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
sudo apt-get install gcc-x86-64-linux-gnu g++-x86-64-linux-gnu
sudo apt-get install openssl # Required for CA certificate hash generation
- Variants - Overview of image variants
- Testing - Functional test framework
- CA Certificates - Certificate management
- Image Labels - Label annotations and metadata
- Trivy Scanning - Security scanning
This repository uses GitHub Actions to automate the build, test, and release process. The workflow is defined in .github/workflows/build-images.yml.
On every push to the main and release-line* branches, the workflow will:
- Build all image variants for both amd64 and arm64 architectures.
- Run a suite of tests against the newly built images.
- Scan the images for vulnerabilities using Trivy.
This process ensures that the codebase is always in a buildable and tested state, but it does not publish the images to the public production registry or create a release.
To create a new public release, you must create and push a Git tag with a version number prefixed by v (e.g., v1.2.3).
- Create a tag:
git tag v1.2.3
- Push the tag:
git push origin v1.2.3
Pushing a tag will trigger the full release workflow, which includes:
- Building and testing all image variants.
- Pushing the images to the Google Artifact Registry.
- Cryptographically signing the images.
- Creating a new GitHub Release with the corresponding version number.
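The tag is the only trigger for the release workflow, so a tag that does not match the expected pattern simply does nothing, and a tag that already exists elsewhere can point a release at the wrong commit. The helper below, an added example that is not part of the canton-base-images repository, checks the tag before creating and pushing it. It assumes the version is three dotted numbers prefixed by v (the README only says "prefixed by v", e.g. v1.2.3) and that the remote is named origin.

```shell
#!/bin/sh
# Added example, not from the canton-base-images repository: validate a release
# tag, make sure it is unused locally and on origin, then create and push it.
# Assumptions: tags look like v<major>.<minor>.<patch>; the remote is "origin".
set -eu

# Return 0 if TAG has the form v1.2.3, 1 otherwise.
validate_release_tag() {
    tag="$1"
    printf '%s\n' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Return 0 if TAG exists neither locally nor on origin (needs a git checkout).
tag_is_new() {
    tag="$1"
    if git rev-parse -q --verify "refs/tags/$tag" >/dev/null 2>&1; then
        echo "tag $tag already exists locally" >&2
        return 1
    fi
    if git ls-remote --exit-code --tags origin "refs/tags/$tag" >/dev/null 2>&1; then
        echo "tag $tag already exists on origin" >&2
        return 1
    fi
    return 0
}

# Create an annotated tag on HEAD and push it; the push triggers the release workflow.
release() {
    tag="$1"
    validate_release_tag "$tag" || { echo "usage: release vX.Y.Z (got '$tag')" >&2; return 1; }
    tag_is_new "$tag" || return 1
    git tag -a "$tag" -m "Release $tag"
    git push origin "$tag"
}

# Only act when a tag is given on the command line, e.g.: sh release.sh v1.2.3
if [ "$#" -gt 0 ]; then
    release "$1"
fi
```

An annotated tag (git tag -a) carries the tagger identity and date, which is what you want to see next to a signed image; a lightweight tag would work for the trigger but records nothing about who cut the release.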
The workflow currently targets Google Artifact Registry (GAR). The images are pushed to the following locations:
- Production: europe-docker.pkg.dev/da-images/public/docker/da-base-image:<variant>-<version>
- Beta: europe-docker.pkg.dev/da-images/private-unstable/docker/da-base-image:<variant>-<version>
The specific registry used depends on whether the build is a production (from a tag on release-line) or beta (from a push to main) build.
This repo integrates Trivy to scan the built images for HIGH/CRITICAL vulnerabilities and publishes results to GitHub Code Scanning.
- In the build workflow (.github/workflows/build-images.yml), scans run automatically after images are built.
- A standalone workflow (.github/workflows/scan-images.yml) lets you scan the rolling tag or a specific date tag on demand.
- Go to GitHub → Actions → "Scan Images with Trivy" → Run workflow
- Inputs:
  - variants: e.g., minimal,base,jdk,full
  - tag: optional date suffix to scan a specific build (e.g., 20251106). Empty uses the rolling tag.
  - fail_on_severity: optional; set to HIGH,CRITICAL to fail the run if findings of those severities are present.
  - upload_sarif: optional; set to true to publish results to Code Scanning.
Results:
- SARIF is available under the repository’s “Security → Code scanning alerts”.
- Text reports are attached to the workflow run as artifacts.
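To reproduce the on-demand scan locally, for instance to check a candidate image before tagging a release, the script below maps the workflow's four inputs onto environment variables and runs trivy with the corresponding flags. It is an added example, not the repository's own workflow or tooling. It assumes, since the README does not say, that the rolling tag is the bare variant name (full) and that a date build is tagged <variant>-<date> (full-20251106); it also assumes trivy is installed and the image is pullable.

```shell
#!/bin/sh
# Added example, not from the canton-base-images repository: run the same scan
# the "Scan Images with Trivy" workflow runs, locally and on demand.
# Assumptions (not stated in the README): rolling tag = "<variant>",
# date build = "<variant>-<date>", trivy on PATH, image pullable.
set -eu

REGISTRY="${REGISTRY:-europe-docker.pkg.dev/da-images/public/docker/da-base-image}"

# Print the full image reference for a variant and an optional date tag.
image_ref() {
    variant="$1"
    tag="${2:-}"
    if [ -n "$tag" ]; then
        printf '%s:%s-%s\n' "$REGISTRY" "$variant" "$tag"
    else
        printf '%s:%s\n' "$REGISTRY" "$variant"
    fi
}

# Print the trivy flags for the fail_on_severity and upload_sarif inputs.
# Findings are always reported at HIGH/CRITICAL; only when fail_on_severity is
# set does trivy return a non-zero exit code for findings at those levels.
trivy_args() {
    fail_on_severity="$1"   # e.g. "HIGH,CRITICAL", or empty for report-only
    upload_sarif="$2"       # "true" writes SARIF for Code Scanning, else a text table
    if [ -n "$fail_on_severity" ]; then
        out="--severity $fail_on_severity --exit-code 1"
    else
        out="--severity HIGH,CRITICAL --exit-code 0"
    fi
    if [ "$upload_sarif" = "true" ]; then
        out="$out --format sarif"
    else
        out="$out --format table"
    fi
    printf '%s\n' "$out"
}

# Scan one variant and write the report next to the script.
scan_variant() {
    variant="$1"; tag="$2"; fail_on_severity="$3"; upload_sarif="$4"
    ref="$(image_ref "$variant" "$tag")"
    report="trivy-${variant}${tag:+-$tag}"
    if [ "$upload_sarif" = "true" ]; then report="$report.sarif"; else report="$report.txt"; fi
    echo "scanning $ref -> $report"
    # Word splitting of the flag string is intended here.
    trivy image $(trivy_args "$fail_on_severity" "$upload_sarif") --output "$report" "$ref"
}

# Scan every variant in a comma-separated list; keep going after a failing
# variant so all reports are produced, then fail at the end (as the workflow does).
scan_all() {
    variants="$1"; tag="$2"; fail_on_severity="$3"; upload_sarif="$4"
    status=0
    for v in $(printf '%s\n' "$variants" | tr ',' ' '); do
        scan_variant "$v" "$tag" "$fail_on_severity" "$upload_sarif" || status=1
    done
    return "$status"
}

# Only scan when VARIANTS is set, e.g.:
#   VARIANTS=minimal,base,jdk,full TAG=20251106 FAIL_ON_SEVERITY=HIGH,CRITICAL UPLOAD_SARIF=true sh scan-images.sh
if [ -n "${VARIANTS:-}" ]; then
    scan_all "$VARIANTS" "${TAG:-}" "${FAIL_ON_SEVERITY:-}" "${UPLOAD_SARIF:-false}"
fi
```

The SARIF file produced with UPLOAD_SARIF=true is the same format the workflow publishes to Security → Code scanning alerts, so a local run lets you inspect what would appear there before pushing a tag.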
Copyright canton-base-images contributors. All rights reserved.