dotnet-runtime-fips

Dev

Fips

Stig

docker pull reg.mini.dev/dotnet-runtime-fips

Dev

Fips

Stig

Updated on June 14

docker pull reg.mini.dev/dotnet-runtime-fips

.Net Runtime FIPS Overview

Secure your stack with a hardened, FIPS-validated .Net Runtime image freshly-built by Minimus. Minimus images always include the most up-to-date package version for all packages and dependencies contained in the image.

Use this .Net Runtime FIPS image when you need to meet the requirements for FIPS-validated cryptographic protection.

FIPS 140-3 Certification

This image is FIPS-validated to ensure its cryptographic operations meet the Federal Information Processing Standards (FIPS) required for secure government and regulated environments. Its core cryptographic modules are validated under the NIST Cryptographic Module Validation Program (CMVP) and comply with the FIPS 140-3 standard.

To verify that the FIPS 140-3 provider is configured and active, follow the instructions in the FIPS compliance tab.

Try It Out

First, check the runtime information for the .NET latest image:

docker run --rm reg.mini.dev/dotnet-runtime-fips --list-runtimes

You should expect a similar response for the relevant version:

Microsoft.NETCore.App 10.0.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

Build a sample app

For our next test, we will use a multi-stage build using the Minimus .NET Runtime and SDK images to create a simple app that prints a greeting and some OS parameters.

To begin, save the following two files to your project directory:

dotnetapp.csproj is the project file for a sample .NET application. Link to file
Program.cs is the entry point for the sample .NET application. Link to file

Next, in the same project directory, save the code below to a Dockerfile:

# -------- Build Stage --------
FROM reg.mini.dev/dotnet-sdk-fips:latest AS build

# Switch to root for permissions
USER root
RUN mkdir -p /dotnetapp && chown -R 1000:1000 /dotnetapp

# Switch back to non-root user
USER 1000
WORKDIR /dotnetapp

COPY --link --chown=1000:1000 ./dotnetapp.csproj .
COPY --link --chown=1000:1000 ./Program.cs .

RUN dotnet publish \
        --no-self-contained \
        -c Release \
        -o /dotnetapp/dist

# -------- Runtime Stage --------
FROM reg.mini.dev/dotnet-runtime-fips:latest

WORKDIR /dotnetapp

# Copy published app from build stage
COPY --from=build /dotnetapp/dist .

# Set the entrypoint
CMD ["dotnetapp.dll"]

Your project directory should now look like this:

project-root/
├── Dockerfile
├── dotnetapp.csproj
└── Program.cs

Note that the framework in the .csproj file should match the image version you are using. The default currently uses version 10 and framework net10.0.

Next, build and run your .NET app. Note that the period . specifies the current directory as the build context:

docker build -t minimus-dotnet-fips .
docker run minimus-dotnet-fips

You should see the .NET greeting with information about its parameters. For example:

         42                                                    
         42              ,d                             ,d     
         42              42                             42     
 ,adPPYb,42  ,adPPYba, MM42MMM 8b,dPPYba,   ,adPPYba, MM42MMM  
a8"    `Y42 a8"     "8a  42    42P'   `"8a a8P_____42   42     
8b       42 8b       d8  42    42       42 8PP!!!!!!!   42     
"8a,   ,d42 "8a,   ,a8"  42,   42       42 "8b,   ,aa   42,    
 `"8bbdP"Y8  `"YbbdP"'   "Y428 42       42  `"Ybbd8"'   "Y428  

OSArchitecture: X64
OSDescription: MinimOS
FrameworkDescription: .NET 10.0

UserName: app
HostName : 0ae513c51d06

ProcessorCount: 2
TotalAvailableMemoryBytes: 4098605056 (3.82 GiB)
cgroup memory constraint: /sys/fs/cgroup/memory/memory.limit_in_bytes
cgroup memory limit: 9223372036854771712 (8589934592.00 GiB)
cgroup memory usage: 35602432 (33.95 MiB)
GC Hard limit %: 0

Technical Considerations

The .Net Runtime FIPS image provided by Minimus is a FIPS validated, slim, security-hardened alternative to the public image from Docker Hub. The images are largely interchangeable, with a few differences as noted below.

.Net Runtime built by Minimus:

Runs as user app, ID 1000. The public image runs as user app, ID 1654.
Drill down on the version specification tab to see the default user, listening ports, entrypoint, volumes, environment variables, etc.

The Payoff

A hardened, minimal image that will remain more secure for the long run and accrue vulnerabilities at a slower rate.

See the risk reduction dashboard for a detailed CVE comparison over the past 30 days.
Review the compliance report to see the default hardening and security configurations for the image.

Terms & Info

Trademark

This catalog is published by Minimus. All product names, logos, and marks, other than those belonging to Minimus, shown are owned by their respective rights holders and appear here only to identify the open source software each image contains. Minimus claims no ownership of those marks and implies no affiliation with, endorsement by, certification by, or sponsorship by any rights holder.

Disclaimer

Images are provided "as-is" without warranty of any kind. "Hardened" refers to the security configuration applied at the time of build and does not constitute a guarantee of ongoing security or absence of vulnerabilities. The free tier is provided without support, SLA, or guaranteed patching timelines. Security updates may be applied to paid subscriptions before or instead of free tier images. By pulling or using any image you agree to our Terms of Use.