liquibase-fips

Dev

Fips

Stig

docker pull reg.mini.dev/liquibase-fips

Dev

Fips

Stig

Updated 3 days ago

docker pull reg.mini.dev/liquibase-fips

Liquibase-FIPS Overview

Secure your stack with a hardened Liquibase-FIPS image freshly-built by Minimus. Minimus images always include the most up-to-date package version for all packages and dependencies contained in the image.

Liquibase is a database schema change management tool. Use it to version, track, and apply migrations to relational databases from CI/CD pipelines or local workflows.

The Minimus image is based on the upstream Liquibase Community edition, licensed under the Functional Source License (FSL), and is intended for development and non-production use only.

FIPS 140-3 Certification

This image is FIPS-validated to ensure its cryptographic operations meet the Federal Information Processing Standards (FIPS) required for secure government and regulated environments. Its core cryptographic modules are validated under the NIST Cryptographic Module Validation Program (CMVP) and comply with the FIPS 140-3 standard.

To verify that the FIPS 140-3 provider is configured and active, follow the instructions in the FIPS compliance tab.

Try It Out

This example runs Liquibase against a Minimus Postgres-FIPS container on a shared Docker network.

Step 1: Start Postgres

Create a network and start Postgres:

docker network create liquibase-test

docker run -d --name liquibase-db --network liquibase-test \
  -e POSTGRES_PASSWORD='MinimusSecure!!' \
  reg.mini.dev/postgres-fips

Wait a few seconds for Postgres to accept connections.

Step 2: Create a Changelog

Create a project directory and save the following as db.changelog-master.yaml:

databaseChangeLog:
  - changeSet:
      id: 1
      author: minimus
      changes:
        - createTable:
            tableName: greeting
            columns:
              - column:
                  name: id
                  type: int
                  autoIncrement: true
                  constraints:
                    primaryKey: true
              - column:
                  name: message
                  type: varchar(255)

Step 3: Apply the Migration

Starting with Liquibase 5.0, database drivers are no longer bundled in the image. To run this setup, keep the following requirements in mind:

Driver Installation - We must install the PostgreSQL driver via LPM and run the update command within the same container execution.
Root Permissions - Because the image runs as non-root by default, the --user root flag is required. This allows the container to read the mounted changelog and gives LPM the permissions needed to install the driver.
FIPS Compliance - The database password must be at least 14 characters (112 bits) long because this is a FIPS-validated image.

docker run --rm \
  --user root \
  --network liquibase-test \
  -v "$PWD":/liquibase/changelog \
  -w /liquibase/changelog \
  --entrypoint sh \
  reg.mini.dev/liquibase-fips \
  -c 'lpm add postgresql --global && liquibase \
    --url=jdbc:postgresql://liquibase-db:5432/postgres \
    --username=postgres \
    --password="MinimusSecure!!" \
    --changeLogFile=db.changelog-master.yaml \
    update'

Liquibase applies any pending changesets and records them in the database changelog tables. For example:

Running Changeset: db.changelog-master.yaml::1::minimus

UPDATE SUMMARY
Run:                          1
Previously run:               0
Filtered out:                 0
-------------------------------
Total change sets:            1

Liquibase: Update has been successful. Rows affected: 0
Liquibase command 'update' was executed successfully.

Step 4: Verify

Confirm the table was created:

docker exec -it liquibase-db psql -U postgres -c "\dt greeting"

You should see the greeting table listed.

Clean Up

Remove the Postgres container from Step 1 (liquibase-db) and the Docker network:

docker rm -f liquibase-db
docker network rm liquibase-test

Technical Considerations

The Liquibase-FIPS image provided by Minimus is a slim, security-hardened alternative to the public image from Docker Hub. The images are largely interchangeable, with a few differences as noted below.

Liquibase-FIPS built by Minimus:

Runs as non-root by default for a security-first approach that protects against privilege escalation attacks.
Liquibase 5.0 and later do not include JDBC drivers by default. Add the driver for your database with Liquibase Package Manager (LPM) before running migrations, for example lpm add postgresql --global.
Drill down on the version specification tab to see the default user, listening ports, entrypoint, volumes, environment variables, etc.

The Payoff

A hardened, minimal image that will remain more secure for the long run and accrue vulnerabilities at a slower rate.

See the risk reduction dashboard for a detailed CVE comparison over the past 30 days.
Review the compliance report to see the default hardening and security configurations for the image.

Terms & Info

Trademark

This catalog is published by Minimus. All product names, logos, and marks, other than those belonging to Minimus, shown are owned by their respective rights holders and appear here only to identify the open source software each image contains. Minimus claims no ownership of those marks and implies no affiliation with, endorsement by, certification by, or sponsorship by any rights holder.

Disclaimer

Images are provided "as-is" without warranty of any kind. "Hardened" refers to the security configuration applied at the time of build and does not constitute a guarantee of ongoing security or absence of vulnerabilities. The free tier is provided without support, SLA, or guaranteed patching timelines. Security updates may be applied to paid subscriptions before or instead of free tier images. By pulling or using any image you agree to our Terms of Use.