nginx
Infra
docker pull reg.mini.dev/nginx
Updated 5 days ago
CIS Docker Benchmark v1.8.0 Report

CIS Docker Compliance: 100% Passed
Scan Date:
Image Tag:
Checks Analyzed: 10
Passed: 10
Failed: 0
2 checks excluded as irrelevant
CIS Docker Section 4: Container Images

Ensure that a user for the container has been created
CIS ID: 4.1
Status: Passed
Notes: This image is configured to run as a non-root user by default. Run docker inspect on the image to verify the default user.

Ensure that containers use only trusted base images
CIS ID: 4.2
Status: Passed
Notes: All Minimus images are based on our internally maintained distroless operating system, MinimOS. Minimus builds and verifies all components included in the image, including core libraries, certificates, and language runtimes.
Ensure that unnecessary packages are not installed in the container
CIS ID: 4.3
Status: Passed
Notes: Minimus production images are based on a distroless approach which includes only the essential components required for the specific application to run, for example the application binary and core runtime libraries (e.g., glibc). In keeping with the distroless approach, package managers, debugging tools and other tools are excluded. Shells are only included if they are required and the image cannot operate without them.

Ensure images are scanned and rebuilt to include security patches
CIS ID: 4.4
Status: Passed
Notes: Minimus scans images multiple times a day and provides a current vulnerabilities report directly in the Minimus console. New versions of images are continuously built to incorporate security patches as detailed in our SLA. Minimus builds packages directly from source automatically whenever there is a new version upstream, to ensure that all image components are up-to-date. Minimus releases updated images daily, whenever an image has packages that can be updated.
Ensure Content Trust for Docker is enabled
CIS ID: 4.5
Status: Out of scope
Notes: All Minimus images and image SBOMs are cryptographically signed and verified and can be used with Docker Content Trust (DCT). Signature verification commands are provided for every image in the Minimus console.

Ensure that HEALTHCHECK instructions have been added to container images
CIS ID: 4.6
Status: Out of scope
Notes: Minimus chose to exclude HEALTHCHECK from its images for the following reasons. Tools for centralized health and lifecycle management of containers, for example Kubernetes liveness and readiness probes, offer more flexible probes that have replaced the need for a static Dockerfile-level HEALTHCHECK. Excluding HEALTHCHECK also helps to reduce image complexity in keeping with the distroless approach: HEALTHCHECK often requires a shell, curl, or additional scripts/tools, which violates the distroless principle of reducing the attack surface by removing unnecessary packages (per CIS 4.3).
Ensure update instructions are not used alone in the Dockerfile
CIS ID: 4.7
Status: Passed
Notes: Minimus images are built as a single layer by the Minimus service. Minimus service tooling does not make use of update instructions in the build process. Furthermore, Minimus production images do not contain package managers and would therefore not be affected by update instructions.

Ensure setuid and setgid permissions are removed
CIS ID: 4.8
Status: Passed
Notes: All executables in the Minimus image run with the privileges of the executing user, not the file owner or group.
Ensure that COPY is used instead of ADD in Dockerfiles
CIS ID: 4.9
Status: Passed
Notes: Minimus images are built as single-layer artifacts without using Dockerfiles.

Ensure secrets are not stored in Dockerfiles
CIS ID: 4.10
Status: Passed
Notes: Minimus images are built directly from source and include no secrets of any kind. No passwords, GitHub tokens, X.509 keys, or any other secrets are stored in Minimus images.
Ensure only verified packages are installed
CIS ID: 4.11
Status: Passed

Ensure all signed artifacts are validated
CIS ID: 4.12
Status: Passed
Notes (4.11 and 4.12): Minimus ensures that only verified packages are included in its images. All packages used by Minimus images are built for MinimOS, the Minimus distroless operating system. The Minimus service builds all these images directly from source and signs all of its packages using a private signing key. During the image build step, Minimus passes the corresponding public key to the image builder to verify the authenticity of every package. Together, this ensures that images and image SBOMs signed by Minimus are fully verified.