Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introducing Chainguard Images for Safer PHP Runtimes

Introducing Chainguard Images for Safer PHP Runtimes

In this talk you'll learn about software supply chain security, CVEs, and how to migrate your PHP Dockerfiles to Chainguard Images for safer container runtimes with low to zero CVEs.

Erika Heidi

April 23, 2024

More Decks by Erika Heidi

Other Decks in Programming


  1. Hi, I'm Erika! • Developer Experience Engineer at Chainguard ◦

    Writing docs, tutorials, presentations, demos… • Open Source enthusiast ◦ PHP Developer focused on CLI applications ◦ Author of Minicli, Librarian, Autodocs… • Too many hobbies
  2. What we'll cover today • A Primer on Software Supply

    Chain Security and CVEs • Introducing Chainguard Images • Migrating to (PHP) Chainguard Images • Demo
  3. Software Supply Chain Security • Much like in manufacturing industries,

    the process of creating, building, and delivering software depends on a large chain of dependencies that we call "software supply chain" • A compromise in any point of this chain (whether malicious or unintentional) is an example of software supply chain security issue • Preventive actions include limiting surface for attack and enforcing provenance attestations
  4. • Standing for Common Vulnerabilities and Exposures, CVEs are records

    of publicly disclosed software vulnerabilities • The CVE Program was created in 1999 and has now over 200.000 registered vulnerabilities, with more being added each day • The Common Vulnerability Scoring System (CVSS) provides a framework to classify vulnerabilities by severity (low, medium, high, and critical) • CLI scanners such as Grype and Trivy can be used to scan container images and detect the presence of affected packages • Patching CVEs is a time-draining task due to factors such as false positives and lack of readily-available upstream patches What are CVEs?
  5. Chainguard Images • Minimal, "flat" container images based on Wolfi,

    the Linux undistro built for containers • Includes distroless and builder images • Zero CVEs goal (achieved most of the time) • High quality SBOMs • Cryptographic signatures to attest provenance for every build
  6. 1. Identify the base image you need a. Refer to

    the images directory to identify the image that is the closest match to what you currently use, or start with wolfi-base for a clean canvas. 2. Try the -dev variant of the image first a. Chainguard Images typically have a distroless variant, which is very minimal and doesn’t include apk, and a builder variant that contains tooling necessary to build applications and install new packages. Start with the dev variant or the wolfi-base image to have more room for customization. 3. Identify packages you need to install a. Depending on your current base image, you may need to include additional packages to meet dependencies. 4. Migrate to a distroless image a. Evaluate the option of using a Docker multi-stage build to create a final distroless image containing only what you need. Migration Process in a Nutshell
  7. docker run --rm -v ${PWD}:/work --entrypoint composer --user root \

    cgr.dev/chainguard/php:latest-dev \ install --working-dir=/work PHP Development Running Composer from Host
  8. docker run --rm -v ${PWD}:/work --entrypoint composer --user laravel \

    cgr.dev/chainguard/laravel:latest-dev \ create-project laravel/laravel demo-laravel --working-dir=/work Laravel Development Running Composer from Host (create new app) docker run -p 8000:8000 --rm -it -v ${PWD}:/work \ --entrypoint /work/demo-laravel/artisan --user laravel \ cgr.dev/chainguard/laravel:latest-dev serve --host= Previewing app with Artisan
  9. FROM cgr.dev/chainguard/php:latest-dev AS builder USER root COPY . /app RUN

    cd /app && chown -R php.php /app USER php RUN composer install --no-progress --no-dev --prefer-dist FROM cgr.dev/chainguard/php:latest COPY --from=builder /app /app ENTRYPOINT [ "php", "/app/autodocs" ] Multi-Stage Builds for CLI PHP Applications
  10. FROM cgr.dev/chainguard/php:latest-fpm-dev AS builder USER root COPY . /app RUN

    cd /app && chown -R php.php /app USER php RUN composer install --no-progress --no-dev --prefer-dist FROM cgr.dev/chainguard/php:latest-fpm COPY --from=builder /app /app Multi-Stage Builds for Web PHP Applications
  11. Resources to Learn More • Chainguard Academy • Chainguard Images

    Directory • Migrating to PHP Chainguard Images • Debugging Distroless Images • PHP image docs • Laravel image docs