Slide 1

Chainguard

Creating Safer PHP Runtimes
An introduction to Chainguard minimal images for the PHP ecosystem

chainguard.dev

Slide 2

Hi, I'm Erika!
● Developer Experience Engineer at Chainguard
  ○ Writing docs, tutorials, presentations, demos…
● Open Source enthusiast
  ○ PHP Developer focused on CLI applications
  ○ Author of Minicli, Librarian, Autodocs…
● Too many hobbies

Slide 3

What we'll cover today
● A Primer on Software Supply Chain Security and CVEs
● Introducing Chainguard Images
● Migrating to (PHP) Chainguard Images
● Demo

Slide 4

A Primer on Software Supply Chain Security and CVEs

Slide 5

Software Supply Chain Security
● Much like in manufacturing industries, the process of creating, building, and delivering software depends on a large chain of dependencies that we call the "software supply chain"
● A compromise at any point of this chain (whether malicious or unintentional) is a software supply chain security issue
● Preventive actions include limiting the attack surface and enforcing provenance attestations

Slide 6

What are CVEs?
● Standing for Common Vulnerabilities and Exposures, CVEs are records of publicly disclosed software vulnerabilities
● The CVE Program was created in 1999 and now has over 200,000 registered vulnerabilities, with more being added each day
● The Common Vulnerability Scoring System (CVSS) provides a framework to classify vulnerabilities by severity (low, medium, high, and critical)
● CLI scanners such as Grype and Trivy can be used to scan container images and detect the presence of affected packages
● Patching CVEs is a time-draining task due to factors such as false positives and the lack of readily available upstream patches
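As an added example (not from the deck, and not Chainguard's or Grype's own code), the script below triages a scanner report the way the slide describes: it counts findings per CVSS severity and separates the ones that have no upstream fix yet, which are the findings that keep showing up scan after scan. The field names (matches[].vulnerability.{id,severity,fix.state}, matches[].artifact.{name,version}) are assumed to follow Grype's JSON output; the report itself is constructed, and only CVE-2024-2961 is taken from the deck.

```python
import json
from collections import Counter

SEVERITIES = ("Critical", "High", "Medium", "Low", "Negligible", "Unknown")

# Constructed sample in the shape of `grype <image> -o json` (assumed field
# names; only CVE-2024-2961 is taken from the deck, the rest is made up).
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2024-2961", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libexample-a", "version": "1.0.0-r0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical",
                       "fix": {"versions": ["2.0.1-r0"], "state": "fixed"}},
     "artifact": {"name": "libexample-b", "version": "2.0.0-r0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Medium",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "libexample-b", "version": "2.0.0-r0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Low",
                       "fix": {"versions": ["3.1"], "state": "fixed"}},
     "artifact": {"name": "libexample-c", "version": "3.0"}},
]})


def summarize(report_json: str) -> dict:
    """Count findings per severity, list the ones without an upstream fix,
    and report how many Critical/High findings block a 'zero CVE' policy."""
    report = json.loads(report_json)
    by_severity: Counter = Counter()
    unfixed = []  # (cve id, package@version, fix state)
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        by_severity[vuln.get("severity", "Unknown")] += 1
        state = vuln.get("fix", {}).get("state", "unknown")
        if state != "fixed":  # nothing to patch yet: scanners will keep flagging it
            pkg = match["artifact"]
            unfixed.append((vuln["id"], f'{pkg["name"]}@{pkg["version"]}', state))
    blocking = by_severity["Critical"] + by_severity["High"]
    return {"by_severity": dict(by_severity), "unfixed": unfixed, "blocking": blocking}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for sev in SEVERITIES:
        print(f"{sev:<11}{result['by_severity'].get(sev, 0)}")
    for cve, pkg, state in result["unfixed"]:
        print(f"no fix available: {cve} in {pkg} ({state})")
    print("policy (no Critical/High):", "FAIL" if result["blocking"] else "PASS")
```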

Slide 7

How many is too many?

Slide 8

How long does it take to be fixed?
CVE-2024-2961
Last scanned: April 22

Slide 9

How long does it take to be fixed?
CVE-2024-2961
Last scanned: April 22

Slide 10

Introducing Chainguard Images
Minimal images aiming for zero CVEs

Slide 11

Chainguard Images
● Minimal, "flat" container images based on Wolfi, the Linux undistro built for containers
● Includes distroless and builder images
● Zero-CVE goal (achieved most of the time)
● High-quality SBOMs
● Cryptographic signatures to attest provenance for every build

Slide 12

Comparing Images: PHP (Alpine)

Slide 13

CVEs Compared: Alpine vs Chainguard Images

Slide 14

Remember CVE-2024-2961?

Slide 15

Migrating to Chainguard Images
Migrating PHP Dockerfiles to Chainguard Images

Slide 16

Migration Process in a Nutshell
1. Identify the base image you need
   a. Refer to the images directory to identify the image that is the closest match to what you currently use, or start with wolfi-base for a clean canvas.
2. Try the -dev variant of the image first
   a. Chainguard Images typically have a distroless variant, which is very minimal and doesn't include apk, and a builder (-dev) variant that contains the tooling necessary to build applications and install new packages. Start with the -dev variant or the wolfi-base image to have more room for customization.
3. Identify packages you need to install
   a. Depending on your current base image, you may need to include additional packages to meet dependencies.
4. Migrate to a distroless image
   a. Evaluate the option of using a Docker multi-stage build to create a final distroless image containing only what you need.
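To make the four steps concrete, here is an added example (not part of the deck and not a Chainguard tool) that reads a Dockerfile and produces a migration plan: each FROM line is mapped to a Chainguard image, build stages get the -dev variant and the last stage the distroless one (steps 1, 2 and 4), and every package-manager install line is listed for review against Wolfi's apk package names (step 3). The image mapping is an assumption limited to what the deck names (php and wolfi-base); the sample Dockerfile is constructed.

```python
import re

# FROM [--platform=...] image[:tag] [AS name]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
# Package-manager installs that step 3 says must be re-mapped to apk on Wolfi
PKG_RE = re.compile(r"\b(apk\s+add|apt(?:-get)?\s+install|dnf\s+install|yum\s+install|microdnf\s+install)\b")

# Constructed sample input, not a Dockerfile from the deck.
SAMPLE_DOCKERFILE = """\
FROM php:8.3-fpm-alpine AS builder
RUN apk add --no-cache git unzip
COPY . /app
RUN composer install --no-dev
FROM php:8.3-fpm-alpine
COPY --from=builder /app /app
"""


def chainguard_equivalent(image: str, final: bool) -> str:
    """Assumed mapping: php:* -> cgr.dev/chainguard/php (fpm tags keep fpm),
    anything else -> wolfi-base as a clean canvas. Build stages get the -dev
    variant (step 2); the last stage gets the distroless one (step 4)."""
    name, _, tag = image.partition(":")
    if name.split("/")[-1] == "php":
        base = "cgr.dev/chainguard/php:latest" + ("-fpm" if "fpm" in tag else "")
        return base if final else base + "-dev"
    return "cgr.dev/chainguard/wolfi-base:latest"


def plan_migration(dockerfile: str) -> dict:
    """Return the FROM lines to rewrite and the package-install lines to review."""
    lines = dockerfile.splitlines()
    froms = [(i, FROM_RE.match(l)) for i, l in enumerate(lines) if FROM_RE.match(l)]
    stage_names = {m.group(2) for _, m in froms if m.group(2)}
    stages = []
    for n, (i, m) in enumerate(froms):
        image = m.group(1)
        if image in stage_names:  # FROM <earlier stage>: nothing to rewrite
            continue
        final = n == len(froms) - 1
        stages.append({"line": i + 1, "from": image,
                       "to": chainguard_equivalent(image, final), "final": final})
    packages = [(i + 1, l.strip()) for i, l in enumerate(lines) if PKG_RE.search(l)]
    return {"stages": stages, "packages": packages}


if __name__ == "__main__":
    plan = plan_migration(SAMPLE_DOCKERFILE)
    for s in plan["stages"]:
        print(f'line {s["line"]}: FROM {s["from"]} -> FROM {s["to"]}')
    for n, text in plan["packages"]:
        print(f"line {n}: review package names for Wolfi apk: {text}")
```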

Slide 17

Migrating from Debian and Ubuntu

Slide 18

Migrating from Red Hat UBI

Slide 19

PHP Development
Running Composer from Host

docker run --rm -v ${PWD}:/work --entrypoint composer --user root \
  cgr.dev/chainguard/php:latest-dev \
  install --working-dir=/work

Slide 20

Laravel Development
Running Composer from Host (create new app)

docker run --rm -v ${PWD}:/work --entrypoint composer --user laravel \
  cgr.dev/chainguard/laravel:latest-dev \
  create-project laravel/laravel demo-laravel --working-dir=/work

Previewing app with Artisan

docker run -p 8000:8000 --rm -it -v ${PWD}:/work \
  --entrypoint /work/demo-laravel/artisan --user laravel \
  cgr.dev/chainguard/laravel:latest-dev serve --host=0.0.0.0

Slide 21

Using Docker Compose for Development

Slide 22

Multi-Stage Builds for CLI PHP Applications

# Build stage: the -dev variant ships composer, a shell and apk
FROM cgr.dev/chainguard/php:latest-dev AS builder
USER root
COPY . /app
RUN cd /app && chown -R php.php /app
# Drop privileges before installing dependencies
USER php
# Make the working directory explicit so composer resolves /app/composer.json
WORKDIR /app
RUN composer install --no-progress --no-dev --prefer-dist

# Runtime stage: distroless image, only the built application is copied in
FROM cgr.dev/chainguard/php:latest
COPY --from=builder /app /app
ENTRYPOINT [ "php", "/app/autodocs" ]

Slide 23

Multi-Stage Builds for Web PHP Applications

# Build stage: the -fpm-dev variant ships composer, a shell and apk
FROM cgr.dev/chainguard/php:latest-fpm-dev AS builder
USER root
COPY . /app
RUN cd /app && chown -R php.php /app
# Drop privileges before installing dependencies
USER php
# Make the working directory explicit so composer resolves /app/composer.json
WORKDIR /app
RUN composer install --no-progress --no-dev --prefer-dist

# Runtime stage: distroless php-fpm image, only the built application is copied in
FROM cgr.dev/chainguard/php:latest-fpm
COPY --from=builder /app /app

Slide 24

Demos

Slide 25

Questions?

Slide 26

Resources to Learn More
● Chainguard Academy
● Chainguard Images Directory
● Migrating to PHP Chainguard Images
● Debugging Distroless Images
● PHP image docs
● Laravel image docs

Slide 27

chainguard.dev | edu.chainguard.dev
@chainguard_dev
chainguard-dev