Minimal

Minimal CVE Hardened container image collection

Install / Use

/learn @rtvkiz/Minimal
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

Minimal — Hardened Container Images

Production-ready container images with minimal CVEs, rebuilt daily using Chainguard's apko (https://github.com/chainguard-dev/apko) and Wolfi (https://github.com/wolfi-dev) packages.

Build status: https://github.com/rtvkiz/minimal/actions/workflows/build.yml | Vulnerability report: https://rtvkiz.github.io/minimal/ | License: MIT | Images: 34 | Architectures: amd64, arm64

rtvkiz.github.io/minimal — live vulnerability report, updated on every build

Why This Matters

Container vulnerabilities are a top attack vector. Most base images ship with dozens of known CVEs that take weeks or months to patch:

| | Example image | Known CVEs | Time to patch |
|---|---|---|---|
| Traditional images | debian:latest | 127 CVEs | ~30 days |
| Minimal images | minimal-python | 0-5 CVEs | <48 hours |

Impact:

  • Compliance ready — Pass SOC2, FedRAMP, and PCI-DSS security audits
  • Reduced attack surface — Minimal, distroless images with only essential packages
  • Rapid CVE patching — Fixes within 24-48 hours of disclosure (vs weeks for Debian/Ubuntu)
  • Supply chain security — Cryptographically signed images with full SBOM

Available Images

| Image | Pull Command | Shell | Use Case |
|-------|--------------|-------|----------|
| | | Languages | |
| Python | docker pull ghcr.io/rtvkiz/minimal-python:latest | No | Python apps, microservices |
| Node.js-slim | docker pull ghcr.io/rtvkiz/minimal-node-slim:latest | No | Node.js apps, JavaScript |
| Bun | docker pull ghcr.io/rtvkiz/minimal-bun:latest | No | Fast JavaScript/TypeScript runtime |
| Go | docker pull ghcr.io/rtvkiz/minimal-go:latest | No | Go development, CGO builds |
| .NET Runtime | docker pull ghcr.io/rtvkiz/minimal-dotnet:latest | No | .NET 10 runtime for apps |
| Java | docker pull ghcr.io/rtvkiz/minimal-java:latest | No | OpenJDK 21 JRE for Java apps |
| PHP | docker pull ghcr.io/rtvkiz/minimal-php:latest | No | PHP 8.5 CLI (built from source) |
| Rails | docker pull ghcr.io/rtvkiz/minimal-rails:latest | No | Ruby 4.0 + Rails 8.1 (built from source) |
| | | Web Servers | |
| Nginx | docker pull ghcr.io/rtvkiz/minimal-nginx:latest | No | Reverse proxy, static files |
| HTTPD | docker pull ghcr.io/rtvkiz/minimal-httpd:latest | Maybe* | Apache web server |
| | | Databases | |
| MySQL | docker pull ghcr.io/rtvkiz/minimal-mysql:latest | Yes | Relational database, LTS track (8.4.x), built from source |
| MariaDB | docker pull ghcr.io/rtvkiz/minimal-mariadb:latest | Yes | MariaDB LTS (11.4.x) built from source, MySQL-compatible |
| PostgreSQL-slim | docker pull ghcr.io/rtvkiz/minimal-postgres-slim:latest | No | Relational database |
| SQLite | docker pull ghcr.io/rtvkiz/minimal-sqlite:latest | No | Embedded SQL database CLI |
| | | Caching | |
| Redis-slim | docker pull ghcr.io/rtvkiz/minimal-redis-slim:latest | No | In-memory data store |
| Memcached | docker pull ghcr.io/rtvkiz/minimal-memcached:latest | No | In-memory caching (built from source) |
| Valkey | docker pull ghcr.io/rtvkiz/minimal-valkey:latest | No | BSD-licensed Redis fork (Linux Foundation), built from source |
| | | Messaging | |
| Kafka | docker pull ghcr.io/rtvkiz/minimal-kafka:latest | Yes | Apache Kafka 4.x, KRaft mode, custom jlink JRE |
| RabbitMQ | docker pull ghcr.io/rtvkiz/minimal-rabbitmq:latest | Yes | RabbitMQ 4.x AMQP broker, Wolfi Erlang OTP runtime |
| NATS | docker pull ghcr.io/rtvkiz/minimal-nats:latest | No | NATS Server (nats-server) only — core message broker with JetStream, built from source |
| | | Object Storage | |
| MinIO | docker pull ghcr.io/rtvkiz/minimal-minio:latest | No | S3-compatible object storage, built from source |
| OpenSearch | docker pull ghcr.io/rtvkiz/minimal-opensearch:latest | No* | OpenSearch 2.x — Elasticsearch-compatible search and analytics |
| | | Observability | |
| Prometheus | docker pull ghcr.io/rtvkiz/minimal-prometheus:latest | No | Metrics collection and alerting, built from source |
| Grafana | docker pull ghcr.io/rtvkiz/minimal-grafana:latest | No | Observability platform with dashboards, built from source |
| VictoriaMetrics | docker pull ghcr.io/rtvkiz/minimal-victoria-metrics:latest | No | High-performance metrics storage and query engine, built from source |
| Jaeger | docker pull ghcr.io/rtvkiz/minimal-jaeger:latest | No | Distributed tracing platform (v2), built from source |
| OTel Collector | docker pull ghcr.io/rtvkiz/minimal-otelcol:latest | No | OpenTelemetry Collector core — traces, metrics, logs, built from source |
| | | Databases / Search | |
| etcd | docker pull ghcr.io/rtvkiz/minimal-etcd:latest | No | Distributed key-value store for Kubernetes and service discovery, built from source |
| Qdrant | docker pull ghcr.io/rtvkiz/minimal-qdrant:latest | No | Vector database for AI/ML semantic search, built from source (Rust) |
| | | Runtimes | |
| Deno | docker pull ghcr.io/rtvkiz/minimal-deno:latest | No | Secure TypeScript/JavaScript runtime (Wolfi package) |
| | | Proxies | |
| Caddy | docker pull ghcr.io/rtvkiz/minimal-caddy:latest | No | Automatic HTTPS web server |
| HAProxy | docker pull ghcr.io/rtvkiz/minimal-haproxy:latest | No | High-performance TCP/HTTP load balancer |
| Traefik | docker pull ghcr.io/rtvkiz/minimal-traefik:latest | No | Cloud-native reverse proxy and load balancer, built from source |
| | | CI/CD | |
| Jenkins | docker pull ghcr.io/rtvkiz/minimal-jenkins:latest | Yes | CI/CD automation |

*HTTPD, Jenkins, and Kafka may include a shell (sh, busybox) via transitive Wolfi dependencies or the KRaft init entrypoint. MySQL includes busybox for its auto-init entrypoint script. OpenSearch includes bash/busybox as transitive dependencies of the opensearch-2 Wolfi package. CI treats shell presence as informational.

The NATS image contains only nats-server (the broker). The NATS ecosystem also includes a separate CLI (natscli) and client libraries — these are not included.

Quick Start

```bash
# Python - run your app
docker run --rm -v $(pwd):/app ghcr.io/rtvkiz/minimal-python:latest /app/main.py

# Node.js - run your app
docker run --rm -v $(pwd):/app -w /app ghcr.io/rtvkiz/minimal-node-slim:latest index.js

# Bun - fast JavaScript runtime
docker run --rm ghcr.io/rtvkiz/minimal-bun:latest --version

# Go - build your app
docker run --rm -v $(pwd):/app -w /app ghcr.io/rtvkiz/minimal-go:latest build -o /tmp/app .

# Nginx - reverse proxy
docker run -d -p 8080:80 ghcr.io/rtvkiz/minimal-nginx:latest

# HTTPD - serve static content
docker run -d -p 8080:80 ghcr.io/rtvkiz/minimal-httpd:latest

# Jenkins - CI/CD controller
docker run -d -p 8080:8080 -v jenkins_home:/var/jenkins_home ghcr.io/rtvkiz/minimal-jenkins:latest

# Redis - in-memory data store
docker run -d -p 6379:6379 ghcr.io/rtvkiz/minimal-redis-slim:latest

# MySQL - relational database (LTS)
docker run -d -p 3306:3306 -v mysqldata:/var/lib/mysql ghcr.io/rtvkiz/minimal-mysql:latest

# Memcached - in-memory caching
docker run -d -p 11211:11211 ghcr.io/rtvkiz/minimal-memcached:latest

# PostgreSQL - relational database
docker run -d -p 5432:5432 -v pgdata:/var/lib/postgresql/data ghcr.io/rtvkiz/minimal-postgres-slim:latest

# SQLite - embedded SQL database
docker run --rm -v $(pwd):/data ghcr.io/rtvkiz/minimal-sqlite:latest /data/mydb.sqlite "SELECT sqlite_version();"

# .NET - run your app
docker run --rm -v $(pwd):/app ghcr.io/rtvkiz/minimal-dotnet:latest /app/myapp.dll

# Java - run your app
docker run --rm -v $(pwd):/app ghcr.io/rtvkiz/minimal-java:latest -jar /app/myapp.jar

# PHP - run your app
docker run --rm -v $(pwd):/app ghcr.io/rtvkiz/minimal-php:latest /app/index.php

# Rails - run your app
docker run --rm -v $(pwd):/app ghcr.io/rtvkiz/minimal-rails:latest -e "require 'rails'; puts Rails.version"

# Kafka - start a broker (KRaft mode, auto-initializes storage on first boot)
docker run -d -p 9092:9092 -v kafkadata:/var/kafka/data ghcr.io/rtvkiz/minimal-kafka:latest

# RabbitMQ - AMQP message broker
docker run -d -p 5672:5672 -v rabbitmqdata:/var/lib/rabbitmq ghcr.io/rtvkiz/minimal-rabbitmq:latest
```

Security Features

  • Vulnerability scanning — Every build scanned with Grype; results in vulnerability report, job summary, and Security tab
  • Immutable tags — Chainguard-style VERSION-rN tags for reproducible deployments
  • Signed images — All images signed with cosign keyless signing
  • SBOM generation — Full software bill of materials in SPDX format
  • Non-root users — All images run as non-root by default
  • Minimal attack surface — Only essential packages included
  • Shell-less images — Most images have no shell
  • Reproducible builds — Declarative apko configurations
  • Multi-architecture — Native support for AMD64 and ARM64
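The scan results and immutable VERSION-rN tags above are what a consumer of these images can enforce at deploy time. The following pre-deploy gate is an added example, not part of the Minimal project: it reads a Grype JSON report for an image, applies a CVE budget and severity threshold, and refuses deployment manifests that reference a mutable tag such as `:latest` instead of a VERSION-rN tag or a digest. The report sample is constructed (its CVE ids are placeholders) and follows Grype's JSON layout; the exact tag regex and the severity ordering are assumptions.

```python
import json
import re
from collections import Counter

# Severity names as Grype reports them (the ordering is an assumption of this example).
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Chainguard-style immutable tag such as "3.13.2-r1"; the exact regex is an assumption.
IMMUTABLE_TAG = re.compile(r"^\d+(\.\d+)*-r\d+$")

# Constructed report in Grype's JSON layout; CVE ids and packages are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["1.2.4-r0"]}},
     "artifact": {"name": "libexample", "version": "1.2.3-r0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "zlib", "version": "1.3-r0"}},
]})


def summarize(report_json: str) -> dict:
    """Count findings per severity and collect the ones that already have a fix."""
    counts, fixable = Counter(), []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        counts[vuln["severity"]] += 1
        fix = vuln.get("fix", {})
        if fix.get("state") == "fixed" and fix.get("versions"):
            fixable.append((vuln["id"], art["name"], fix["versions"][0]))
    return {"counts": dict(counts), "fixable": fixable, "total": sum(counts.values())}


def violates_policy(report_json: str, max_total: int = 5, fail_on: str = "High") -> list:
    """Return the reasons an image fails the gate (an empty list means it passes)."""
    s, reasons = summarize(report_json), []
    if s["total"] > max_total:
        reasons.append(f"{s['total']} CVEs exceed the budget of {max_total}")
    for sev, n in s["counts"].items():
        if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[fail_on]:
            reasons.append(f"{n} finding(s) rated {sev} (threshold {fail_on})")
    for cve, pkg, fix in s["fixable"]:
        reasons.append(f"{cve} in {pkg} is fixed in {fix}; a daily rebuild should pick it up")
    return reasons


def image_ref_ok(ref: str) -> bool:
    """Accept only digest-pinned references or immutable VERSION-rN tags, never :latest."""
    if "@sha256:" in ref:
        return True
    return bool(IMMUTABLE_TAG.match(ref.rpartition(":")[2]))
```

In a pipeline the report comes from `grype <image> -o json`, run after the image's cosign signature has been verified; a non-empty list from `violates_policy` or a `False` from `image_ref_ok` should block the rollout.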

Image Tags

Every image is published with two tags:

| Tag | Format | Example | Mutable | |-----|------

GitHub Stars: 422
Category: Development
Updated: 6h ago
Forks: 14

Languages

Makefile

Security Score

80/100

Audited on Mar 30, 2026

No findings