Creating Safer Containerized PHP Runtimes with Wolfi

• trivy

  83 21,388 9.8 Go

  Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

  

The combination of a smaller attack surface and up-to-date, patched packages in Wolfi results in less (always aiming for ZERO) CVEs. This can be demonstrated in the results obtained from Trivy when scanning the most popular PHP images on Docker Hub (with data from March 2, 2023) and comparing them with the Wolfi-based PHP image maintained by Chainguard:

• minicli

  12 1,007 7.4 PHP

  A minimalist framework for command-line applications in PHP

  

Let's create a simple demo app using Minicli, to demonstrate dependency management with Composer. The app will output a random combination of adjective + noun.

• InfluxDB

  www.influxdata.com featured

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• images

  6 492 9.9 HCL

  Public Chainguard Images (by chainguard-images)

  

In this article, we'll see how to leverage Wolfi to create safer PHP application environments based on containers. To demonstrate Wolfi usage in a Dockerfile workflow (using a Dockerfile to build your image), we'll create an image based on the wolfi-base image maintained by Chainguard. The goal is to have a final runtime image able to execute a PHP command-line script. By definition, this image won't be completely distroless, because it will require APK to be present in order to install system dependencies described in the Dockerfile. For building pure distroless images, you should have a look at apko.

Suggest a related project