Runtimes
24 runtimesHardened base images
These are the base images you build FROM and run on, the QuenchWorks answer to Chainguard's developer images. Every one is nonroot, shell-less, and multi-arch (amd64 + arm64), built from source on Wolfi, scanned to zero fixable CVEs, cosign-signed, and pinned by digest with an SPDX SBOM and a SLSA build-provenance attestation you can verify. 24 available now.
Language runtimes
The interpreter or toolchain for a language, ready to build and run code. Pick the version line you target and pin it.
-
0 CVE bun
Hardened Bun runtime and toolkit for JavaScript and TypeScript. Latest stable (1).
image v1
- 0 CVE
deno
Hardened Deno runtime for JavaScript and TypeScript, secure by default. Latest stable (2).
image v2
- 0 CVE
dotnet
Hardened .NET SDK (build and run). Latest 3 stable, including LTS (8/9/10).
image v8, 9, 10
- 0 CVE
elixir
Hardened Elixir runtime on the BEAM, built on Erlang/OTP. Latest stable (1.18).
image v1.18
- 0 CVE
erlang
Hardened Erlang/OTP runtime on the BEAM. Latest stable lines (27/28/29).
image v27, 28, 29
- 0 CVE
go
Hardened Go toolchain for builds; pair with a minimal base for the runtime. Latest 3 stable (1.24/1.25/1.26).
image v1.24, 1.25, 1.26
- 0 CVE
jdk
Hardened OpenJDK with javac. LTS lines 17/21/25.
image v17, 21, 25
- 0 CVE
node
Hardened Node.js runtime + npm. Active LTS lines (20/22/24).
image v20, 22, 24
- 0 CVE
perl
Hardened Perl interpreter for scripts and tooling. Latest stable (5).
image v5
- 0 CVE
php
Hardened PHP cli + common extensions. Latest 3 stable (8.3/8.4/8.5).
image v8.3, 8.4, 8.5
- 0 CVE
python
Hardened CPython interpreter + pip. A 0-CVE, signed, nonroot base image for Python apps. Latest 3 stable minors (no :latest).
image v3.12, 3.13, 3.14
- 0 CVE
ruby
Hardened Ruby interpreter + bundler. Latest 3 stable (3.2/3.3/3.4).
image v3.2, 3.3, 3.4
- 0 CVE
rust
Hardened Rust toolchain (cargo + rustc). Latest 3 stable (1.94/1.95/1.96).
image v1.94, 1.95, 1.96
Runtime bases
The slim final stage you copy a built app onto. No SDK, no build tools, just enough to run.
- 0 CVE
aspnet
Hardened ASP.NET Core runtime for web apps and APIs. Build on the dotnet image, run here. Lines 8/9/10.
image v8, 9, 10
- 0 CVE
dotnet-runtime
Hardened .NET runtime for console and worker apps, no SDK. Build on the dotnet image, run here. Lines 8/9/10.
image v8, 9, 10
- 0 CVE
jre
Hardened Java runtime (JRE) for running a built jar. Pair it with the jdk, maven, or gradle build image. LTS lines 17/21/25.
image v17, 21, 25
- 0 CVE
static
Tiny static base for self-contained binaries (Go, Rust). Nonroot, no shell, no package manager. The only image tagged :latest.
image vlatest
Build tools
A language base with a package or build tool preinstalled. Use it as the build stage, then run the result on a runtime base.
- 0 CVE
composer
PHP base with the Composer dependency manager. Use it as the build stage for PHP projects. Line 2.
image v2
- 0 CVE
gradle
JDK base with Gradle. Use it as the build stage for Gradle projects, then run the jar on jre. Line 9.
image v9
- 0 CVE
maven
JDK base with Apache Maven. Use it as the build stage for Maven projects, then run the jar on jre. Line 3.9.
image v3.9
- 0 CVE
pnpm
Node base with pnpm preinstalled via corepack. Use it as the build stage for pnpm projects. Lines 10/11.
image v10, 11
- 0 CVE
poetry
Python base with Poetry for dependency management. Use it as the build stage for Python projects. Line 2.
image v2
- 0 CVE
uv
Python base with uv, a fast installer and resolver. Use it as the build stage for Python projects. Line 0.11.
image v0.11
- 0 CVE
yarn
Node base with Yarn preinstalled. Use it as the build stage for Yarn projects. Lines 1 (classic) and 4 (berry).
image v1
Build guides
Each guide shows the multi-stage Dockerfile for its ecosystem, from the build stage to the slim image you ship.