deno

Runtime · Language runtime · standard · v2

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Hardened Deno runtime for JavaScript and TypeScript, secure by default. Latest stable (2).

Image

ghcr.io/quenchworks/images/deno:2

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

57.6 MB

SBOM packages

781

Last rebuilt

2026-06-03

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/deno:2

Or pull it directly

docker pull ghcr.io/quenchworks/images/deno:2

Version line: 2
Latest line: 2
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: MIT

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/deno:2 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/deno:2 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/deno:2 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build a Node app → Image source

Best-practice Dockerfile for 2

Cache dependencies into a vendored, read-only-friendly cache in the build stage, then copy that cache and the app onto a clean deno base. The runtime DENO_DIR lives under /tmp.

ghcr.io/quenchworks/images/deno:2 57.6 MB rebuilt 12 days ago 781 SBOM pkgs

1
# Build stage: cache deps into a fixed DENO_DIR, then compile checks.
2
FROM ghcr.io/quenchworks/images/deno:2 AS build
3
USER root
4
WORKDIR /app
5
ENV DENO_DIR=/deno-dir
6

7
COPY deno.json deno.lock ./
8
RUN ["deno", "install", "--frozen"]
9
COPY . .
10
RUN ["deno", "cache", "main.ts"]
11

12
# Runtime stage: copy the cache + app onto a clean deno base, run nonroot.
13
FROM ghcr.io/quenchworks/images/deno:2 AS runtime
14
WORKDIR /app
15
ENV DENO_DIR=/tmp/deno
16
COPY --from=build /deno-dir /tmp/deno
17
COPY --from=build /app /app
18
USER 1001
19
EXPOSE 8000
20
CMD ["deno", "run", "--allow-net", "--cached-only", "main.ts"]

This Dockerfile is pinned to the 2 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a Node app guide.

Upstream project: https://github.com/denoland/deno