dotnet 8

Runtime · Language runtime · standard · v8

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Hardened .NET SDK (build and run). Latest 3 stable, including LTS (8/9/10).

Version line

10 · latest 9 8

The latest line lives at the base page; older lines have their own page so you can pin and verify exactly that version.

Image

ghcr.io/quenchworks/images/dotnet:8

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

219.8 MB

SBOM packages

1514

Last rebuilt

2026-06-11

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/dotnet:8

Or pull it directly

docker pull ghcr.io/quenchworks/images/dotnet:8

Version line: 8
Latest line: 8, 9, 10
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: MIT

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/dotnet:8 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/dotnet:8 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/dotnet:8 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build a .NET app → Image source

Best-practice Dockerfile for 8

Restore and dotnet publish in Release with the full SDK, then run the published output on the aspnet base for web apps. The SDK and the NuGet cache stay in the build stage.

ghcr.io/quenchworks/images/dotnet:8 219.8 MB rebuilt 4 days ago 1514 SBOM pkgs

1
# Build stage: restore, then publish the app.
2
FROM ghcr.io/quenchworks/images/dotnet:8 AS build
3
USER root
4
WORKDIR /src
5
ENV NUGET_PACKAGES=/tmp/nuget \
6
    DOTNET_CLI_TELEMETRY_OPTOUT=1
7

8
COPY ["App.csproj", "./"]
9
RUN ["dotnet", "restore", "App.csproj"]
10
COPY . .
11
RUN ["dotnet", "publish", "App.csproj", "-c", "Release", "-o", "/app/publish", "--no-restore"]
12

13
# Runtime stage: ASP.NET Core runtime, nonroot.
14
FROM ghcr.io/quenchworks/images/aspnet:8 AS runtime
15
WORKDIR /app
16
ENV ASPNETCORE_URLS=http://+:8080 \
17
    DOTNET_CLI_TELEMETRY_OPTOUT=1
18
COPY --from=build /app/publish ./
19
USER 1001
20
EXPOSE 8080
21
ENTRYPOINT ["dotnet", "App.dll"]

This Dockerfile is pinned to the 8 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a .NET app guide.

Upstream project: https://github.com/dotnet/runtime