php 8.4

Runtime · Language runtime · standard · v8.4

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Hardened PHP cli + common extensions. Latest 3 stable (8.3/8.4/8.5).

Version line

8.5 · latest 8.4 8.3

The latest line lives at the base page; older lines have their own page so you can pin and verify exactly that version.

Image

ghcr.io/quenchworks/images/php:8.4

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

49.0 MB

SBOM packages

111

Last rebuilt

2026-06-14

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/php:8.4

Or pull it directly

docker pull ghcr.io/quenchworks/images/php:8.4

Version line: 8.4
Latest line: 8.3, 8.4, 8.5
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: PHP-3.01

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/php:8.4 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/php:8.4 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/php:8.4 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build hardened images → Image source

Best-practice Dockerfile for 8.4

Resolve dependencies with Composer in the build stage, then copy the vendor tree and app onto a clean php base. Composer itself never ships in the runtime image.

ghcr.io/quenchworks/images/php:8.4 49.0 MB rebuilt 1 day ago 111 SBOM pkgs

1
# Build stage: install prod dependencies with Composer.
2
FROM ghcr.io/quenchworks/images/composer:2 AS build
3
USER root
4
WORKDIR /app
5
ENV COMPOSER_CACHE_DIR=/tmp/composer
6

7
COPY composer.json composer.lock ./
8
RUN ["composer", "install", "--no-dev", "--no-scripts", "--prefer-dist", "--no-progress"]
9
COPY . .
10
RUN ["composer", "dump-autoload", "--optimize", "--no-dev"]
11

12
# Runtime stage: copy vendor + app onto a clean php base, run nonroot.
13
FROM ghcr.io/quenchworks/images/php:8.4 AS runtime
14
WORKDIR /app
15
COPY --from=build /app /app
16
USER 1001
17
EXPOSE 8080
18
CMD ["php", "-S", "0.0.0.0:8080", "-t", "public"]

This Dockerfile is pinned to the 8.4 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build hardened images guide.

Upstream project: https://github.com/php/php-src