python 3.13

Runtime · Language runtime · standard · v3.13

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Hardened CPython interpreter + pip. A 0-CVE, signed, nonroot base image for Python apps. Latest 3 stable minors (no :latest).

Version line

3.14 · latest 3.13 3.12

The latest line lives at the base page; older lines have their own page so you can pin and verify exactly that version.

Image

ghcr.io/quenchworks/images/python:3.13

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

30.7 MB

SBOM packages

Last rebuilt

2026-06-14

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/python:3.13

Or pull it directly

docker pull ghcr.io/quenchworks/images/python:3.13

Version line: 3.13
Latest line: 3.12, 3.13, 3.14
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: PSF-2.0

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/python:3.13 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/python:3.13 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/python:3.13 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build a Python app → Image source

Best-practice Dockerfile for 3.13

Build a self-contained virtualenv with the full build toolchain in the first stage, then copy just that venv onto a clean python base for the runtime. Compilers and headers never reach the deployed image.

ghcr.io/quenchworks/images/python:3.13 30.7 MB rebuilt 1 day ago 42 SBOM pkgs

1
# Build stage: install everything into a venv (build deps included).
2
FROM ghcr.io/quenchworks/images/python:3.13 AS build
3
USER root
4
WORKDIR /app
5
ENV VIRTUAL_ENV=/opt/venv \
6
    PATH="/opt/venv/bin:$PATH" \
7
    PIP_CACHE_DIR=/tmp/pip
8

9
RUN ["python", "-m", "venv", "/opt/venv"]
10
COPY requirements.txt ./
11
RUN ["pip", "install", "--no-cache-dir", "-r", "requirements.txt"]
12
COPY . .
13

14
# Runtime stage: copy the venv + app onto a clean python base, run nonroot.
15
FROM ghcr.io/quenchworks/images/python:3.13 AS runtime
16
WORKDIR /app
17
ENV VIRTUAL_ENV=/opt/venv \
18
    PATH="/opt/venv/bin:$PATH" \
19
    PYTHONUNBUFFERED=1 \
20
    XDG_CACHE_HOME=/tmp
21
COPY --from=build /opt/venv /opt/venv
22
COPY --from=build /app /app
23
USER 1001
24
EXPOSE 8000
25
CMD ["python", "-m", "app"]

This Dockerfile is pinned to the 3.13 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a Python app guide.

Upstream project: https://www.python.org