rust

Runtime · Language runtime · standard · v1.96

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Hardened Rust toolchain (cargo + rustc). Latest 3 stable (1.94/1.95/1.96).

Version line

1.96 · latest 1.95 1.94

The latest line lives at the base page; older lines have their own page so you can pin and verify exactly that version.

Image

ghcr.io/quenchworks/images/rust:1.96

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

385.0 MB

SBOM packages

Last rebuilt

2026-06-14

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/rust:1.96

Or pull it directly

docker pull ghcr.io/quenchworks/images/rust:1.96

Version line: 1.96
Latest line: 1.94, 1.95, 1.96
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: MIT OR Apache-2.0

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/rust:1.96 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/rust:1.96 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/rust:1.96 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build a Go or Rust binary → Image source

Best-practice Dockerfile for 1.96

Compile a release binary against the musl target on the rust image so it links statically, then copy it onto the tiny static base. The Cargo home points at /tmp for the read-only root filesystem.

ghcr.io/quenchworks/images/rust:1.96 385.0 MB rebuilt 1 day ago 60 SBOM pkgs

1
# Build stage: compile a static (musl) release binary.
2
FROM ghcr.io/quenchworks/images/rust:1.96 AS build
3
USER root
4
WORKDIR /src
5
ENV CARGO_HOME=/tmp/cargo
6

7
RUN ["rustup", "target", "add", "x86_64-unknown-linux-musl"]
8
COPY Cargo.toml Cargo.lock ./
9
COPY src ./src
10
RUN ["cargo", "build", "--release", "--target", "x86_64-unknown-linux-musl"]
11

12
# Runtime stage: just the binary on the tiny static base, nonroot.
13
FROM ghcr.io/quenchworks/images/static
14
COPY --from=build /src/target/x86_64-unknown-linux-musl/release/app /app
15
USER 1001
16
EXPOSE 8080
17
ENTRYPOINT ["/app"]

This Dockerfile is pinned to the 1.96 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a Go or Rust binary guide.

Upstream project: https://github.com/rust-lang/rust