Quenchworks

static

Runtime · Runtime base · standard · vlatest

0 fixable CVEs · nonroot · cosign signed · SPDX SBOM · SLSA provenance · amd64 · arm64

Tiny static base for self-contained binaries (Go, Rust). Nonroot, no shell, no package manager. The only image tagged :latest.

Image: ghcr.io/quenchworks/images/static:latest
Signed: cosign keyless
SBOM: SPDX, on digest
Provenance: SLSA build
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Image size: 631.1 KB
SBOM packages: 4
Last rebuilt: 2026-04-23

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/static:latest

Or pull it directly

docker pull ghcr.io/quenchworks/images/static:latest

Version line: latest
Latest line: latest
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: MIT

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/static:latest \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/static:latest --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/static:latest --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.
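
Tags are mutable, so a check run against :latest and a later pull of :latest can land on different digests. The added example below (not QuenchWorks' own script; the function names are hypothetical, and resolving the digest with docker is an assumption) resolves the tag once, runs the three checks above against that digest, and prints a digest-pinned FROM line only if all of them pass.

```sh
#!/bin/sh
# Added example (not QuenchWorks code): verify one digest, then pin FROM to it.
# Function names are hypothetical; identity, issuer and owner come from the page.
LC_ALL=C; export LC_ALL   # byte-wise character ranges for the hex check below
IDENTITY_RE='https://github.com/quenchworks/.+'
ISSUER='https://token.actions.githubusercontent.com'
OWNER='quenchworks'

# repo_of REF: strip the :tag or @digest, keeping any registry port.
repo_of() {
  _ref="${1%%@*}"      # drop an @sha256:... suffix if present
  _last="${_ref##*/}"  # a tag can only sit in the final path component
  printf '%s\n' "${_ref%"$_last"}${_last%%:*}"
}

# pin_ref REF DIGEST: print repo@sha256:<64 hex>; fail on a malformed digest.
pin_ref() {
  case "$2" in sha256:*) _hex="${2#sha256:}" ;; *) return 1 ;; esac
  [ "${#_hex}" -eq 64 ] || return 1
  case "$_hex" in *[!0-9a-f]*) return 1 ;; esac
  printf '%s@%s\n' "$(repo_of "$1")" "$2"
}

# verify_pinned REF: resolve the tag once, run the page's three checks against
# that digest, and print a FROM line only if every check passed.
verify_pinned() {
  docker pull --quiet "$1" >/dev/null || return 1
  _rd="$(docker image inspect --format '{{index .RepoDigests 0}}' "$1")" || return 1
  _pinned="$(pin_ref "$1" "${_rd##*@}")" || return 1
  cosign verify "$_pinned" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$ISSUER" >/dev/null || return 1
  gh attestation verify "oci://$_pinned" --owner "$OWNER" >/dev/null || return 1
  gh attestation verify "oci://$_pinned" --owner "$OWNER" \
    --predicate-type https://spdx.dev/Document >/dev/null || return 1
  printf 'FROM %s\n' "$_pinned"
}

# Run the network checks only when a reference is passed on the command line.
if [ "$#" -gt 0 ]; then verify_pinned "$1"; fi
```

Paste the printed line over the FROM of the final stage so the build uses exactly the digest that was verified.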

Best-practice Dockerfile for latest

static is a runtime base you copy a built artifact onto, not something you install into. Here a Go binary is compiled in a build stage and the static image is the final stage that carries it. A Rust musl binary lands the same way.

# Build stage: compile a fully static binary (Go shown; Rust musl is the same idea).
FROM ghcr.io/quenchworks/images/go:1.25 AS build
USER root
WORKDIR /src
ENV CGO_ENABLED=0 \
    GOOS=linux \
    GOCACHE=/tmp/gocache \
    GOMODCACHE=/tmp/gomodcache
COPY go.mod go.sum ./
RUN ["go", "mod", "download"]
COPY . .
RUN ["go", "build", "-trimpath", "-ldflags=-s -w", "-o", "/out/app", "./cmd/app"]

# This image is the final runtime stage: just the binary, nonroot.
FROM ghcr.io/quenchworks/images/static
COPY --from=build /out/app /app
USER 1001
EXPOSE 8080
ENTRYPOINT ["/app"]

This Dockerfile is pinned to the latest line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a Go or Rust binary guide.

Upstream project: https://github.com/wolfi-dev