Skip to content

bare-devcontainer/images

Repository files navigation

Bare Dev Container Images

Lint Build Checks Trivy Scan Attestation Checks

Minimal, secure, and bloat-free Dev Container base images for various technology stacks, published to GitHub Container Registry.

Goals

  • Dev Container ready — Each image comes with standard Dev Container configuration pre-applied, so it works out of the box.
  • Minimal attack surface — Each image includes only the packages and configuration required for its target stack. Keeping installed software to a minimum helps reduce the potential vulnerability surface of each development environment.
  • Minimal trusted upstreams — Software is sourced only from the official Debian package archive, Docker Official Images, and the official distribution channels for each language runtime or package manager. Packages are verified using the officially recommended methods for each upstream, such as GPG or minisign.
  • Secure build pipeline — All dependencies are pinned to specific versions and content digests. Published images include SLSA provenance attestations, making the build process verifiable.
  • Regular base updates — Debian base images are updated regularly with Renovate so upstream security patches can be incorporated promptly.

Dev Container base images are available from Microsoft (link), but they are often larger than necessary and include many packages that may not be needed for a given development environment. These images are intended to provide a more minimal alternative.

Available Images

Image Registry Description
bun ghcr.io/bare-devcontainer/bun Bun runtime on Debian
debian ghcr.io/bare-devcontainer/debian Debian base image
golang ghcr.io/bare-devcontainer/golang Go toolchain on Debian
mise ghcr.io/bare-devcontainer/mise mise runtime manager on Debian
node ghcr.io/bare-devcontainer/node Node.js on Debian
rust ghcr.io/bare-devcontainer/rust Rust (via rustup) on Debian
terraform ghcr.io/bare-devcontainer/terraform Terraform CLI on Debian
uv ghcr.io/bare-devcontainer/uv Python (via uv) on Debian
zig ghcr.io/bare-devcontainer/zig Zig toolchain on Debian

See the individual image directories for more details on each image, including available tags and usage instructions.

Getting Started

Tip

Pinning images to a specific digest (e.g. image:tag@sha256:...) is strongly recommended. You can find the digest for a published image on the GitHub Container Registry page, or by running:

docker buildx imagetools inspect ghcr.io/bare-devcontainer/<image>:<tag>

Using a Dev Container Template (Recommended)

The quickest way to get started is to use one of the pre-built templates from the bare-devcontainer/templates repository. These templates provide ready-to-use Dev Container configurations for available images.

Using Directly in devcontainer.json

Reference an image directly in .devcontainer/devcontainer.json:

{
  "image": "ghcr.io/bare-devcontainer/debian:trixie@sha256:<digest>"
}

Using with a Dockerfile

Create a Dockerfile that extends one of the images, then reference it from .devcontainer/devcontainer.json:

FROM ghcr.io/bare-devcontainer/rust:1@sha256:<digest>

# Add your project-specific setup here
RUN cargo install cargo-watch
{
  "build": {
    "dockerfile": "Dockerfile"
  }
}

Using with Docker Compose

Create a compose.yml that references the image, then reference it from .devcontainer/devcontainer.json:

services:
  app:
    image: ghcr.io/bare-devcontainer/golang:1.26@sha256:<digest>
    volumes:
      - ..:/workspaces
    command: sleep infinity
{
  "dockerComposeFile": "compose.yml",
  "service": "app",
  "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}"
}

Verifying Published Images

Before using an image, you can confirm its authenticity and audit its contents using the artifacts published alongside each image. The GitHub artifact attestation lets you verify that the image was built by the official pipeline and has not been tampered with. The build provenance and SBOM embedded in the OCI manifest let you inspect where and how the image was built, and what packages it contains.

GitHub Artifact Attestation

All published images include artifact attestations generated by the build pipeline using actions/attest. You can verify an image using the gh attestation verify command:

gh attestation verify oci://ghcr.io/bare-devcontainer/<image>:<tag>@sha256:<digest> \
  --owner bare-devcontainer

For example:

gh attestation verify oci://ghcr.io/bare-devcontainer/golang:1.26@sha256:<digest> \
  --owner bare-devcontainer

A successful verification confirms that the image was built by the official GitHub Actions workflow in this repository and has not been tampered with.

Build Provenance

Each image also includes a SLSA provenance attestation embedded in the OCI manifest, generated by Docker Buildx. You can inspect it with:

docker buildx imagetools inspect ghcr.io/bare-devcontainer/<image>:<tag>@sha256:<digest> \
  --format '{{json .Provenance}}'

SBOM

A Software Bill of Materials (SBOM) in SPDX format is embedded in the OCI manifest for each image. You can inspect it with:

docker buildx imagetools inspect ghcr.io/bare-devcontainer/<image>:<tag>@sha256:<digest> \
  --format '{{json .SBOM}}'

License

MIT

About

Minimal, secure, and bloat-free Dev Container base images for various technology stacks.

Topics

Resources

License

Security policy

Stars

2 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors