Minimal, secure, and bloat-free Dev Container base images for various technology stacks, published to GitHub Container Registry.
- Dev Container ready — Each image comes with standard Dev Container configuration pre-applied, so it works out of the box.
- Minimal attack surface — Each image includes only the packages and configuration required for its target stack. Keeping installed software to a minimum helps reduce the potential vulnerability surface of each development environment.
- Minimal trusted upstreams — Software is sourced only from the official Debian package archive, Docker Official Images, and the official distribution channels for each language runtime or package manager. Packages are verified using the officially recommended methods for each upstream, such as GPG or minisign.
- Secure build pipeline — All dependencies are pinned to specific versions and content digests. Published images include SLSA provenance attestations, making the build process verifiable.
- Regular base updates — Debian base images are updated regularly with Renovate so upstream security patches can be incorporated promptly.
Dev Container base images are available from Microsoft (link), but they are often larger than necessary and include many packages that may not be needed for a given development environment. These images are intended to provide a more minimal alternative.
| Image | Registry | Description |
|---|---|---|
| bun | ghcr.io/bare-devcontainer/bun |
Bun runtime on Debian |
| debian | ghcr.io/bare-devcontainer/debian |
Debian base image |
| golang | ghcr.io/bare-devcontainer/golang |
Go toolchain on Debian |
| mise | ghcr.io/bare-devcontainer/mise |
mise runtime manager on Debian |
| node | ghcr.io/bare-devcontainer/node |
Node.js on Debian |
| rust | ghcr.io/bare-devcontainer/rust |
Rust (via rustup) on Debian |
| terraform | ghcr.io/bare-devcontainer/terraform |
Terraform CLI on Debian |
| uv | ghcr.io/bare-devcontainer/uv |
Python (via uv) on Debian |
| zig | ghcr.io/bare-devcontainer/zig |
Zig toolchain on Debian |
See the individual image directories for more details on each image, including available tags and usage instructions.
Tip
Pinning images to a specific digest (e.g. image:tag@sha256:...) is strongly recommended. You can find the digest for a published image on the GitHub Container Registry page, or by running:
docker buildx imagetools inspect ghcr.io/bare-devcontainer/<image>:<tag>The quickest way to get started is to use one of the pre-built templates from the bare-devcontainer/templates repository. These templates provide ready-to-use Dev Container configurations for available images.
Reference an image directly in .devcontainer/devcontainer.json:
{
"image": "ghcr.io/bare-devcontainer/debian:trixie@sha256:<digest>"
}Create a Dockerfile that extends one of the images, then reference it from .devcontainer/devcontainer.json:
FROM ghcr.io/bare-devcontainer/rust:1@sha256:<digest>
# Add your project-specific setup here
RUN cargo install cargo-watch{
"build": {
"dockerfile": "Dockerfile"
}
}Create a compose.yml that references the image, then reference it from .devcontainer/devcontainer.json:
services:
app:
image: ghcr.io/bare-devcontainer/golang:1.26@sha256:<digest>
volumes:
- ..:/workspaces
command: sleep infinity{
"dockerComposeFile": "compose.yml",
"service": "app",
"workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}"
}Before using an image, you can confirm its authenticity and audit its contents using the artifacts published alongside each image. The GitHub artifact attestation lets you verify that the image was built by the official pipeline and has not been tampered with. The build provenance and SBOM embedded in the OCI manifest let you inspect where and how the image was built, and what packages it contains.
All published images include artifact attestations generated by the build pipeline using actions/attest. You can verify an image using the gh attestation verify command:
gh attestation verify oci://ghcr.io/bare-devcontainer/<image>:<tag>@sha256:<digest> \
--owner bare-devcontainerFor example:
gh attestation verify oci://ghcr.io/bare-devcontainer/golang:1.26@sha256:<digest> \
--owner bare-devcontainerA successful verification confirms that the image was built by the official GitHub Actions workflow in this repository and has not been tampered with.
Each image also includes a SLSA provenance attestation embedded in the OCI manifest, generated by Docker Buildx. You can inspect it with:
docker buildx imagetools inspect ghcr.io/bare-devcontainer/<image>:<tag>@sha256:<digest> \
--format '{{json .Provenance}}'A Software Bill of Materials (SBOM) in SPDX format is embedded in the OCI manifest for each image. You can inspect it with:
docker buildx imagetools inspect ghcr.io/bare-devcontainer/<image>:<tag>@sha256:<digest> \
--format '{{json .SBOM}}'