
StageX Container Images

Zero-trust reproducible container base images for the IPCEI-CIS platform.

    Overview

    StageX provides minimal, reproducible, zero-trust container base images for the IPCEI-CIS Edge Developer Platform. Built from source using the StageX upstream methodology, these images contain no package manager and compose dependencies exclusively via the COPY --from= OCI pattern.

    Repository: edp.buildth.ing/DevFW-CICD/stagex

    Key Properties

    • Zero-trust — no package manager, no shell in production images, minimal attack surface
    • Reproducible — all images pinned by sha256 digest; SOURCE_DATE_EPOCH ensures deterministic timestamps
    • Minimal — musl libc, LLVM/Clang toolchain; base image is 45.7MB
    • Signed — cosign signing with Kyverno N-of-M policy verification
    • Scanned — Trivy + Grype vulnerability scanning in CI; 0 CVEs at build time
    • Efficient — 100% layer efficiency with 0 wasted bytes; a 37% smaller Forgejo Runner image was achieved

    Available Images

    All images are published to the EDP container registry:

    Image                 Description                              Size
    stagex-base           Minimal base image (musl, coreutils)     45.7 MB
    stagex-base-go        Go runtime (base + Go toolchain)         4.86 MB runtime
    stagex-base-nodejs    Node.js runtime
    stagex-base-python    Python runtime
    stagex-base-rust      Rust runtime
    stagex-base-java      Java runtime
    stagex-base-ruby      Ruby runtime
    stagex-base-static    Static binary base (no libc)

    Registry path: edp.buildth.ing/devfw-cicd/stagex-{base,base-go,base-nodejs,base-python,base-rust,base-java,base-ruby,base-static}

    Build Methodology

    StageX images are composed without a package manager. Dependencies are layered using the OCI COPY --from= pattern:

    # Each upstream StageX package is its own image; name the ones to compose.
    FROM stagex/core-busybox AS busybox
    FROM stagex/core-musl AS musl
    FROM stagex/core-openssl AS openssl
    
    # Start from an empty filesystem and copy the package contents in.
    # No package manager runs; the result contains only what was copied.
    FROM scratch
    COPY --from=musl / /
    COPY --from=openssl / /
    COPY --from=busybox / /
    

    All upstream StageX packages are built from source with:

    • musl libc (not glibc)
    • LLVM/Clang toolchain
    • PGP quorum signing for upstream package verification

    CI Pipeline

    The build pipeline (.forgejo/workflows/build-sign.yaml) performs:

    1. Build — multi-stage Docker build with SOURCE_DATE_EPOCH for reproducibility
    2. Sign — cosign keyless signing attached to the image manifest
    3. Scan — Trivy and Grype vulnerability scanning
    4. Push — publish to the EDP registry with digest pinning

    Supply Chain Verification

    Cosign Signing

    All images are signed using cosign. Verification:

    cosign verify --key cosign.pub edp.buildth.ing/devfw-cicd/stagex-base:latest
    

    Kyverno Policy

    A Kyverno ClusterPolicy enforces N-of-M signature verification at admission time, ensuring only properly signed images are deployed to the cluster.
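    The admission policy described above, as an added example that is not from the StageX repository or this page: a Kyverno ClusterPolicy requiring 2 of 3 configured cosign public keys to verify every stagex-* image before a Pod is admitted. The policy name, the Secret names and the kyverno namespace are assumptions; Kyverno reads each key-based attestor's public key from a Kubernetes Secret under the data key cosign.pub.

```yaml
# Added example (not StageX project code): Kyverno ClusterPolicy enforcing
# 2-of-3 cosign signature verification for StageX images at admission time.
# The policy name, Secret names and namespace below are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-stagex-image-signatures
spec:
  validationFailureAction: Enforce   # reject non-compliant Pods, do not merely audit
  webhookTimeoutSeconds: 30
  rules:
    - name: require-2-of-3-cosign-signatures
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "edp.buildth.ing/devfw-cicd/stagex-*"
          required: true        # an unsigned or unverifiable image is rejected
          mutateDigest: true    # rewrite a tag such as :latest to the verified sha256 digest
          verifyDigest: true    # refuse images that cannot be resolved to a digest
          attestors:
            - count: 2          # N of the M entries below must verify (here 2 of 3)
              entries:
                - keys:
                    secret:
                      name: stagex-cosign-key-release    # assumed Secret holding cosign.pub
                      namespace: kyverno
                - keys:
                    secret:
                      name: stagex-cosign-key-ci         # assumed Secret holding cosign.pub
                      namespace: kyverno
                - keys:
                    secret:
                      name: stagex-cosign-key-security   # assumed Secret holding cosign.pub
                      namespace: kyverno
```

    With mutateDigest enabled, a manifest that references stagex-base:latest is rewritten to the verified digest at admission, so the running Pod stays pinned even when the author wrote a tag.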

    Requirements

    • Docker v25+ with containerd image store enabled (required for reproducible builds)
    • amd64 architecture (arm64 is designed for, but pending upstream support)

    Completed Work

    Story                      Description
    Evaluate StageX            Assessed upstream StageX for IPCEI-CIS suitability
    Reproducible multi-arch    Reproducible build pipeline (amd64; arm64 pending)
    Language images            Go, Node.js, Python, Rust, Java, Ruby runtimes
    Signing & provenance       Cosign signing + Kyverno verification
    SBOM & scanning            Trivy + Grype integration, SBOM generation
    Reference tool             Reference application demonstrating StageX usage
    Documentation              This documentation page