StageX Container Images
Overview
StageX provides minimal, reproducible, zero-trust container base images for the IPCEI-CIS Edge Developer Platform. Built from source using the StageX upstream methodology, these images contain no package manager and compose dependencies exclusively via the COPY --from= OCI pattern.
Repository: edp.buildth.ing/DevFW-CICD/stagex
Key Properties
- Zero-trust — no package manager, no shell in production images, minimal attack surface
- Reproducible — all images pinned by sha256 digest;
SOURCE_DATE_EPOCHensures deterministic timestamps - Minimal — musl libc, LLVM/Clang toolchain; base image is 45.7MB
- Signed — cosign signing with Kyverno N-of-M policy verification
- Scanned — Trivy + Grype vulnerability scanning in CI; 0 CVEs at build time
- Efficient — 100% layer efficiency, 0 wasted bytes; 37% smaller Forgejo Runner image achieved
Available Images
All images are published to the EDP container registry:
| Image | Description | Size |
|---|---|---|
stagex-base | Minimal base image (musl, coreutils) | 45.7 MB |
stagex-base-go | Go runtime (base + Go toolchain) | 4.86 MB runtime |
stagex-base-nodejs | Node.js runtime | — |
stagex-base-python | Python runtime | — |
stagex-base-rust | Rust runtime | — |
stagex-base-java | Java runtime | — |
stagex-base-ruby | Ruby runtime | — |
stagex-base-static | Static binary base (no libc) | — |
Registry path: edp.buildth.ing/devfw-cicd/stagex-{base,base-go,base-nodejs,base-python,base-rust,base-java,base-ruby,base-static}
Build Methodology
StageX images are composed without a package manager. Dependencies are layered using the OCI COPY --from= pattern:
FROM stagex/core-busybox AS busybox
FROM stagex/core-musl AS musl
FROM stagex/core-openssl AS openssl
FROM scratch
COPY --from=musl / /
COPY --from=openssl / /
COPY --from=busybox / /
All upstream StageX packages are built from source with:
- musl libc (not glibc)
- LLVM/Clang toolchain
- PGP quorum signing for upstream package verification
CI Pipeline
The build pipeline (.forgejo/workflows/build-sign.yaml) performs:
- Build — multi-stage Docker build with
SOURCE_DATE_EPOCHfor reproducibility - Sign — cosign keyless signing attached to the image manifest
- Scan — Trivy and Grype vulnerability scanning
- Push — publish to the EDP registry with digest pinning
Supply Chain Verification
Cosign Signing
All images are signed using cosign. Verification:
cosign verify --key cosign.pub edp.buildth.ing/devfw-cicd/stagex-base:latest
Kyverno Policy
A Kyverno ClusterPolicy enforces N-of-M signature verification at admission time, ensuring only properly signed images are deployed to the cluster.
Requirements
- Docker v25+ with containerd image store enabled (required for reproducible builds)
- amd64 architecture (arm64 designed for but pending upstream support)
Completed Work
| Story | Description |
|---|---|
| Evaluate StageX | Assessed upstream StageX for IPCEI-CIS suitability |
| Reproducible multi-arch | Reproducible build pipeline (amd64; arm64 pending) |
| Language images | Go, Node.js, Python, Rust, Java, Ruby runtimes |
| Signing & provenance | Cosign signing + Kyverno verification |
| SBOM & scanning | Trivy + Grype integration, SBOM generation |
| Reference tool | Reference application demonstrating StageX usage |
| Documentation | This documentation page |