swan tron dot com

Secure Base Images for Docker

Do you hate insecure base images? Sure, we all do..

I built a thing: secure-base-images. It’s a minimal, security-hardened Docker base image for static Go binaries.

CI workflow running tests and build

Issue

Most Docker images are bloated. They ship shells, package managers, and a pile of dependencies your app never calls. Every one of those is attack surface that your security team loves to talk about, and it drives pipeline-speed guys like me insane. A static Go binary needs almost none of it at runtime: the binary itself and a CA certificate bundle so outbound TLS can verify peers.

Solution

A distroless base image that gives you:

  • Clean scans - Trivy runs on every build and fails it on CRITICAL/HIGH findings, so what ships carries no known CRITICAL/HIGH CVEs as of the scan (a clean scan is a point-in-time statement about known issues, not a proof of zero vulnerabilities)
  • Minimal attack surface - No shell, no package manager, just your binary and a CA bundle
  • Non-root execution - Runs as uid 65532 by default
  • Multi-platform - amd64 and arm64 images built and published via GitHub Actions
  • Dead simple - 3 lines in ya Dockerfile

Usage

FROM swantron/secure-base:latest
COPY myapp /app
ENTRYPOINT ["/app"]

That’s it. Push a tag, GitHub Actions builds it, scans it with Trivy, and publishes to Docker Hub if it’s clean (it is). For anything beyond a demo, pin a version tag or the image digest rather than latest, so the base under your binary only changes when you choose to move it.

Clean Trivy scan - zero vulnerabilities

Under the Hood

The GitHub Actions workflow is doing the heavy lifting:

  1. Runs integration tests (non-root user, no shell, CA certs present, etc.)
  2. Builds the image
  3. Scans with Trivy - build fails on CRITICAL/HIGH findings
  4. Multi-platform build (amd64/arm64)
  5. Pushes to Docker Hub on release tags
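Here is what those five steps look like as a GitHub Actions workflow. This is an added illustration written for this page, not the workflow from the secure-base-images repo; the job layout, the ci tag, the secret names DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, and the CA bundle path etc/ssl/certs/ca-certificates.crt (where distroless keeps it) are assumptions. It builds an amd64 candidate and loads it into the local daemon, runs the three integration checks from step 1 against that exact image, gates on Trivy, and only then does the multi-platform build and push, and only on a v* tag.

```yaml
name: base-image

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

permissions:
  contents: read

env:
  IMAGE: swantron/secure-base   # Docker Hub repo from the post

jobs:
  build-scan-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3

      # Single-arch build loaded into the local daemon so the tests and the
      # scan run against the same bytes that will be published.
      - name: Build amd64 candidate
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          tags: ${{ env.IMAGE }}:ci

      - name: Integration tests (non-root, no shell, CA certs)
        run: |
          set -euo pipefail
          IMG="${IMAGE}:ci"

          # Non-root: USER must be the numeric uid 65532 (optionally 65532:65532).
          # Numeric matters: Kubernetes runAsNonRoot cannot verify a named user
          # without a passwd lookup, and a distroless image has no tooling for that.
          user=$(docker inspect -f '{{.Config.User}}' "$IMG")
          case "$user" in
            65532|65532:*) ;;
            *) echo "expected USER 65532, got '$user'"; exit 1 ;;
          esac

          # No shell: exec'ing /bin/sh must fail with docker's 127 (executable
          # not found). Any other exit code means something else broke.
          rc=0
          docker run --rm --entrypoint /bin/sh "$IMG" -c true >/dev/null 2>&1 || rc=$?
          [ "$rc" -eq 127 ] || { echo "expected no shell (rc 127), got rc $rc"; exit 1; }

          # CA certs: export the root filesystem and look for the bundle (assumed
          # path). A placeholder command is passed because the base has no CMD.
          # grep without -q reads to EOF, so tar is not killed by SIGPIPE under pipefail.
          cid=$(docker create "$IMG" /placeholder)
          if docker export "$cid" | tar -t | grep -Ex '(\./)?etc/ssl/certs/ca-certificates.crt' >/dev/null; then
            docker rm "$cid" >/dev/null
          else
            docker rm "$cid" >/dev/null
            echo "CA bundle missing"; exit 1
          fi

      # Gate: CRITICAL/HIGH findings fail the job, so nothing below runs.
      - name: Trivy scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE }}:ci
          format: table
          severity: CRITICAL,HIGH
          exit-code: '1'

      - name: Log in to Docker Hub
        if: startsWith(github.ref, 'refs/tags/v')
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Multi-platform manifest, pushed only for release tags.
      - name: Build and push amd64/arm64
        if: startsWith(github.ref, 'refs/tags/v')
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: |
            ${{ env.IMAGE }}:latest
            ${{ env.IMAGE }}:${{ github.ref_name }}
```

Two things to be deliberate about. The Trivy step scans the amd64 candidate; if you want the gate on the actual arm64 bytes as well, build and load a second candidate with platforms: linux/arm64 and run the same scan step on it. And resist adding ignore-unfixed: true to the scan just to keep builds green: it stops the gate from blocking on CVEs that have no upstream fix yet, which means shipping them knowingly rather than not at all.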

It’s opinionated but in a good way. Security by default.

Published to Docker Hub with latest and version tags

Get It

Source: https://github.com/swantron/secure-base-images

Docker Hub: swantron/secure-base:latest

The QUICKSTART.md gets you from zero to published in about 10 minutes.

tronswan update

I’ve been busy with tron swan dot com.

It’s still just hammering on stuff and learning, with a robot motif. The robot spins.

Spinning robot

Reminder: the site is a playground, and is sort of stupid. It is also a nicely done React site with modern patterns and a legit pipeline. I run a bunch of health checks for other services.. there is a nice weather feature.. I use it to stream Spotify while I work. It is all over the place.

Here’s the source: https://github.com/swantron/tronswan

Eclipse Colander

strain noodles: ❌
strain sun: ✅

40%-ish solar eclipse in Bozeman. Time to make crescents.

cidamin

10 year-old provided jellybean feedback to 12 year-old..

tron swan dot com

Alex from Peloton likes to say something along the lines of “you don’t have to get ready if you stay ready.” It’s pretty good advice.

Along those lines I decided to put together a react app to stay fresh. I’ve been hammering on (gitlab) pipelines and api frameworks at work for most of the year.. time for a project.

It is live on tronswan.com

The goals were to:
- hit some APIs from react
- mess around and build some components
- implement playwright on a project
- write GH Actions to handle build / test / deploy
- POC CI/CD to DigitalOcean

Pretty fun project.. I’m displaying weather stuff and doing fizzbuzz via a weird component. Full CI/CD. Take a look if you’re bored.

https://github.com/swantron/tronswan

MT is Cold

➜  ~ curl -s "https://api.openweathermap.org/geo/1.0/direct?q=Bozeman&limit=5&appid=$WEATHER_API_KEY" | jq .
[
  {
    "name": "Bozeman",
    "local_names": {
      "en": "Bozeman",
      "ru": "Бозмен"
    },
    "lat": 45.6794293,
    "lon": -111.044047,
    "country": "US",
    "state": "Montana"
  }
]
➜  ~ curl -s "https://api.openweathermap.org/data/2.5/weather?lat=45.67&lon=-111.04&appid=$WEATHER_API_KEY&units=imperial" | jq .main
{
  "temp": -18.99,
  "feels_like": -31.59,
  "temp_min": -21.44,
  "temp_max": -15.3,
  "pressure": 1022,
  "humidity": 71
}

MT 5G

1/19/2023 - Bozeman gets Verizon 5G

It is both fast and several years late.

ooh zap!

I mentioned in the previous post that the lightning picture would possibly look nice on a canvas, or
“It would, without any doubt, look fucking awesome on a sleeveless shirt if I crop out the neighbors’ houses.”

Here’s the crop..

.. go nuts.

Montana Lightning Photo

I don’t think there’s a contest, but here’s my entry.

Cellphones are pretty amazing.. that pic was taken through glass via Google Night Sight. The camera operator basically just has to aim at an area and keep the device still for a minute or so. Crazy storm, crazy technology. I would say something like ’the future is here, but the skies are angry’, but that would sound very stupid.

I don’t know.. the picture might look pretty awesome on a canvas. It would, without any doubt, look fucking awesome on a sleeveless shirt if I crop out the neighbors’ houses.

Wildly Inaccurate Map of Montana