First, let’s remind ourselves of the current vulnerability report for the thumbnailer image.
Return to the thumbnailer directory:
cd ../thumbnailer
And run the report:
snyk container test $REPO/thumbnailer --file=Dockerfile --exclude-app-vulns
This should show you something like:
...
Tested 429 dependencies for known issues, found 164 issues.
Base Image Vulnerabilities Severity
python:3.12.0 164 1 critical, 1 high, 5 medium, 157 low
...
And we can also check the size of the image:
docker images $REPO/thumbnailer:latest
Which should be similar to:
REPOSITORY TAG IMAGE ID CREATED SIZE
145201137172.dkr.ecr.us-west-2.amazonaws.com/thumbnailer latest c3d3afba8bd9 About an hour ago 1.03GB
Now let’s try changing the base image to a Chainguard one.
Double click on the Dockerfile under the thumbnailer directory in your Cloud9 IDE sidebar and change the start of the file from:
FROM python:3.12.0
To:
FROM cgr.dev/chainguard/python:latest-dev
USER root
RUN apk add imagemagick
Also change the CMD on the last line from:
CMD ["python3","webapp.py"]
To:
CMD ["webapp.py"]
Don't forget to save the Dockerfile!
Now, rebuild the image:
docker build -t $REPO/thumbnailer .
… and let’s re-scan it:
snyk container test $REPO/thumbnailer --file=Dockerfile --exclude-app-vulns
The results should show a big reduction in vulnerabilities:
...
✔ Tested 67 dependencies for known issues, no vulnerable paths found.
Currently, we only offer base image recommendations for Official Docker images
The image size should also be significantly reduced. Try running:
docker images $REPO/thumbnailer
REPOSITORY TAG IMAGE ID CREATED SIZE
145201137172.dkr.ecr.us-west-2.amazonaws.com/thumbnailer latest 952b7d0abf76 About a minute ago 545MB
145201137172.dkr.ecr.us-west-2.amazonaws.com/thumbnailer <none> c3d3afba8bd9 2 hours ago 1.03GB
145201137172.dkr.ecr.us-west-2.amazonaws.com/thumbnailer <none> 068e2a1bb86a 3 hours ago 941MB
The Chainguard image is around half the size of the previous version.
As before, you can push the image and deploy the application:
docker push $REPO/thumbnailer:latest
Followed by:
kubectl scale deployment thumbnailer --replicas=0
kubectl scale deployment thumbnailer --replicas=1
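The steps above are done by hand in the IDE and by eye on the terminal output. The script below is an added example, not part of the workshop or of Chainguard's own tooling: it applies the same Dockerfile edit (base image, USER root, apk add imagemagick, CMD) with awk, parses the snyk summary line for the issue count, converts the sizes printed by docker images to megabytes, and combines the two into a simple gate that only passes when the rebuilt image has zero reported issues and is smaller than the previous one. It assumes the Dockerfile contains the exact FROM and CMD lines shown above; the Dockerfile, scan output and sizes it runs on are constructed samples embedded in the script, so it runs offline.

```shell
#!/usr/bin/env bash
# Added example (not part of the original workshop). Automates the base image
# swap described above and gates the result on the scan summary and image size.
# Assumption: the Dockerfile has the exact "FROM python:3.12.0" and
# CMD ["python3","webapp.py"] lines shown in the workshop.

# Rewrite a Dockerfile in place: swap the Docker Official python base for the
# Chainguard python:latest-dev variant, add the imagemagick install (Chainguard
# images run as a non-root user by default, hence USER root), and drop the
# explicit python3 from CMD because the Chainguard image already uses python
# as its entrypoint.
migrate_dockerfile() {
  local file="$1" tmp
  tmp="$(mktemp)"
  awk '
    $0 == "FROM python:3.12.0" {
      print "FROM cgr.dev/chainguard/python:latest-dev"
      print "USER root"
      print "RUN apk add imagemagick"
      next
    }
    $0 == "CMD [\"python3\",\"webapp.py\"]" {
      print "CMD [\"webapp.py\"]"
      next
    }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the image reference from the first FROM line of a Dockerfile.
base_image() {
  awk '$1 == "FROM" { print $2; exit }' "$1"
}

# Print the issue count from a saved "snyk container test" run ($1 is the
# output file). Prints 164 for "found 164 issues." and 0 for the
# "no vulnerable paths found" line; prints nothing if no summary is present.
snyk_issue_count() {
  sed -n \
    -e 's/.*Tested [0-9][0-9]* dependencies for known issues, found \([0-9][0-9]*\) issues\..*/\1/p' \
    -e 's/.*no vulnerable paths found.*/0/p' \
    "$1"
}

# Convert a size as printed by "docker images" (e.g. 1.03GB, 545MB) to whole
# megabytes. docker uses decimal units, so 1GB is 1000MB.
to_mb() {
  case "$1" in
    *GB) awk -v v="${1%GB}" 'BEGIN { printf "%d\n", int(v * 1000 + 0.5) }' ;;
    *MB) awk -v v="${1%MB}" 'BEGIN { printf "%d\n", int(v + 0.5) }' ;;
    *)   echo "to_mb: unsupported unit in $1" >&2; return 1 ;;
  esac
}

# Gate: $1 = file with snyk output, $2 = previous image size, $3 = new size.
# Succeeds only when the scan found no issues and the image got smaller.
gate_image() {
  local issues before after
  issues="$(snyk_issue_count "$1")"
  before="$(to_mb "$2")" || return 1
  after="$(to_mb "$3")" || return 1
  if [ -z "$issues" ]; then
    echo "gate: no snyk summary line found in $1" >&2
    return 1
  fi
  if [ "$issues" -ne 0 ]; then
    echo "gate: scan still reports $issues issues" >&2
    return 1
  fi
  if [ "$after" -ge "$before" ]; then
    echo "gate: image did not shrink (${before}MB -> ${after}MB)" >&2
    return 1
  fi
  echo "gate: ok, 0 issues, ${before}MB -> ${after}MB"
}

# Stand-alone demo on a constructed Dockerfile and constructed scan output
# (the sizes are the two values shown in the workshop's docker images listing).
demo() {
  local d
  d="$(mktemp -d)"
  printf 'FROM python:3.12.0\nCOPY . /app\nCMD ["python3","webapp.py"]\n' > "$d/Dockerfile"
  migrate_dockerfile "$d/Dockerfile"
  cat "$d/Dockerfile"
  printf '✔ Tested 67 dependencies for known issues, no vulnerable paths found.\n' > "$d/scan.txt"
  gate_image "$d/scan.txt" 1.03GB 545MB
  rm -rf "$d"
}

demo
```

In a pipeline you would save the output of snyk container test to a file and call gate_image with that file and the sizes from docker images before and after the rebuild; a non-zero exit stops the docker push and kubectl scale steps from running on an image that still carries findings.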
In this section, we’ve seen how a simple change of base image to a Chainguard image can significantly reduce both the number of vulnerabilities and the size of the image.
In the next section we’ll see how we can make the image more appropriate to use in a production setting.