Asking the very obvious question (as it's not apparent from the website): Why would I use this over DHI (Docker Hardened Images) or Chainguard Images, both of which also have a set of free hardened images?
1. These are all >1200 of our images, including FIPS, and all versions… others gate many of their images
2. These are all built continuously from upstream source on a distroless base… this makes a significant difference in attack surface and CVE count re DHI images and you can easily check our word with a few scans
3. These are truly free… no auth wall, no signup, no trial, no limit on numbers of images or pulls or anything like that
4. We have really invested in making these agent ready… we have a CLI (minicli) designed for both humans and agents to easily discover, understand, migrate to, and build on them… for example, check out the AI migration prompts we provide for each image, we’ve refined these across many customer deployments such that you can copy paste into your agent of choice, point it at a Dockerfile and have it do all / nearly all the work to move to these images
Currently, yes free as in beer. We build every component directly from source in a SLSA 3 environment we run (mostly in GCP). Making the Dockerfiles available is a fair question, not something we’ve done thus far because it’s not particularly useful if you don’t have all the infrastructure building the components.
Do you have particular scenarios you’d like the Dockerfiles for or is it just for transparency/ trust (which is a totally valid reason of course)?
> Do you have particular scenarios you’d like the Dockerfiles for or is it just for transparency/ trust (which is a totally valid reason of course)?
The latter. You or an attacker could tamper with the images - however even with the Dockerfiles I can't be sure that the provided images are built from the Dockerfiles, so in the end I'd have to trust you anyway. Also I'd be curious how you build the images.
This is our new Community Edition, which are all the exact same images as the Enterprise Edition product customers around the world already use, just without all the other features like image creator, self hosting, integrations, SSO, etc. Click the discover Enterprise Edition button on lower left and you can see a quick comparison table or go to minimus.io to see all the details.
EE also includes contractually backed CVE remediation and support SLAs. If you’d like to try EE and get pricing details, we’d be happy to help! Just click the button on the lower left to get started.
Just a little bit of feedback: some items on the main page are duplicated, which could be confusing. For example, "nginx-advanced" appears as updated both 3 days ago and 2 hours ago.
One of those is the image, one is a Helm chart using that image. The chart has an label and icon for chart but obviously we need to make this clearer :)
Asking the very obvious question (as it's not apparent from the website): Why would I use this over DHI (Docker Hardened Images) or Chainguard Images, both of which also have a set of free hardened images?
1. These are all >1200 of our images, including FIPS, and all versions… others gate many of their images
2. These are all built continuously from upstream source on a distroless base… this makes a significant difference in attack surface and CVE count re DHI images and you can easily check our word with a few scans
3. These are truly free… no auth wall, no signup, no trial, no limit on numbers of images or pulls or anything like that
4. We have really invested in making these agent ready… we have a CLI (minicli) designed for both humans and agents to easily discover, understand, migrate to, and build on them… for example, check out the AI migration prompts we provide for each image, we’ve refined these across many customer deployments such that you can copy paste into your agent of choice, point it at a Dockerfile and have it do all / nearly all the work to move to these images
The question was "why over DHI?"
1 and 2 are not a reason
3. no X, no Y, also not a reason
4. `rg agents`. Right
Agreed. Also on front page the nginx container is 6 days old, so no daily builds
We build anytime any component within an image has a new upstream version. If there’s no new upstream versions, no reason to build.
Check out the changelog tab in each image listing and you can see exactly when and why we build each time
Where are these built? Can I see the Dockerfiles? How are they licensed? I get that they are free as in beer, but not libre/FLOSS?
Currently, yes free as in beer. We build every component directly from source in a SLSA 3 environment we run (mostly in GCP). Making the Dockerfiles available is a fair question, not something we’ve done thus far because it’s not particularly useful if you don’t have all the infrastructure building the components.
Do you have particular scenarios you’d like the Dockerfiles for or is it just for transparency/ trust (which is a totally valid reason of course)?
> Do you have particular scenarios you’d like the Dockerfiles for or is it just for transparency/ trust (which is a totally valid reason of course)?
The latter. You or an attacker could tamper with the images - however even with the Dockerfiles I can't be sure that the provided images are built from the Dockerfiles, so in the end I'd have to trust you anyway. Also I'd be curious how you build the images.
Thanks for your answer!
The free tiers always go away, after they're deep in our infra. I would prefer to price it from the start.
We would be happy to sell it to you today! :)
This is our new Community Edition, which are all the exact same images as the Enterprise Edition product customers around the world already use, just without all the other features like image creator, self hosting, integrations, SSO, etc. Click the discover Enterprise Edition button on lower left and you can see a quick comparison table or go to minimus.io to see all the details.
EE also includes contractually backed CVE remediation and support SLAs. If you’d like to try EE and get pricing details, we’d be happy to help! Just click the button on the lower left to get started.
John here (CTO and Co-Founder)… we’d be happy to answer any questions anyone has!
Just a little bit of feedback: some items on the main page are duplicated, which could be confusing. For example, "nginx-advanced" appears as updated both 3 days ago and 2 hours ago.
One of those is the image, one is a Helm chart using that image. The chart has an label and icon for chart but obviously we need to make this clearer :)
Thanks for the feedback!
Any plans to add IPv6 support? NAT GW are costly and docker hub has full support.
currently reg.mini.dev does not have AAAA records. Did not check the blob storage endpoints.
Certainly something we can add, just not something any customers have wanted thus far.
reg.mini.dev is really a front end to Google Artifact Registry which already supports v6. I opened an issue for our devops team to enable it for us.
Thanks for the feedback!
Is their ingress-nginx-controller image similar to that of Chainguard: a drop-in replacement with the CVEs fixed?
noice!