Available Images, Tags, and Variants

CleanStart maintains 1,200+ hardened container images spanning languages, databases, web servers, AI/ML frameworks, and infrastructure tools. All images are security-scanned, FIPS-ready, and include attestations. The image catalog structure is organized by category, with each category containing multiple variants tailored to different use cases.

The CleanStart Image Catalog contains 1,200+ images organized into six categories: Language Runtimes (python, node, golang, rust, ruby, java, php, dotnet), Databases (PostgreSQL, MySQL, MariaDB, MongoDB, Redis, Elasticsearch, Cassandra), Web Servers (nginx, apache, caddy, haproxy), AI/ML Frameworks (PyTorch, TensorFlow, transformers, xgboost), Infrastructure DevOps (docker, kubectl, helm, istio, terraform, ansible, prometheus, grafana, jaeger, loki), and Base Images (distroless, alpine, ubuntu, debian).

Each image category offers multiple variants: -prod (minimal production image), -dev (with development tools), -debug (debugging tools), and -alpine (ultra-slim variant).

Image Naming

Image naming follows the pattern gcr.io/cleanstart-images/[CATEGORY]/[NAME]:[VERSION]-[VARIANT] where variants include -prod (minimal), -dev (with tools), and -debug (debugging).

Language Runtimes

Node.js

CleanStart provides node:20-prod, node:20-dev, node:20-alpine-prod, python:3.12-prod, python:3.12-slim, python:3.12-dev, golang:1.22-prod, rust:1.72-prod, ruby:3.2-prod, java:21-prod, php:8.2-prod, and dotnet:7-prod.

Features

All language runtime images include zero vulnerabilities through security scanning, FIPS 140-3 readiness, non-root user default, read-only root filesystem, and Cosign-signed images with SBOM attestations.

Databases

PostgreSQL/MySQL

CleanStart provides postgres:16-prod and postgres:16-dev (with PostGIS), mysql:8.0-prod, mariadb:11.0-prod, mongodb:7.0-prod, redis:7.2-prod, elasticsearch:8-prod, and cassandra:4-prod.

Web Servers

Nginx/Apache

CleanStart provides nginx:1.25-prod, nginx:1.25-dev, nginx:1.25-debug, apache:2.4-prod, caddy:2-prod, and haproxy:2-prod.

Development variants include curl, dig, tcpdump, and strace.

AI/ML Frameworks

PyTorch/TensorFlow

CleanStart provides pytorch-cpu:2.1-prod, pytorch-gpu:2.1-prod, tensorflow:2.14-prod, tensorflow-serving:2.14-prod, transformers:latest-prod, xgboost:2.0-prod, huggingface-hub:latest-prod, and onnx-runtime:1.16-prod.

Infrastructure & DevOps

Container & K8s Tools

CleanStart provides docker:24-prod, kubernetes/kubectl:1.28-prod, helm:3.13-prod, istio-proxyv2:1.18-prod, terraform:1.6-prod, ansible:2.15-prod, prometheus:2.47-prod, grafana:10.2-prod, jaeger:1.49-prod, and loki:2.9-prod.

Base Images (Distroless)

Ultra-Minimal

CleanStart provides distroless/cc:latest (28MB for C/C++ apps), distroless/base:latest (20MB for static binaries), distroless/python3:latest (65MB for Python), distroless/nodejs20:latest (150MB for Node), and distroless/java:latest (280MB for Java).

General Purpose

CleanStart provides alpine:latest (7MB ultra-lightweight), busybox:latest (5MB minimal POSIX), ubuntu:22.04 (77MB full Ubuntu), and debian:bookworm (80MB standard Linux).

Architecture Support

All images are available for amd64, arm64, and arm/v7. Multi-arch pull automatically selects the correct architecture.

Security Features (All Images)

All CleanStart images are FIPS 140-3 ready with validated cryptography. They are signed and verified using Cosign signatures, include SPDX format attestations for the bill of materials, are security-scanned for zero vulnerabilities, run with non-root users by default, and have read-only root filesystems for mount point optimization.

Pulling Images

Public Images (No Auth Required)

You can pull public images using docker pull gcr.io/cleanstart-images/runtimes/python:3.12-prod or docker pull gcr.io/cleanstart-images/databases/postgres:16-prod.

With Authentication

You can login using docker login gcr.io then pull using docker pull gcr.io/cleanstart-images/custom/my-image:v1.

Verify Signature

You can verify signature using cosign verify --key cosign.pub gcr.io/cleanstart-images/runtimes/python:3.12-prod.

Image Metadata

All images include OCI labels such as org.opencontainers.image.title="Python 3.12", org.opencontainers.image.version="3.12.1", org.opencontainers.image.created="2024-01-15T10:00:00Z", and security.cleanstart/fips-ready="true", security.cleanstart/scan-timestamp="2024-01-15T10:30:00Z".

Searching Images

By Category

You can search by category using intelligence query packages --filter category=languages or intelligence query packages --filter category=databases.

By Name

You can search by name using curl "https://api.cleanstart.dev/v1/images/search?name=python" or curl "https://api.cleanstart.dev/v1/images/search?name=nodejs&version=20".

Versioning

Three tag types are provided: python:3.12.1-prod (specific patch that auto-updates patches), python:3.12-prod (minor version that is stable), and python:latest-prod (latest that auto-updates).

Image Updates

Updates follow a schedule: weekly for vulnerability updates, monthly for base OS updates, and quarterly for major version upgrades.

You can subscribe to updates using intelligence monitor --image-pattern 'gcr.io/cleanstart-images/*' --email security@company.com.

Common Workflows

Build with CleanStart Base

You can build using a CleanStart base image by specifying FROM gcr.io/cleanstart-images/runtimes/python:3.12-prod in your Dockerfile, setting WORKDIR /app, copying your application files, and defining CMD ["python", "app.py"].

Mirror to Private Registry

You can mirror to your private registry by pulling the image using docker pull gcr.io/cleanstart-images/runtimes/python:3.12-prod, tagging it using docker tag gcr.io/cleanstart-images/runtimes/python:3.12-prod my-registry/python:3.12-prod, and pushing it using docker push my-registry/python:3.12-prod.

Browser

Full interactive image browser is available at https://images.cleanstart.dev with features including search of 1,200+ images, filter by category/language/version, view vulnerabilities and attestations, check FIPS compliance, and download SBOMs.

Support

Catalog: https://images.cleanstart.dev, Docs: https://docs.cleanstart.dev/images, Issues: https://github.com/cleanstart/images/issues, and Email: images@cleanstart.dev.

Related Documentation

For AI and machine learning image specifications and configurations, see AI/ML Image Reference.