Last changed
Be the first to hear about exciting product updates, critical vulnerability alerts, compare alternative images, and more.
Sign UpContainer image for building Go applications with FIPS
Chainguard Containers are regularly-updated, secure-by-default container images.
For those with access, this container image is available on cgr.dev
:
Be sure to replace the ORGANIZATION
placeholder with the name used for your organization's private repository within the Chainguard Registry.
The 1.24 images have switched to use microsoft/go toolchain. There are a few difference compared to 1.23:
For a go toolchain without any access to any historical or unapproved algorithms please use go-msft-fips image instead.
There are further developments needed in 1.25 to consolidate the available go toolchains with OpenSSL support (with/without FIPS, with/without fallbacks).
This image provides a Go toolchain for producing FIPS compliant binaries. For this purpose, the image is compiled with [golang-fips/go (FIPS enabled Go using OpenSSL)]](https://github.com/golang-fips/go) patches applied. They are further enhanced to always default to FIPS mode, without ability to opt out.
Binaries built with this edition of go on Linux:
While Chainguard's edition of OpenSSL FIPS is recommended, the resulting binaries are vendor-agnostic and can be used at runtime with OpenSSL FIPS providers on other OpenSSL FIPS hosts.
FIPS compliance is achieved by not using any native golang cryptographic functionality and redirecting all calls to OpenSSL at runtime. Specifically the following modules are patched to redirect to the OpenSSL FIPS provider:
crypto
crypto/tls
golang.org/x/crypto
that use stock crypto
primitives onlyIf no other cryptographic algorithms are implemented or used, certification status will depend on the runtime OpenSSL FIPS certification. For Chainguard that is #4282.
Note that the crypto/md5
algorithm implementation is available for non-cryptographically secure use cases only. If your application uses crypto/md5
or any other third-party golang cryptographic modules, engage with a CST testing laboratory for additional audit and certification needs.
Where otherwise possible, the Go Chainguard Image is built for compatibility with the Docker official image for Golang. For a non-FIPS Go toolchain, see the go
Chainguard Image.
The go-fips
Chainguard Image uses the glibc
implementation of the C standard library, while the Alpine version of thegolang
official Docker Image uses musl
. See our article on glibc vs. musl on Chainguard Academy for an overview of the differences between these implementations.
Consider executing Go binaries from one of our FIPS-enabled runtime Chainguard Images, such as the glibc-openssl-fips Chainguard Image.
In Go 1.20, we default to using the new GODEBUG
settings of tarinsecurepath=0
and zipinsecurepath=0
. These can be disabled by clearing the GODEBUG
environment variable or by setting them to 1
. Learn more about these settings in the Go release notes.
Working with the go-fips
Chainguard Image has the following limitations:
-tags
, GOEXPERIMENT
, CGO_ENABLED
For more information on working with this Image, check out our Getting Started with the Go Chainguard Image guide on Chainguard Academy.
In this example, we'll build a test application and verify that the approved external cryptographic library and OpenSSL symbols are in use.
First, set your organization to an environment variable.
Run a container based on the go-fips
image interactively:
At the interactive prompt, install helloserver
, a Golang demo application :
You should see output like the following:
We can now check the toolchain flags used to build the binary we just created:
This produces the following output:
This indicates the binary was built with X:boringcrypto
experiment enabled as an indicator that FIPS is in use.
While the toolchain experiment is called boringcrypto
, the actual implementation uses OpenSSL. We can check this by outputting additional build settings:
This produces the following output:
For FIPS verification, check that:
build CGO_ENABLED=1
setting is in place.build GOEXPERIMENT=boringcrypto
setting is in place.You can also verify that OpenSSL symbols are used by the binary:
This produces the following output:
Note that golang-fips/openssl
contains bindings for all available APIs, even if individual binary may not use all of them.
Finally, let's verify that failing to use the allowed OpenSSL FIPS provider will prevent operation.
First, check the operation of the helloserver
binary:
You should see the following message:
Press Control-C
to stop the server.
Next, modify the module-mac
portion of the FIPS provider which will invalidate it:
Now attempt to re-run the application server:
You should receive the following error:
This shows that the helloserver
binary panics when OpenSSL FIPS fails integrity tests. Additionally, other software that uses OpenSSL will segfault e.g. apk update
.
You can restore the fipsmodule.cnf
file to return to an operational state:
The following build demonstrates an application that's accessible by HTTP server. The application renders a simple message that changes based on the URI. The example uses a multi-stage build, compiling a binary using the go-fips
Chainguard Image and copying it to the glibc-openssl-fips
Chainguard Image for execution.
First, create a project folder and change the working directory to that folder:
Next, run the following command to write a main.go
file defining our web application:
Next, run the following command to write a go.mod
file listing dependencies:
Write a Dockerfile
to define our image build. First, set your organization as an environment variable:
Use the following command to create the Dockerfile
:
This Dockerfile
uses a multi-stage build approach, compiling the application using the go
Chainguard Image, then copying the binary to the glibc-openssl-fips
Chainguard Image to serve.
Build the image, tagging it greet-server
:
Run the container:
Visit http://0.0.0.0:8080/ using a web browser on your host machine. You should see the following:
Changes to the URI will be routed to the application. Try visiting http://0.0.0.0:8080/Chainguard%20Customer. You should see the following output:
The application will also share version information at http://0.0.0.0:8080/version. We can see on that page that the binary has been compiled with boringcrypto
:
If you're building a web application with the go-fips
Chainguard Image, consider the nginx-fips Chainguard Image for use as a reverse proxy.
Chainguard Containers are minimal container images that are secure by default.
In many cases, the Chainguard Containers tagged as :latest
contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.
The main features of Chainguard Containers include:
For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev
variant.
Although the -dev
container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev
variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.
To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.
In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.
This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.
Chainguard container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image:
Apache-2.0
BSD-2-Clause
BSD-3-Clause
CC-BY-4.0
GCC-exception-3.1
GPL-2.0
GPL-2.0-only
For a complete list of licenses, please refer to this Image's SBOM.
Software license agreementThis is a FIPS validated image for FedRAMP compliance.
This image is STIG hardened and scanned against the DISA General Purpose Operating System SRG with reports available.
Learn more about STIGsGet started with STIGs