Last changed
docker pull cgr.dev/chainguard/node
Need access to a specific tag? Contact us.
Integrate Chainguard into your developer workflows, manage your image versions to stay free of CVEs, and view critical SBOM and provenance details.
Sign upMinimal container image for running NodeJS apps
Chainguard Containers are regularly-updated, secure-by-default container images.
For those with access, this container image is available on cgr.dev
:
Be sure to replace the ORGANIZATION
placeholder with the name used for your organization's private repository within the Chainguard Registry.
Where possible, the Node Chainguard Image is built for compatibility with the Docker official image for Node.
The Node Chainguard Image runs as a nonroot user (node
) by default. A USER root
statement may be required before performing tasks requiring elevated permissions.
Note: This image uses a different entrypoint(/usr/bin/node
) than the official Node image.
Chainguard's node
container image comes in multiple variants, each designed for different user needs and operational requirements.
The standard node
variant provides a minimal container image that includes tools commonly needed for production use and compatibility, such as Node.js runtime and essential libraries. This is the default choice for most users, aimed at production deployments and smooth migration from external Node container images, but without unnecessary extras. The -dev
variant (also known as "Development" variant) adds extra utilities like a shell, package manager (e.g., apk), and debugging tools on top of the standard runtime. These are useful when building or troubleshooting applications inside the container, or when needing a familiar interactive environment with broad compatibility.
Importantly, Chainguard's node
container image also comes with a -slim
variant that is even more minimal than the standard variant and contains only the critical files necessary to run Node.js applications. As such, it doesn't include a shell, package manager, debuggers, or utility tools, meaning that the image's size and attack surface are kept as small as possible. -slim
variants are best suited for advanced users who want maximum security and smallest possible footprint. They're ideal for locked-down production environments or cases with strict compliance requirements, but users give up conveniences like shell access or running shell-based entrypoint scripts.
In this example, we'll write a .js
script that prints a message, then prints the message reversed. The script will use one dependency, the text-reverse
package. The script will optionally take one positional argument—if no argument is passed, a default message will be printed and reversed, otherwise the passed argument will be printed and reversed.
First, let's create a project structure for our example:
This creates the following folder structure and sets our working directory to the root node-reverse
folder:
Now let's create a package.json
file, which provides metadata about the project, including dependencies:
The above defines a package, linky_hello
, that depends on text-reverse
, and which whill run the code in bin/index.js
on npm run start
.
Let's create our application code now:
This application code first looks at any arguments passed to the script. If a positional argument is passed when the script is run, it will print that argument, then print its reverse. If no argument is passed, a default message will be printed and reversed.
Finally, let's create a Dockerfile
for our image build:
This Dockerfile
sets the file NODE_ENV
environment variable to production
, copies our package.json
and bin
directory, installs our dependency with npm install
, and runs our .js
script.
Build the image, tagging it node-reverse
:
Finally, run the container:
You should see the following output:
You can also pass an argument to the docker run node-reverse
command to change the output:
This should produce the following output:
In this example, we'll create an Express.js server that allows retrieval of a JSON-formatted list of animals and the addition of new animals via POST request.
First, create a folder for our example:
Create a package.json
file, which provides metadata about the project, including dependencies:
Next, add our server application code:
Finally, create a Dockerfile
for our image build:
Build the image:
Finally, run the server container:
You should see the following message:
Visit http://localhost:6069/animals to view the served JSON data.
You can post new data to the running application:
After posting, refresh the page on http://localhost:6069/animals to view the additional data.
Chainguard Containers are minimal container images that are secure by default.
In many cases, the Chainguard Containers tagged as :latest
contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.
The main features of Chainguard Containers include:
For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev
variant.
Although the -dev
container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev
variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.
To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.
In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.
This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.
Chainguard container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image:
Artistic-2.0
ISC
LGPL-2.1-or-later
MIT
MPL-2.0
For a complete list of licenses, please refer to this Image's SBOM.
Software license agreementA FIPS validated version of this image is available for FedRAMP compliance. STIG is included with FIPS image.