DirectorySecurity AdvisoriesPricing
Sign in
Directory
unleash-proxy-fips logoFIPS

unleash-proxy-fips

packaged by Chainguard

Last changed
Request a free trial

Contact our team to test out this image for free. Please also indicate any other images you would like to evaluate.

Tags
Overview
Comparison
Provenance
Specifications
SBOM
Vulnerabilities
Advisories

Chainguard Container for unleash-proxy-fips

Stateless HTTP proxy that evaluates Unleash feature flags for client-side SDKs

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/unleash-proxy-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

The Chainguard unleash-proxy-fips image is a minimal, drop-in replacement for the upstream unleashorg/unleash-proxy container image and is compatible with the official Unleash Proxy Helm chart. The proxy listens on port 3000 and runs as the non-root node user (UID 1000). Switching to this image should not require any changes to your existing deployment configuration.

FIPS Support

This Chainguard Container ships with a validated redistribution of OpenSSL's FIPS provider module, and the bundled Node.js runtime runs with FIPS mode enforced. For more on FIPS support in Chainguard Images, consult the guide on FIPS-enabled Chainguard Containers on Chainguard Academy.

Getting Started

The proxy is configured entirely through environment variables. At a minimum it needs the URL of your Unleash server, a server-side API token, and one or more client keys that downstream SDKs present to the proxy:

docker run -d -p 3000:3000 \
  -e UNLEASH_URL=https://app.unleash-hosted.com/demo/api/ \
  -e UNLEASH_API_TOKEN=<your-server-api-token> \
  -e UNLEASH_PROXY_CLIENT_KEYS=<your-proxy-client-key> \
  cgr.dev/ORGANIZATION/unleash-proxy-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Once it has synced from the backend, the proxy reports healthy and serves toggle evaluations to clients that present a configured client key:

curl http://localhost:3000/proxy/health
curl -H "Authorization: <your-proxy-client-key>" http://localhost:3000/proxy

To deploy on Kubernetes, install the official chart with the image and connection settings overridden in a values.yaml file:

image:
  repository: cgr.dev/ORGANIZATION/unleash-proxy-fips
  tag: latest
proxy:
  serverHost: https://app.unleash-hosted.com/demo/api/
  apiToken: <your-server-api-token>
  clientKeys:
    - <your-proxy-client-key>
helm repo add unleash https://unleash.github.io/helm-charts
helm repo update
helm install my-unleash-proxy unleash/unleash-proxy -f values.yaml

Self-hosting the full stack

The proxy, the Unleash server it syncs from, and the PostgreSQL database that backs the server are all available as Chainguard Containers. The following Docker Compose example wires them together:

services:
  db:
    image: cgr.dev/ORGANIZATION/postgres:latest
    environment:
      POSTGRES_USER: unleash
      POSTGRES_PASSWORD: unleash
      POSTGRES_DB: unleash

  unleash-server:
    image: cgr.dev/ORGANIZATION/unleash-server:latest
    depends_on:
      - db
    environment:
      DATABASE_URL: postgres://unleash:unleash@db:5432/unleash
      DATABASE_SSL: "false"
      INIT_BACKEND_API_TOKENS: default:development.unleash-insecure-api-token
    ports:
      - "4242:4242"

  unleash-proxy:
    image: cgr.dev/ORGANIZATION/unleash-proxy-fips:latest
    depends_on:
      - unleash-server
    environment:
      UNLEASH_URL: http://unleash-server:4242/api
      UNLEASH_API_TOKEN: default:development.unleash-insecure-api-token
      UNLEASH_PROXY_CLIENT_KEYS: <your-proxy-client-key>
    ports:
      - "3000:3000"

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry. The seeded API token is for local evaluation only; issue a real server-side token for any non-throwaway deployment.

Documentation and Resources

What are Chainguard Containers?

Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.

All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.

In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.

Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.

Need additional packages?

To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.

To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.

Learn More

Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Librariescontact us for access.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.

Licenses

Chainguard's container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image:

  • Apache-2.0

  • GCC-exception-3.1

  • GPL-2.0-only

  • GPL-2.0-or-later

  • GPL-3.0-or-later

  • ISC

  • LGPL-2.1-or-later

For a complete list of licenses, please refer to this Image's SBOM.

Software license agreement
Compliance

Chainguard Containers are SLSA Level 3 compliant with detailed metadata and documentation about how it was built. We generate build provenance and a Software Bill of Materials (SBOM) for each release, with complete visibility into the software supply chain.

SLSA compliance at Chainguard

This image helps reduce time and effort in establishing PCI DSS 4.0 compliance with low-to-no CVEs.

PCI DSS at Chainguard

This is a FIPS validated image for FedRAMP compliance.

This image is STIG hardened and scanned against the DISA General Purpose Operating System SRG with reports available.

Learn more about STIGsGet started with STIGs
Related images
unleash-proxy logo

unleash-proxy

Category
FIPS
STIG

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0SOC 2Golden ImagesCVE RemediationPublic SectorStartups

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogOpen Source LeadershipPartnersNewsroomCareersLegal
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.