Minimus builds its images directly from source and manages its own internal CI/CD pipelines.

[Figure: Minimus architecture diagram]

The Minimus build pipeline

Minimus monitors all upstream projects to detect updates on a continuous basis. The pipeline involves standardized build processes and automated workflows as follows:
  1. MinimOS continuously monitors the open source projects and triggers a new package build every time an upstream update is released. Every new package build receives a new package version.
  2. Minimus builds images once a day from the most recent package versions. This ensures that new updates and vulnerability fixes are delivered daily.
    1. New image builds do not necessarily receive a new image version. The image version only changes if the primary package is updated (i.e. the package that defines the image, for example mysql for the MySQL image and elasticsearch for the Elasticsearch image). Otherwise, the image version remains the same, but Minimus publishes a new image digest and a new unique timestamp tag, both shown in the image version card. (See: About the Minimus unique timestamp tag and digest history.)
    2. The daily image build is skipped if no package updates are available.
    3. Image builds take into account package version constraints.
  3. Minimus signs images and their SBOMs and publishes them to the Minimus registry. As a user, you can verify Minimus images and SBOMs. (See: Verifying images.)
  4. Minimus continuously scans all of its packages and image versions for new vulnerabilities and delivers up-to-date vulnerability reports for all of its images, across all available versions, as explained below.

Unit testing

Minimus performs testing at several checkpoints during the build pipeline to ensure build integrity. Initial testing happens during package building: every package is tested after every build. Images are tested and validated following every build, and a daily image build and validation cycle is triggered by any change to either the configuration files or any of the included packages. Minimus image testing is designed to ensure build integrity, runtime correctness, and Kubernetes readiness. Extensive unit testing is performed to ensure that the image behaves as expected before it is published to the Minimus registry. Tests are fully automated and run in a controlled environment to check that required packages are present, entrypoint behavior is as expected, environment variables and file permissions are correctly set, relevant ports are listening and/or exposed, etc.

Build integrity testing

Build integrity testing checks SBOM completeness and image structure (tags, entrypoint, etc.) and confirms that the builds are reproducible.

Runtime correctness

Images from the Data, Dev, and Base categories that are not expected to run in Kubernetes are tested using Docker Compose and a Python TestClient, which exercises Python web app endpoints directly in code without starting a web server. A Python runner iterates over the tested images and replaces a version variable with each available version tag, either in a Dockerfile or directly in Docker Compose. Testing also covers multi-architecture compatibility to ensure that the images run in both amd64 and arm64 environments.

Kubernetes readiness

For images expected to be deployed with Kubernetes and Helm charts, additional testing procedures are in place. Tests are automated within the CI/CD pipeline so that any change to an image triggers validation, providing fast feedback and preventing regressions. These images are tested in Kubernetes using a Python setup tool that configures the cluster and installs the necessary services and/or images, using Helm where applicable. Service functionality is then tested with Bash and/or Python by running tasks in the cluster.

The Minimus advisory pipeline

Publishing package advisories

Minimus scans all of its packages for vulnerabilities every few hours. Every time a new vulnerability is detected, the vulnerability advisory is published to the Minimus advisory list and initiates the Minimus review process. (See: About advisories.)

Publishing image vulnerability reports

Minimus offers an up-to-date vulnerability report for every image version in its registry. Each report is derived from the image version's SBOM combined with the package vulnerability scans, and is refreshed several times a day. (See: About vulnerability reports.)
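To make the relationship between the advisory pipeline and the per-image reports concrete, here is an added illustration (not Minimus' own code or data formats) of how package advisories can be matched against an image SBOM to produce a report; the SBOM shape, the advisory fields and all package names and versions below are constructed for the example.

```python
"""Derive an image vulnerability report from an SBOM and package advisories.

Added illustration, not Minimus' own implementation. Assumed (constructed)
formats: the SBOM is a list of {"name", "version"} components and each
advisory names the affected package plus the version that fixes it.
"""
import re

# Constructed SBOM for a hypothetical image build.
SBOM = [
    {"name": "openssl", "version": "3.3.1-r2"},
    {"name": "curl", "version": "8.9.0-r0"},
    {"name": "zlib", "version": "1.3.1-r1"},
]

# Constructed advisory list, as the package-scan stage might emit it.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "openssl", "fixed_in": "3.3.1-r3"},
    {"id": "ADV-EXAMPLE-2", "package": "curl", "fixed_in": "8.8.0-r0"},
    {"id": "ADV-EXAMPLE-3", "package": "libpng", "fixed_in": "1.6.44-r0"},
]


def version_key(version):
    """Split '3.3.1-r2' into a comparable tuple of integers: (3, 3, 1, 2)."""
    parts = re.split(r"[.\-]", version)
    return tuple(int(p.lstrip("r")) if p.lstrip("r").isdigit() else 0 for p in parts)


def is_affected(installed, fixed_in):
    """A component is affected while its version is older than the fixing one."""
    return version_key(installed) < version_key(fixed_in)


def vulnerability_report(sbom, advisories):
    """Return the advisories that apply to the components listed in the SBOM."""
    installed = {c["name"]: c["version"] for c in sbom}
    report = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None:
            continue  # package not in this image, so the advisory is irrelevant
        if is_affected(version, adv["fixed_in"]):
            report.append({"id": adv["id"], "package": adv["package"],
                           "installed": version, "fixed_in": adv["fixed_in"]})
    return report


if __name__ == "__main__":
    for finding in vulnerability_report(SBOM, ADVISORIES):
        print(finding)  # only ADV-EXAMPLE-1 applies to this SBOM
```

Re-running the same matching against the SBOM of the next daily build, where openssl has moved to the fixed version, yields an empty report, which is why a report is tied to a specific image version and refreshed when either the SBOM or the advisory list changes.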

Minimus software supply chain security

The Minimus build environment adheres to software supply chain security practices including:
  • CI/CD hardening - Minimus uses a secure build pipeline with strict access controls so all packages and images are built in a protected, trustworthy environment.
  • Provenance tracking - Minimus verifies the source and authenticity of open source code used in its pipeline.

Beyond the Minimus Registry

  • The user-friendly Minimus Console is your primary gateway to the Minimus Registry. Use the console to navigate the gallery of images, understand which versions are available, and learn about any new relevant threat intel and updates. (See: About the image gallery.)
  • You can configure Minimus actions for the registry to push alerts using dedicated webhooks. (See: About actions.)
  • You can also mirror images in your Minimus subscription to your private registry. (See: About self-hosting.)