Architecture
Understand the Minimus pipeline for building secure packages and images
Minimus builds its images directly from source and manages its own internal CI/CD pipelines.
The Minimus build pipeline
Minimus monitors all upstream projects to detect updates on a continuous basis. The pipeline involves standardized build processes and automated workflows as follows:
- MinimOS continuously monitors the open source projects and triggers a new package build every time there is a new update in the upstream. Every new package build receives a new package version.
- Minimus builds images once a day from the most recent package versions. This ensures that new updates and vulnerability fixes are delivered daily.
- New image builds do not necessarily receive a new image version. The image version only changes if the primary package is updated, i.e. the package that defines the image (for example mysql for the MySQL image and elasticsearch for the Elasticsearch image). Otherwise the image version stays the same, but Minimus publishes a new image digest and a new unique timestamp tag, both shown in the image version card (see: About the Minimus unique timestamp tag and digest history). In practice this means that pulling the same version tag on two different days can resolve to two different digests, so pin deployments by digest where you need reproducible rollouts.
- The daily image build is skipped if no package updates are available.
- Image builds take into account package version constraints.
- Minimus signs images and their SBOMs and publishes them to the Minimus registry. As a user, you can verify both the image signature and the SBOM before you deploy (see: Verifying images).
- Minimus continuously scans all of its packages and image versions for new vulnerabilities and keeps the vulnerability report for every image, across all available versions, current, as explained below.
The Minimus advisory pipeline
Publishing package advisories
Minimus scans all of its packages for vulnerabilities every few hours. Every time a new vulnerability is detected, the vulnerability advisory is published to the Minimus advisory list and initiates the Minimus review process (see: About advisories).
Publishing image vulnerability reports
Minimus offers an up-to-date vulnerability report for every image version in its registry. The vulnerability report for every image version is based on the SBOM and package vulnerability scans and is updated several times a day (see: About vulnerability reports).
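The build rules above (a daily rebuild that only bumps the image version when the primary package changes, otherwise a new digest and timestamp tag, and no build at all when nothing changed) and the SBOM-based vulnerability report can be checked from the artifacts a user actually has: two SBOMs from consecutive builds and the advisory list. The script below is an added example written for this page, not Minimus code or tooling. The flat SBOM schema (a "primary" field plus a list of name/version components), the package names and versions, the advisory identifiers, and the simplified version ordering are all assumptions made for illustration; real SBOM formats and package-manager version rules are richer than this.

```python
"""Added example (not Minimus code): reason about consecutive image builds from their SBOMs."""
import re

# Constructed sample data: two daily builds of a hypothetical MySQL image.
# Schema and values are assumptions for this example only.
SBOM_DAY1 = {
    "primary": "mysql",
    "components": [
        {"name": "mysql", "version": "8.4.2-r0"},
        {"name": "openssl", "version": "3.3.1-r0"},
        {"name": "zlib", "version": "1.3.1-r0"},
    ],
}
SBOM_DAY2 = {
    "primary": "mysql",
    "components": [
        {"name": "mysql", "version": "8.4.2-r0"},
        {"name": "openssl", "version": "3.3.2-r0"},  # upstream update rebuilt as a new package version
        {"name": "zlib", "version": "1.3.1-r0"},
    ],
}

# Constructed advisory list: (package, first fixed package version, placeholder advisory id).
ADVISORIES = [
    ("openssl", "3.3.2-r0", "EXAMPLE-ADV-1"),
    ("zlib", "1.3.2-r0", "EXAMPLE-ADV-2"),
]


def parse_version(v):
    """Turn '3.3.2-r0' into ((3, 3, 2), 0) so tuples compare in version order.
    Simplified on purpose: only handles dotted numerics plus an optional '-rN' suffix."""
    base, _, rel = v.partition("-r")
    return (tuple(int(p) for p in base.split(".")), int(rel or 0))


def components(sbom):
    """Installed packages of one build as {name: version}."""
    return {c["name"]: c["version"] for c in sbom["components"]}


def diff_builds(old, new):
    """Packages whose version differs between two builds: {name: (old_version, new_version)}."""
    o, n = components(old), components(new)
    return {
        name: (o.get(name), n.get(name))
        for name in sorted(o.keys() | n.keys())
        if o.get(name) != n.get(name)
    }


def classify_build(old, new):
    """Apply the build rules: no changes -> no daily build; primary package changed ->
    new image version; anything else -> same version, new digest and timestamp tag."""
    changes = diff_builds(old, new)
    if not changes:
        return "skipped"
    if new["primary"] in changes:
        return "new-image-version"
    return "new-digest-only"


def vuln_report(sbom, advisories):
    """Join the installed packages against the advisory list: a package is affected
    while its installed version is older than the first fixed version."""
    installed = components(sbom)
    report = []
    for pkg, fixed_in, adv_id in advisories:
        if pkg not in installed:
            continue
        affected = parse_version(installed[pkg]) < parse_version(fixed_in)
        report.append({
            "package": pkg,
            "version": installed[pkg],
            "advisory": adv_id,
            "fixed_in": fixed_in,
            "status": "affected" if affected else "fixed",
        })
    return report


_DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")


def is_digest_pinned(image_ref):
    """True when a reference ends in @sha256:<64 hex>, i.e. it cannot silently move
    to tomorrow's rebuild the way a reused version tag can."""
    return bool(_DIGEST_REF.search(image_ref))


if __name__ == "__main__":
    print("build outcome:", classify_build(SBOM_DAY1, SBOM_DAY2))
    print("changed packages:", diff_builds(SBOM_DAY1, SBOM_DAY2))
    for row in vuln_report(SBOM_DAY2, ADVISORIES):
        print(row)
    print("pinned?", is_digest_pinned("registry.example/mysql:8.4@sha256:" + "a" * 64))
```

Running it shows the day-two build as a digest-only rebuild (only openssl moved, the primary package mysql did not), and the report for that build marks the openssl advisory as fixed while the zlib one stays affected. Point the two SBOM inputs at real exports and the same join tells you what a new digest under an unchanged version tag actually changed.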
Minimus software supply chain security
The Minimus build environment adheres to software supply chain security practices including:
- CI/CD hardening - Minimus uses a secure build pipeline with strict access controls so all packages and images are built in a protected, trustworthy environment.
- Provenance tracking - Minimus verifies the source and authenticity of open source code used in its pipeline.
Beyond the Minimus Registry
- The user-friendly Minimus Console is your primary gateway to the Minimus Registry. Use the console to navigate the gallery of images, understand which versions are available, and learn about any new relevant threat intel and updates (see: About the image gallery).
- You can configure Minimus actions for the registry to push alerts using dedicated webhooks (see: About actions).
- You can also mirror images in your Minimus subscription to your private registry (see: About self-hosting).