clearcutt-cc15 : distroless
Hardened tier — no shells, no coreutils, runtime only.
Advisory: This image is designated as experimental/development only and is strictly not allowed in production workloads.
Published Sat, 30 May 2026 17:13:43 GMT
Last Rebuilt Sat, 30 May 2026 17:13:43 GMT
About this Image & Usage
Explore container capabilities, common use cases, and complete integration blueprints.
Capabilities & Guarantees
This C/C++ distroless base provides a hardened OCI workspace with no shells. It is designed to host statically and dynamically compiled C/C++ binaries with a minimal runtime surface.
Common Use Cases
- Highly secure production hosting of pre-compiled C/C++ server nodes and daemons
- Edge deployments looking for minimal container footprint and current vulnerability evidence
- Executing compiled network filters and low-level controllers in hardened environments
Runtime Security & Execution Contract
Developer blueprints
Copy pre-configured code structures to accelerate deployment pipelines.
# Stage 1: Build the C/C++ application inside GCC dev builder
FROM ghcr.io/northcutted/clearcutt/clearcutt-cc15:v0.6.4-dev AS builder
WORKDIR /app
COPY CMakeLists.txt .
COPY src ./src
RUN cmake . && make
# Stage 2: Hardened runner stage (distroless or slim JRE/runtime)
FROM ghcr.io/northcutted/clearcutt/clearcutt-cc15:v0.6.4-distroless
WORKDIR /app
# Copy compiled executable
COPY --from=builder /app/bin/myapp ./myapp
# Run C/C++ application as secure non-root operator
USER 10001:10001
CMD ["./myapp"]
If your organization mandates a certified base OS (like Red Hat UBI, Amazon Linux, or Ubuntu Pro) for compliance, you can stack ClearCutt's RPATH-bound /nix/store closure directly on top without modifying base layers or bundled agents.
# Stage 1: Pull the ClearCutt secure runtime OCI image to extract its store
FROM ghcr.io/northcutted/clearcutt/clearcutt-cc15:v0.6.4-distroless AS clearcutt
# Stage 2: Graft the runtime onto your mandated base OS (Red Hat UBI, AL2023, Ubuntu)
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4
# Copy the immutable Nix store closure (leaves base OS layers and agents intact)
COPY --from=clearcutt /nix /nix
# Stabilize the runtime path behind /usr/local/bin so ENTRYPOINTs survive store bumps
RUN set -eux; \
runtime_bin="$(find /nix/store -maxdepth 3 -type f -path '*/bin/myapp' | head -n1)"; \
test -n "$runtime_bin"; \
ln -sf "$runtime_bin" /usr/local/bin/myapp; \
/usr/local/bin/myapp --version || /usr/local/bin/myapp -version || true
# Set workspace and run as ClearCutt's secure non-root user (UID 10001)
WORKDIR /app
COPY . .
USER 10001:10001
ENTRYPOINT ["/usr/local/bin/myapp"]# Run an interactive local dev shell with the exact same remediated GCC environment:
$ nix shell github:northcutted/clearcutt-images/v0.6.4#clearcuttCc15-native
# Or declare inside your local flake.nix:
{
inputs.clearcutt.url = "github:northcutted/clearcutt-images/v0.6.4";
outputs = { self, nixpkgs, clearcutt }: {
devShells.x86_64-linux.default = let
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [ clearcutt.overlays.default ];
};
in pkgs.mkShell {
buildInputs = [ pkgs.clearcuttCc15 ];
};
};
}# Build a C/C++ custom image declaratively by compiling via Nix and packaging
pkgs.dockerTools.buildImage {
name = "custom-cpp-daemon";
tag = "latest";
# Layer on top of ClearCutt's base
fromImage = clearcutt-base-image;
copyToRoot = pkgs.buildEnv {
name = "image-root";
paths = [
pkgs.zlib # Layer in extra dynamically-linked libraries
cpp-application # Pure C/C++ binary compiled declaratively via Nix
];
pathsToLink = [ "/bin" "/lib" ];
};
config = {
Cmd = [ "/bin/daemon" ];
User = "10001:10001";
};
}Pull & Run Workspace
Select your preferred container engine or deployment platform target.
Pull by multi-arch digest (Recommended, Secure)
docker pull ghcr.io/northcutted/clearcutt/clearcutt-cc15@sha256:93dcf1bd9068142cb108805c21295ebaef3438c2cf5af10e2c17c14086cafbd5Pinned to release
docker pull ghcr.io/northcutted/clearcutt/clearcutt-cc15:v0.6.4-distrolessQuick pull (rolling)
docker pull ghcr.io/northcutted/clearcutt/clearcutt-cc15:distrolessHardened docker run
docker run --rm \
--read-only \
--cap-drop=ALL \
--security-opt no-new-privileges \
--user 10001:10001 \
--tmpfs /tmp:mode=1777 \
ghcr.io/northcutted/clearcutt/clearcutt-cc15:v0.6.4-distrolessPull by multi-arch digest (Recommended, Secure)
podman pull ghcr.io/northcutted/clearcutt/clearcutt-cc15@sha256:93dcf1bd9068142cb108805c21295ebaef3438c2cf5af10e2c17c14086cafbd5Pinned to release
podman pull ghcr.io/northcutted/clearcutt/clearcutt-cc15:v0.6.4-distrolessQuick pull (rolling)
podman pull ghcr.io/northcutted/clearcutt/clearcutt-cc15:distrolessHardened podman run
podman run --rm \
--read-only \
--cap-drop=ALL \
--security-opt no-new-privileges \
--user 10001:10001 \
--tmpfs /tmp:mode=1777 \
ghcr.io/northcutted/clearcutt/clearcutt-cc15:v0.6.4-distrolessservices:
app:
image: ghcr.io/northcutted/clearcutt/clearcutt-cc15:v0.6.4-distroless
read_only: true
user: "10001:10001"
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
tmpfs:
- /tmp:mode=1777apiVersion: v1
kind: Pod
metadata:
name: clearcutt-cc15
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 10001
runAsGroup: 10001
seccompProfile: { type: RuntimeDefault }
containers:
- name: app
image: ghcr.io/northcutted/clearcutt/clearcutt-cc15:v0.6.4-distroless
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities: { drop: ["ALL"] }
volumeMounts:
- { name: tmp, mountPath: /tmp }
volumes:
- { name: tmp, emptyDir: { medium: Memory } }{
inputs.clearcutt.url = "github:northcutted/clearcutt/v0.6.4";
outputs = { self, nixpkgs, clearcutt }: {
devShells.x86_64-linux.default = let
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [ clearcutt.overlays.default ];
};
in pkgs.mkShell {
buildInputs = [ pkgs.clearcuttCc15 ];
};
};
}Verify & Audit Compliance
Inspect supply chain provenance, run local cryptographic OIDC audits, and review vulnerability gates.
Provenance & signatures
Cryptographically audit OCI identity claims and supply chain gating artifacts.
Cryptographic Proof
VERIFIED KEYLESSOIDC Certificate Subject
Supply Chain Provenance
SLSA LEVEL 3Compilation & Gates
GATES PASSEDAttestations
4 kinds of evidence for this image. The counts are how many times each was independently signed into the public transparency log — not how many distinct artifacts exist.
cosign verify-attestation. gh attestation verify. The subject above is the multi-arch index (amd64 + arm64). Each architecture's SBOM is attested separately, in both ecosystems — so one SBOM naturally appears as several signed records below. Records also accumulate as the image is rebuilt, with each release re-signing into the transparency log afresh. Every entry is independent and publicly verifiable: click any #index below to inspect it in Sigstore Rekor, or use the copy-paste commands below to verify them locally.
How and where the image was built — binds this digest to the exact workflow run, commit, and builder.
Software Bill of Materials — the full inventory of packages baked into the image.
Signed evidence that the release-gate test suite passed for this exact digest.
The keyless cosign signature statement covering the image index.
Active Verification Toolkit
Run local cryptographic OIDC audits and generate Kyverno cluster policies to enforce supply chain integrity.
Direct Cryptographic Evidence & Verification
https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main https://token.actions.githubusercontent.com sha256:93dcf1bd9068142cb108805c21295ebaef3438c2cf5af10e2c17c14086cafbd5 Run the native compiled Go CLI command locally to verify the registry digest, Sigstore signature, SBOM and test attestations, and SLSA provenance:
clearcutt verify release-evidence \
--ref ghcr.io/northcutted/clearcutt/clearcutt-cc15@sha256:93dcf1bd9068142cb108805c21295ebaef3438c2cf5af10e2c17c14086cafbd5 \
--repo northcutted/clearcutt \
--workflow-identity 'https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main'1. Inspect Security Metadata
Query deep, high-fidelity security metadata, dynamic entrypoints, non-root user settings, architectures, and release asset URLs.
clearcutt inspect cc15-distroless --tag v0.6.42. Local Policy Gate Verification
Enforce signatures, SBOMs, SLSA provenance, smoke tests, vulnerability limits, and lifecycle constraints locally or in CI pipelines.
clearcutt verify image cc15-distroless \
--tag v0.6.4 \
--require-production \
--require-signature \
--require-sbom \
--require-provenance \
--max-critical 0 \
--max-high 53. Runtime Conformance Audit
Verify runtime specifications offline, asserting timezone configurations, dynamic links, CA certificate paths, and rootless isolation boundaries.
clearcutt conformance run \
--expect-runtime cc4. Scaffold Nix Overlay Graft
Under strict corporate base OS mandates, generate a workspace scaffolding to graft this runtime overlay onto existing host layers.
clearcutt overlay generate \
--runtime cc15 \
--tier distroless \
--base registry.access.redhat.com/ubi9/ubi-minimal \
--output my-cc15-overlay/1. Verify Keyless OIDC Signature
Confirm this OCI image was built in your official release workflow and signed via keyless OIDC certificates.
cosign verify ghcr.io/northcutted/clearcutt/clearcutt-cc15@sha256:93dcf1bd9068142cb108805c21295ebaef3438c2cf5af10e2c17c14086cafbd5 \
--certificate-identity 'https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--output json2. Verify Cryptographic SBOM Attestation
Extract and cryptographically verify the compiled package software bill of materials statement.
cosign verify-attestation ghcr.io/northcutted/clearcutt/clearcutt-cc15@sha256:93dcf1bd9068142cb108805c21295ebaef3438c2cf5af10e2c17c14086cafbd5 \
--type spdxjson \
--certificate-identity 'https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
| jq '.payload | @base64d | fromjson | .predicate'slsa-verifier (SLSA Build L3)
Verify SLSA Build L3 provenance from the configured builder and source ref.
slsa-verifier verify-image ghcr.io/northcutted/clearcutt/clearcutt-cc15@sha256:93dcf1bd9068142cb108805c21295ebaef3438c2cf5af10e2c17c14086cafbd5 \
--source-uri 'github.com/northcutted/clearcutt' \
--source-branch 'main'GitHub Native Attestation
Audit standard GitHub OCI attestations natively using the GitHub CLI client.
gh attestation verify oci://ghcr.io/northcutted/clearcutt/clearcutt-cc15@sha256:93dcf1bd9068142cb108805c21295ebaef3438c2cf5af10e2c17c14086cafbd5 \
--repo northcutted/clearcutt \
--cert-identity 'https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main' \
--source-ref refs/heads/mainAdmission Control (Kyverno Policy)
Enforce keyless signature and cryptographic SBOM attestation checks in Kubernetes clusters dynamically.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-clearcutt-cc15
spec:
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
rules:
- name: verify-cosign-signature
match:
any:
- resources:
kinds: [Pod]
verifyImages:
- imageReferences: ["ghcr.io/northcutted/clearcutt/clearcutt-cc15:*"]
attestors:
- entries:
- keyless:
subject: "https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
attestations:
- predicateType: "https://spdx.dev/Document"
attestors:
- entries:
- keyless:
subject: "https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
mutateDigest: true
verifyDigest: true
required: trueDeep-Dive & OCI Specifications
Analyze the full Nix store dependency closure, image layer architecture, and OCI configuration labels.
Software Bill of Materials
Every package included in the image's /nix/store
closure. Generated from the actual OCI archive at build time and attached as an SPDX SBOM,
using the same package inventory as the CVE findings above.
SBOM generated Sat, 30 May 2026 16:44:16 GMT. Toggle between architectures; the package set typically matches but layer hashes differ.
Layer explorer
Click any layer card in the cohesive OCI stack below to inspect its digest, size, packages, and vulnerability density.
No known vulnerabilities are introduced by the packages compiled in this specific Nix closure layer.
Image Specifications & Release Ledger
Inspect the static OCI container metadata labels and browse the immutable published release history for this image.
| Key | Value |
|---|---|
| org.opencontainers.image.authors | Eddie Northcutt |
| org.opencontainers.image.description | Hardened ClearCutt Base Image for cc (15) - Tier: distroless |
| org.opencontainers.image.licenses | Apache-2.0 |
| org.opencontainers.image.ref.name | distroless |
| org.opencontainers.image.source | https://github.com/northcutted/clearcutt |
| org.opencontainers.image.title | clearcutt-cc-15 |
| org.opencontainers.image.url | https://github.com/northcutted/clearcutt |
| org.opencontainers.image.vendor | Eddie Northcutt |
| org.opencontainers.image.version | 15 |
| Tag | Published | Archs | Packages | |
|---|---|---|---|---|
| v0.8.1 latest | Thu, 04 Jun 2026 00:36:30 GMT | amd64arm64 | 7 | .intoto.jsonl ↗ |
| v0.8.0 | Wed, 03 Jun 2026 01:16:58 GMT | amd64arm64 | 7 | .intoto.jsonl ↗ |
| v0.7.2 | Sun, 31 May 2026 16:32:29 GMT | amd64arm64 | 7 | .intoto.jsonl ↗ |
| v0.7.0 | Sun, 31 May 2026 00:59:17 GMT | amd64arm64 | 1 | .intoto.jsonl ↗ |
| v0.6.5 | Sat, 30 May 2026 19:24:38 GMT | amd64arm64 | 1 | .intoto.jsonl ↗ |
| v0.6.4 | Sat, 30 May 2026 17:13:43 GMT | amd64arm64 | 1 | .intoto.jsonl ↗ |
| v0.6.3 | Sat, 30 May 2026 16:09:42 GMT | amd64arm64 | 1 | .intoto.jsonl ↗ |
| v0.5.0 | Sat, 30 May 2026 03:49:37 GMT | amd64arm64 | 1 | .intoto.jsonl ↗ |
| v0.4.1 | Fri, 29 May 2026 23:48:33 GMT | amd64arm64 | 1 | .intoto.jsonl ↗ |
| v0.2.1 | Fri, 29 May 2026 13:44:59 GMT | amd64arm64 | 1 | .intoto.jsonl ↗ |