clearcutt-rust1.95 : slim
Runtime tier — language runtime plus minimal troubleshooting binaries.
Advisory: This image is designated as experimental/development only and is strictly not allowed in production workloads.
Published Fri, 29 May 2026 23:48:33 GMT
Last Rebuilt Fri, 29 May 2026 23:48:33 GMT
About this Image & Usage
Explore container capabilities, common use cases, and complete integration blueprints.
Capabilities & Guarantees
This Rust runtime image delivers standard system libraries and a restricted BusyBox shell, ideal for hosting pre-built Rust binaries that require limited terminal troubleshooting utilities.
Common Use Cases
- Hosting lightweight compiled Rust services requiring staging terminal log triggers
- Running network diagnostics or system utilities compiled natively in Rust
- Staging environments requiring active file system monitoring and shell utilities
Runtime Security & Execution Contract
Developer blueprints
Copy pre-configured code structures to accelerate deployment pipelines.
# Stage 1: Build optimized Rust binary in dev cargo compiler builder
FROM ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:v0.4.1-dev AS builder
WORKDIR /app
COPY Cargo.toml Cargo.lock ./
# Create dummy main to cache dependency compilation
RUN mkdir src && echo "fn main() {}" > src/main.rs && cargo build --release
COPY . .
RUN touch src/main.rs && cargo build --release
# Stage 2: Hardened runner stage (distroless or slim OCI runtime)
FROM ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:v0.4.1-slim
WORKDIR /app
# Copy compiled Rust executable
COPY --from=builder /app/target/release/myapp ./myapp
# Run Rust application as secure non-root operator
USER 10001:10001
CMD ["./myapp"]
If your organization mandates a certified base OS (like Red Hat UBI, Amazon Linux, or Ubuntu Pro) for compliance, you can stack ClearCutt's RPATH-bound /nix/store closure directly on top without modifying base layers or bundled agents.
# Stage 1: Pull the ClearCutt secure runtime OCI image to extract its store
FROM ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:v0.4.1-slim AS clearcutt
# Stage 2: Graft the runtime onto your mandated base OS (Red Hat UBI, AL2023, Ubuntu)
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4
# Copy the immutable Nix store closure (leaves base OS layers and agents intact)
COPY --from=clearcutt /nix /nix
# Stabilize the runtime path behind /usr/local/bin so ENTRYPOINTs survive store bumps
RUN set -eux; \
runtime_bin="$(find /nix/store -maxdepth 3 -type f -path '*/bin/myapp' | head -n1)"; \
test -n "$runtime_bin"; \
ln -sf "$runtime_bin" /usr/local/bin/myapp; \
/usr/local/bin/myapp --version || /usr/local/bin/myapp -version || true
# Set workspace and run as ClearCutt's secure non-root user (UID 10001)
WORKDIR /app
COPY . .
USER 10001:10001
ENTRYPOINT ["/usr/local/bin/myapp"]# Run an interactive local dev shell with the exact same remediated Rust compiler:
$ nix shell github:northcutted/clearcutt-images/v0.4.1#clearcuttRust195-native
# Or declare inside your local flake.nix:
{
inputs.clearcutt.url = "github:northcutted/clearcutt-images/v0.4.1";
outputs = { self, nixpkgs, clearcutt }: {
devShells.x86_64-linux.default = let
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [ clearcutt.overlays.default ];
};
in pkgs.mkShell {
buildInputs = [ pkgs.clearcuttRust195 ];
};
};
}# Build a Rust OCI container declaratively via Nix
pkgs.dockerTools.buildImage {
name = "custom-rust-app";
tag = "latest";
# Layer on top of ClearCutt's base
fromImage = clearcutt-base-image;
copyToRoot = pkgs.buildEnv {
name = "image-root";
paths = [
rust-compiled-binary # Highly optimized Rust package compiled cleanly
];
pathsToLink = [ "/bin" ];
};
config = {
Cmd = [ "/bin/rust-app" ];
User = "10001:10001";
};
}Pull & Run Workspace
Select your preferred container engine or deployment platform target.
Pull by multi-arch digest (Recommended, Secure)
docker pull ghcr.io/northcutted/clearcutt/clearcutt-rust1.95@sha256:78914a429ef718a0d33c82a4f299a43eda58a8f57552d2a60790f86ee9930c4aPinned to release
docker pull ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:v0.4.1-slimQuick pull (rolling)
docker pull ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:slimHardened docker run
docker run --rm \
--read-only \
--cap-drop=ALL \
--security-opt no-new-privileges \
--user 10001:10001 \
--tmpfs /tmp:mode=1777 \
ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:v0.4.1-slimPull by multi-arch digest (Recommended, Secure)
podman pull ghcr.io/northcutted/clearcutt/clearcutt-rust1.95@sha256:78914a429ef718a0d33c82a4f299a43eda58a8f57552d2a60790f86ee9930c4aPinned to release
podman pull ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:v0.4.1-slimQuick pull (rolling)
podman pull ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:slimHardened podman run
podman run --rm \
--read-only \
--cap-drop=ALL \
--security-opt no-new-privileges \
--user 10001:10001 \
--tmpfs /tmp:mode=1777 \
ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:v0.4.1-slimservices:
app:
image: ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:v0.4.1-slim
read_only: true
user: "10001:10001"
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
tmpfs:
- /tmp:mode=1777apiVersion: v1
kind: Pod
metadata:
name: clearcutt-rust1.95
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 10001
runAsGroup: 10001
seccompProfile: { type: RuntimeDefault }
containers:
- name: app
image: ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:v0.4.1-slim
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities: { drop: ["ALL"] }
volumeMounts:
- { name: tmp, mountPath: /tmp }
volumes:
- { name: tmp, emptyDir: { medium: Memory } }{
inputs.clearcutt.url = "github:northcutted/clearcutt/v0.4.1";
outputs = { self, nixpkgs, clearcutt }: {
devShells.x86_64-linux.default = let
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [ clearcutt.overlays.default ];
};
in pkgs.mkShell {
buildInputs = [ pkgs.clearcuttRust195 ];
};
};
}Verify & Audit Compliance
Inspect supply chain provenance, run local cryptographic OIDC audits, and review vulnerability gates.
Provenance & signatures
Cryptographically audit OCI identity claims and supply chain gating artifacts.
Cryptographic Proof
VERIFIED KEYLESSOIDC Certificate Subject
Supply Chain Provenance
SLSA LEVEL 3Compilation & Gates
GATES PASSEDAttestations
4 kinds of evidence for this image. The counts are how many times each was independently signed into the public transparency log — not how many distinct artifacts exist.
cosign verify-attestation. gh attestation verify. The subject above is the multi-arch index (amd64 + arm64). Each architecture's SBOM is attested separately, in both ecosystems — so one SBOM naturally appears as several signed records below. Records also accumulate as the image is rebuilt, with each release re-signing into the transparency log afresh. Every entry is independent and publicly verifiable: click any #index below to inspect it in Sigstore Rekor, or use the copy-paste commands below to verify them locally.
How and where the image was built — binds this digest to the exact workflow run, commit, and builder.
Software Bill of Materials — the full inventory of packages baked into the image.
Signed evidence that the release-gate test suite passed for this exact digest.
The keyless cosign signature statement covering the image index.
Active Verification Toolkit
Run local cryptographic OIDC audits and generate Kyverno cluster policies to enforce supply chain integrity.
Direct Cryptographic Evidence & Verification
https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main https://token.actions.githubusercontent.com sha256:78914a429ef718a0d33c82a4f299a43eda58a8f57552d2a60790f86ee9930c4a Run the native compiled Go CLI command locally to verify the registry digest, Sigstore signature, SBOM and test attestations, and SLSA provenance:
clearcutt verify release-evidence \
--ref ghcr.io/northcutted/clearcutt/clearcutt-rust1.95@sha256:78914a429ef718a0d33c82a4f299a43eda58a8f57552d2a60790f86ee9930c4a \
--repo northcutted/clearcutt \
--workflow-identity 'https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main'1. Inspect Security Metadata
Query deep, high-fidelity security metadata, dynamic entrypoints, non-root user settings, architectures, and release asset URLs.
clearcutt inspect rust1.95-slim --tag v0.4.12. Local Policy Gate Verification
Enforce signatures, SBOMs, SLSA provenance, smoke tests, vulnerability limits, and lifecycle constraints locally or in CI pipelines.
clearcutt verify image rust1.95-slim \
--tag v0.4.1 \
--require-production \
--require-signature \
--require-sbom \
--require-provenance \
--max-critical 0 \
--max-high 53. Runtime Conformance Audit
Verify runtime specifications offline, asserting timezone configurations, dynamic links, CA certificate paths, and rootless isolation boundaries.
clearcutt conformance run \
--expect-runtime rust4. Scaffold Nix Overlay Graft
Under strict corporate base OS mandates, generate a workspace scaffolding to graft this runtime overlay onto existing host layers.
clearcutt overlay generate \
--runtime rust1.95 \
--tier slim \
--base registry.access.redhat.com/ubi9/ubi-minimal \
--output my-rust1.95-overlay/1. Verify Keyless OIDC Signature
Confirm this OCI image was built in your official release workflow and signed via keyless OIDC certificates.
cosign verify ghcr.io/northcutted/clearcutt/clearcutt-rust1.95@sha256:78914a429ef718a0d33c82a4f299a43eda58a8f57552d2a60790f86ee9930c4a \
--certificate-identity 'https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--output json2. Verify Cryptographic SBOM Attestation
Extract and cryptographically verify the compiled package software bill of materials statement.
cosign verify-attestation ghcr.io/northcutted/clearcutt/clearcutt-rust1.95@sha256:78914a429ef718a0d33c82a4f299a43eda58a8f57552d2a60790f86ee9930c4a \
--type spdxjson \
--certificate-identity 'https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
| jq '.payload | @base64d | fromjson | .predicate'slsa-verifier (SLSA Build L3)
Verify SLSA Build L3 provenance from the configured builder and source ref.
slsa-verifier verify-image ghcr.io/northcutted/clearcutt/clearcutt-rust1.95@sha256:78914a429ef718a0d33c82a4f299a43eda58a8f57552d2a60790f86ee9930c4a \
--source-uri 'github.com/northcutted/clearcutt' \
--source-branch 'main'GitHub Native Attestation
Audit standard GitHub OCI attestations natively using the GitHub CLI client.
gh attestation verify oci://ghcr.io/northcutted/clearcutt/clearcutt-rust1.95@sha256:78914a429ef718a0d33c82a4f299a43eda58a8f57552d2a60790f86ee9930c4a \
--repo northcutted/clearcutt \
--cert-identity 'https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main' \
--source-ref refs/heads/mainAdmission Control (Kyverno Policy)
Enforce keyless signature and cryptographic SBOM attestation checks in Kubernetes clusters dynamically.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-clearcutt-rust1.95
spec:
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
rules:
- name: verify-cosign-signature
match:
any:
- resources:
kinds: [Pod]
verifyImages:
- imageReferences: ["ghcr.io/northcutted/clearcutt/clearcutt-rust1.95:*"]
attestors:
- entries:
- keyless:
subject: "https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
attestations:
- predicateType: "https://spdx.dev/Document"
attestors:
- entries:
- keyless:
subject: "https://github.com/northcutted/clearcutt/.github/workflows/release.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
mutateDigest: true
verifyDigest: true
required: trueDeep-Dive & OCI Specifications
Analyze the full Nix store dependency closure, image layer architecture, and OCI configuration labels.
Software Bill of Materials
Every package included in the image's /nix/store
closure. Generated from the actual OCI archive at build time and attached as an SPDX SBOM,
using the same package inventory as the CVE findings above.
SBOM generated Fri, 29 May 2026 23:30:58 GMT. Toggle between architectures; the package set typically matches but layer hashes differ.
SBOM package ledger
Layer explorer
Click any layer card in the cohesive OCI stack below to inspect its digest, size, packages, and vulnerability density.
No known vulnerabilities are introduced by the packages compiled in this specific Nix closure layer.
Image Specifications & Release Ledger
Inspect the static OCI container metadata labels and browse the immutable published release history for this image.
| Key | Value |
|---|---|
| org.opencontainers.image.authors | Eddie Northcutt |
| org.opencontainers.image.description | Hardened ClearCutt Base Image for rust (1.95) - Tier: slim |
| org.opencontainers.image.licenses | Apache-2.0 |
| org.opencontainers.image.ref.name | slim |
| org.opencontainers.image.source | https://github.com/northcutted/clearcutt |
| org.opencontainers.image.title | clearcutt-rust-1.95 |
| org.opencontainers.image.url | https://github.com/northcutted/clearcutt |
| org.opencontainers.image.vendor | Eddie Northcutt |
| org.opencontainers.image.version | 1.95 |
| Tag | Published | Archs | Packages | |
|---|---|---|---|---|
| v0.8.1 latest | Thu, 04 Jun 2026 00:36:30 GMT | amd64arm64 | 13 | .intoto.jsonl ↗ |
| v0.8.0 | Wed, 03 Jun 2026 01:16:58 GMT | amd64arm64 | 13 | .intoto.jsonl ↗ |
| v0.7.2 | Sun, 31 May 2026 16:32:29 GMT | amd64arm64 | 13 | .intoto.jsonl ↗ |
| v0.7.0 | Sun, 31 May 2026 00:59:17 GMT | amd64arm64 | 11 | .intoto.jsonl ↗ |
| v0.6.5 | Sat, 30 May 2026 19:24:38 GMT | amd64arm64 | 11 | .intoto.jsonl ↗ |
| v0.6.4 | Sat, 30 May 2026 17:13:43 GMT | amd64arm64 | 11 | .intoto.jsonl ↗ |
| v0.6.3 | Sat, 30 May 2026 16:09:42 GMT | amd64arm64 | 11 | .intoto.jsonl ↗ |
| v0.5.0 | Sat, 30 May 2026 03:49:37 GMT | amd64arm64 | 11 | .intoto.jsonl ↗ |
| v0.4.1 | Fri, 29 May 2026 23:48:33 GMT | amd64arm64 | 11 | .intoto.jsonl ↗ |
| v0.2.1 | Fri, 29 May 2026 13:44:59 GMT | amd64arm64 | 11 | .intoto.jsonl ↗ |