Artifact Registry is a universal package management service that supports containers and other formats. Learn about transitioning from Container Registry to gain greater flexibility and control over your artifacts.

Managed base images

Managed base images are base container images that are automatically patched by Google for security vulnerabilities, using the most recent patches available from the project upstream (for example, GitHub). These images are available for any GCP customer.

This document describes managed container images and how they're maintained.

For information about the license that applies to managed base images, refer to the managed base images LICENSE file.

Container images and operating systems

When you deploy a container, you choose two separate operating systems and images:

Your container image is built by taking an operating system base image, and adding the packages, libraries, and binaries needed for your application.

How managed base images are maintained

Google maintains base images for building its own applications, including Google Cloud services like Google App Engine.

Managed base images have security properties which can make them desirable for some uses:

  • They're regularly scanned for known vulnerabilities, from the CVE database.

    This scan uses the same functionality as Container Registry Vulnerability Scanning. When a patch is available for a found vulnerability, Google applies that patch.

  • They're built reproducibly, so there is a verifiable path from the source code to the binary.

    You can verify the image by comparing it to the GitHub source, ensuring that the build has not introduced any flaws.

  • They're stored on Google Cloud, so you can pull these directly from your environment without having to traverse networks.

    You can pull these images using Private Google Access. You can of course still use them outside of Google Cloud.

Available container images

Managed base images are available in GCP Marketplace.

Managed base images are available for the following OS distributions:

OS Source Repository path GCP Marketplace listing
CentOS GitHub GCP Marketplace
Debian 9 "Stretch" GitHub GCP Marketplace
Debian 10 "Buster" GitHub GCP Marketplace
Ubuntu 16.04 GitHub GCP Marketplace
Ubuntu 18.04 GitHub GCP Marketplace

Operating system lifecycle and support policy

Support for managed base images is subject to the lifecycles of the corresponding OS distributions. Unless otherwise noted, Google publishes updated images at least monthly. Published updates include security updates and other updates installed for operating system versions that are in the mainstream support stage of their lifecycles.

When an operating system version enters its extended lifecycle stage, Google no longer provides updated images. Google generally does not backport new features to these versions in the extended lifecycle stage or past the extended lifecycle.

Alternative options

If managed base images aren't for you, there are suitable alternatives:

  • Cached images are frequently requested Docker Hub images stored on If you configure your Docker daemon to use cached images, your client always checks for a cached copy of a Docker Hub image before attempting to pull it directly from Docker Hub.

    Learn more about pulling cached images.

For more ways to protect your software supply chain, including image validation, see Help secure software supply chains on Google Kubernetes Engine.