Base images

Stay organized with collections Save and categorize content based on your preferences.

This page provides an overview of Google-provided base container images.

What are base images?

Most container-based development starts with a base image and layers on top of it the necessary libraries, binaries, and configuration files necessary to run an application. The base image is the starting point for most container-based development workflows.

Most base images are basic or minimal Linux distributions: Debian, Ubuntu, Redhat, Centos, or Alpine. Developers usually consume these images directly from Docker Hub, or other sources. There are official providers along with a wide variety of other downstream repackagers that layer software to meet customer needs.

Google provides the following two solutions for base images:

  • Google maintains base images for building its own applications. These images are available to users at Google Cloud Marketplace. Google maintains these images on a best effort basis.

  • Google provides a secure image pipeline, which is an open source tool that enables you to generate and maintain your own secure base images. You can consume these images from your Google Cloud project.

Google-provided base images

Google-provided base images are available for the following OS distributions:

OS Source Repository path Google Cloud Marketplace listing
CentOS 7 GitHub Google Cloud Marketplace
CentOS 8 GitHub Google Cloud Marketplace
Debian 9 "Stretch" GitHub Google Cloud Marketplace
Debian 10 "Buster" GitHub Google Cloud Marketplace
Debian 11 "Bullseye" GitHub Google Cloud Marketplace
Ubuntu 18.04 GitHub Google Cloud Marketplace
Ubuntu 20.04 GitHub Google Cloud Marketplace

For information about the license that applies to base images, refer to the base images LICENSE file.

The Google-provided base images have the following advantages:

Scanned for known vulnerabilities

They're regularly scanned for known vulnerabilities from the CVE database.

This scan uses the same functionality as Artifact Registry Vulnerability Scanning. When a patch is available for a found vulnerability, Google applies that patch.

Built reproducibly

They're built reproducibly so there is a verifiable path from the source code to the binary.

You can verify the image by comparing it to the GitHub source, ensuring that the build has not introduced any flaws.

Stored on Google Cloud

They're stored on Google Cloud so you can pull these directly from your environment without having to traverse networks.

Secure image pipeline

All of the out-of-the-box base images suffer from the inability of consumers to audit what is in them. There is no visibility to the sources, build and test processes, or methods of handling the images. Bad actors often add malicious software downstream of the base images. When users consume base images from the public repositories, there is no control of the software supply chain at the root of their application environment.

So, when customers have compliance needs that require auditing every piece of software they run and the environments in which they run, they build something in house. The work to do so takes effort to build and maintain.

Secure image pipeline enables you to generate and maintain your own secure base images. You can consume the generated base images from your Google Cloud project.

You can generate base images for the following OS distributions:

  • Debian
  • Ubuntu
  • CentOS
  • Alpine

For instructions on setting up your secure image pipeline see Creating the secure image pipeline.

Alternative options

If base images aren't for you, you can use Cached images, which are frequently requested Docker Hub images stored on If you configure your Docker daemon to use cached images, your client always checks for a cached copy of a Docker Hub image before attempting to pull it directly from Docker Hub.

Learn more about pulling cached images.

For more ways to protect your software supply chain, including image validation, see Help secure software supply chains on Google Kubernetes Engine.

What's next