NATS 2
hardened
latest
Size Reduction
-408%
17.2 MB to 87.5 MB (-70.3 MB saved)
Component Reduction
-167%
12 to 32 packages (-20 removed)
Vulnerability Reduction
20%
10 to 8 vulnerabilities (2 eliminated)
Image Comparison
| Property | upstream | hardened |
|---|---|---|
| Image | docker.io/library/nats:2.12.2 | ghcr.io/armorred/nats:2-hardened |
| Size | 17.2 MB | 87.5 MB |
| Layers | 2 | 22 |
| Components | 12 | 32 |
| Vulnerabilities | 10 | 8 |
| Runtime User | root | 999 |
Vulnerability Analysis
upstream
10 total
hardened
8 total
Upstream vulnerability details (10)
| CVE ID | Severity | Package | Version | Fixed In |
|---|---|---|---|---|
| GO-2025-4134 | medium | golang.org/x/crypto | v0.43.0 | 0.45.0 |
| GO-2025-4135 | medium | golang.org/x/crypto | v0.43.0 | 0.45.0 |
| GHSA-f6x5-jh6r-wrfv | medium | golang.org/x/crypto | v0.43.0 | 0.45.0 |
| GHSA-j5w8-q4qc-rx2x | medium | golang.org/x/crypto | v0.43.0 | 0.45.0 |
| GO-2025-4155 | unknown | stdlib | 1.25.4 | 1.24.11 |
| GO-2025-4175 | unknown | stdlib | 1.25.4 | 1.24.11 |
| GO-2026-4337 | unknown | stdlib | 1.25.4 | 1.24.13 |
| GO-2026-4340 | unknown | stdlib | 1.25.4 | 1.24.12 |
| GO-2026-4341 | unknown | stdlib | 1.25.4 | 1.24.12 |
| GO-2026-4342 | unknown | stdlib | 1.25.4 | 1.24.12 |
Hardened vulnerability details (8)
| CVE ID | Severity | Package | Version | Fixed In |
|---|---|---|---|---|
| GO-2025-4134 | medium | golang.org/x/crypto | v0.43.0 | 0.45.0 |
| GO-2025-4135 | medium | golang.org/x/crypto | v0.43.0 | 0.45.0 |
| GHSA-f6x5-jh6r-wrfv | medium | golang.org/x/crypto | v0.43.0 | 0.45.0 |
| GHSA-j5w8-q4qc-rx2x | medium | golang.org/x/crypto | v0.43.0 | 0.45.0 |
| GO-2026-4337 | unknown | stdlib | 1.25.5 | 1.24.13 |
| GO-2026-4340 | unknown | stdlib | 1.25.5 | 1.24.12 |
| GO-2026-4341 | unknown | stdlib | 1.25.5 | 1.24.12 |
| GO-2026-4342 | unknown | stdlib | 1.25.5 | 1.24.12 |
Software Bill of Materials
upstream components (12)
- github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op
- github.com/klauspost/compress v1.18.1
- github.com/minio/highwayhash v1.0.4-0.20251030100505-070ab1a87a76
- github.com/nats-io/jwt/v2 v2.8.0
- github.com/nats-io/nats-server/v2 v2.12.2
- github.com/nats-io/nkeys v0.4.11
- github.com/nats-io/nuid v1.0.1
- go.uber.org/automaxprocs v1.6.0
- golang.org/x/crypto v0.43.0
- golang.org/x/sys v0.38.0
- golang.org/x/time v0.14.0
- stdlib go1.25.4
hardened components (32)
- acl 2.3.2
- attr 2.5.2
- bash-interactive 5.3p3
- coreutils 9.8
- gawk 5.3.2
- gcc 15.2.0
- gcc 15.2.0
- github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op
- github.com/klauspost/compress v1.18.1
- github.com/minio/highwayhash v1.0.4-0.20251030100505-070ab1a87a76
- github.com/nats-io/jwt/v2 v2.8.0
- github.com/nats-io/nats-server/v2 UNKNOWN
- github.com/nats-io/nkeys v0.4.11
- github.com/nats-io/nuid v1.0.1
- glibc 2.40-66
- gmp-with-cxx 6.3.0
- gnugrep 3.12
- go.uber.org/automaxprocs v1.6.0
- golang.org/x/crypto v0.43.0
- golang.org/x/sys v0.38.0
- golang.org/x/time v0.14.0
- iana-etc 20250505
- libidn2 2.3.8
- libunistring 1.4.1
- mailcap 2.1.54
- nats-server 2.12.2
- ncurses 6.5
- pcre2 10.46
- readline 8.3p1
- stdlib go1.25.5
- tzdata 2025b
- xgcc 15.2.0
Download SBOMs
Usage
$
podman pull ghcr.io/armorred/nats:2
Verify Signature
$
cosign verify --key https://armorred.org/cosign.pub ghcr.io/armorred/nats:2