The base image is a critical factor in determining a containerized application's overall responsiveness, resource efficiency, and security. A Bitnami Secure Image (BSI) Node.js Minimal provides a secure and efficient alternative to standard Node.js images. Let's explore why.
What is a BSI Node.js Minimal Image?
The BSI Node.js Minimal image (bitnamisecure/node-min:latest) is a specialized container that contains only the necessary components to run a Node.js application. This approach removes unnecessary binaries such as npm and yarn, along with other libraries and dependencies, making the image significantly smaller and more secure.
The public and up-to-date image is accessible via https://hub.docker.com/u/bitnamisecure.
When to Use BSI Node.js Minimal Image?
A Bitnami Secure Image Node.js Minimal image excels in several key areas:
-
Optimized for Microservices. Minimal images align perfectly with microservices architectures by providing a small footprint. This enables faster deployments, minimizes resource consumption, and makes them ideal for resource-constrained environments like IoT and edge computing.
-
Resource Efficiency: Opting for smaller images can lead to significant savings on cloud storage and bandwidth expenses. Besides, lower resource consumption leads to potential savings on server costs and reduces storage fees.
-
Robust Security by Design: By reducing the number of components, these images minimize the attack surface. This lowers the risk of vulnerabilities and simplifies security auditing, as the image includes only the essential elements needed to run the application.
Containerizing a Node.js Application with BSI Images
Let's walk through building a sample Node.js project and containerizing it with BSI images.
Setting Up the Sample Project
We'll use Express, a lightweight and flexible web framework for Node.js. It's a popular choice for building web applications due to its robust features.
First, we'll create a simple Node.js project with the following two key files:
{
"name": "nodejs-example",
"description": "nodejs example image",
"version": "0.1.0",
"main": "app.js",
"dependencies": {
"express": "^5.1.0"
}
}
-
app.js: The main application entry point, configured to listen on port 8080 and handle requests for the /, /containers, and /charts routes.
const express = require('express');
const app = express();
const router = express.Router();
const path = __dirname + '/views/';
const port = 8080;
router.use(function (req,res,next) {
console.log('/' + req.method);
next();
});
router.get('/', function(req,res){
res.sendFile(path + 'index.html');
});
router.get('/containers', function(req,res){
res.sendFile(path + 'containers.html');
});
router.get('/charts', function(req,res){
res.sendFile(path + 'charts.html');
});
app.use(express.static(path));
app.use('/', router);
app.listen(port, function () {
console.log('Node.js example app listening on port 8080!')
})
Under the views folder, we'll create the HTML and CSS files to style our pages. While this part isn't critical to the main topic of this blog, you can download the complete example from the provided link to get the full code.
Building the Container Image
Once we have the necessary files, we can build our containerized image. We will use a multi-stage build to separate the build environment from the final runtime image. This ensures that build tools like npm, compilers, and other development dependencies are not included in the final image, significantly reducing its size and potential security holes.
The first stage uses the bitnamisecure/node:latest image. This image contains the full set of tools needed to download and install your application's dependencies. This temporary stage is where all the heavy lifting of the build process happens.
The final application is then run using the bitnamisecure/node-min:latest image. This is a minimal, hardened base that includes only the Node.js runtime and essential libraries. By copying only the necessary artifacts from the first stage, we achieve a lightweight and secure final image.
The resulting Dockerfile is shown below:
# Use Node.js image to download deps with npm install
FROM bitnamisecure/node:latest AS builder
WORKDIR /tmp/app
COPY app.js package.json /tmp/app/
COPY views /tmp/app/views
RUN npm install
# Use Node.js minimal image to run our app
FROM bitnamisecure/node-min:latest
WORKDIR /app
COPY --from=builder /tmp/app /app
EXPOSE 8080
ENTRYPOINT ["node", "app.js"]
Let’s build and run this image:
$ docker build -t nodejs-example:latest.
$ docker run --rm -it -p 8080:8080 --name nodejs-example nodejs-example
Navigate your browser to http://localhost:8080. It should load the following landing page:
The final image is a compact 49MB. This result demonstrates the value of using a minimal base image and a multi-stage build to create highly efficient containers.
Security and Compliance: The BSI Advantage
Distroless and Minimal Base
Minimizing the attack surface is a core principle of container security. By including fewer packages and services, you can reduce potential entry points for malicious actors and lower the number of CVEs. This provides a more secure and robust environment for running your applications.
This is precisely why the BSI Node.js Minimal image uses Photon 5 as its base. As a lightweight, distroless Linux distribution, it provides a substantial security boost by implementing this very strategy.
FIPS Compliance
Bitnami Secure Images are built for comprehensive security and compliance, adhering to rigorous standards like FIPS 140-2, SLSA Level 3, and STIG guidelines. This provides a robust foundation, allowing teams to deploy applications that must meet these crucial government and industry security requirements confidently. The bitnamisecure/node-min:latest image is a perfect example of this.
To verify FIPS compliance, we'll build a sample application. It will use crypto.getFips(), which returns 1 if a FIPS-compliant crypto provider is currently in use:
const crypto = require('crypto');
console.log('Is FIPS mode enabled? ' + (crypto.getFips() === 1));
To run this sample, execute the code below:
$ docker run --rm -it -v ./checkfips.js:/app/checkfips.js --name checkfips bitnamisecure/node-min:latest checkfips.js
Is FIPS mode enabled? true
This result confirms that FIPS compliance is enabled by default, ensuring your application meets this critical requirement for regulated industries without any extra configuration.
Comparative Analysis: Size and Security
Now let’s compare the BSI Node.js Minimal image with other popular solutions, including official Node.js images and other alternatives.
The graph below shows the different sizes of the compared images:
Next, to evaluate the security of the bitnamisecure/node-min:latest image, we're going to run a vulnerability scan with Trivy, a widely-used tool that analyzes Docker images and other artifacts for known vulnerabilities:
$ trivy image -q bitnamisecure/node-min:latest
bitnamisecure/node-min:latest (photon 5.0)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
As demonstrated, the bitnamisecure/node-min:latest image represents the most minimal option, with the added benefit of having zero reported CVEs.
Conclusions
The ideal Docker image for Node.js applications strikes a balance between size and security. The bitnamisecure/node-min:latest image excels as the optimal choice because it offers the smallest footprint with the lowest number of CVEs.
This image is particularly well-suited for regulated industries, as it's built to comply with strict regulations like FIPS 140-2 and 140-3. This streamlines compliance and enables confident, secure deployments in environments where efficiency and minimal exposure are critical.
Ready to build more secure, efficient, and compliant applications? Get all the Node.js versions, other popular runtimes, and also ready-to-deploy Helm charts, all available in the Bitnami Secure Images catalog. Reach out to us to learn more!