dotnet-runtime 8

Runtime · Runtime base · standard · v8

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Hardened .NET runtime for console and worker apps, no SDK. Build on the dotnet image, run here. Lines 8/9/10.

Version line

10 · latest 9 8

The latest line lives at the base page; older lines have their own page so you can pin and verify exactly that version.

Image

ghcr.io/quenchworks/images/dotnet-runtime:8

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

59.6 MB

SBOM packages

Last rebuilt

2026-06-11

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/dotnet-runtime:8

Or pull it directly

docker pull ghcr.io/quenchworks/images/dotnet-runtime:8

Version line: 8
Latest line: 8, 9, 10
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: MIT

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/dotnet-runtime:8 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/dotnet-runtime:8 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/dotnet-runtime:8 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build a .NET app → Image source

Best-practice Dockerfile for 8

dotnet-runtime is a runtime base you copy a published console or worker app onto, not something you build in. Here dotnet publish runs in an SDK build stage and the dotnet-runtime image is the final stage that runs it.

ghcr.io/quenchworks/images/dotnet-runtime:8 59.6 MB rebuilt 4 days ago 18 SBOM pkgs

1
# Build stage: restore and publish the worker/console app with the SDK.
2
FROM ghcr.io/quenchworks/images/dotnet:8 AS build
3
USER root
4
WORKDIR /src
5
ENV NUGET_PACKAGES=/tmp/nuget \
6
    DOTNET_CLI_TELEMETRY_OPTOUT=1
7

8
COPY ["Worker.csproj", "./"]
9
RUN ["dotnet", "restore", "Worker.csproj"]
10
COPY . .
11
RUN ["dotnet", "publish", "Worker.csproj", "-c", "Release", "-o", "/app/publish", "--no-restore"]
12

13
# This image is the final runtime stage: the plain .NET runtime, nonroot.
14
FROM ghcr.io/quenchworks/images/dotnet-runtime:8 AS runtime
15
WORKDIR /app
16
COPY --from=build /app/publish ./
17
USER 1001
18
ENTRYPOINT ["dotnet", "Worker.dll"]

This Dockerfile is pinned to the 8 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a .NET app guide.

Upstream project: https://github.com/dotnet/runtime