Quenchworks

elixir

Runtime · Language runtime · standard · v1.18

0 fixable CVEs · nonroot · cosign signed · SPDX SBOM · SLSA provenance · amd64 · arm64

Hardened Elixir runtime on the BEAM, built on Erlang/OTP. Latest stable (1.18).

Image: ghcr.io/quenchworks/images/elixir:1.18
Signed: cosign keyless
SBOM: SPDX, on digest
Provenance: SLSA build
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Image size: 63.5 MB
SBOM packages: 17
Last rebuilt: 2026-06-14

Use it as a base image

Reference it in the FROM line of your Dockerfile. The image runs as nonroot with a read-only root filesystem and is built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/elixir:1.18

Or pull it directly

docker pull ghcr.io/quenchworks/images/elixir:1.18

Version line: 1.18
Latest line: 1.18
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: Apache-2.0

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/elixir:1.18 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/elixir:1.18 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/elixir:1.18 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.
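
The three checks above take a tag, and a tag can be re-pointed between the check and the build. As an added example (not QuenchWorks tooling), this script resolves the tag to a digest once, runs the same three checks against that digest, and prints a Dockerfile with its FROM lines pinned to it. It assumes crane, cosign and gh are installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not QuenchWorks code): verify by digest, then pin FROM to it.
set -eu

IMAGE="ghcr.io/quenchworks/images/elixir"
TAG="1.18"

# Resolve the mutable tag to a digest. Assumes `crane` is installed.
resolve_digest() {
  digest=$(crane digest "$1") || return 1
  # Fail closed on anything that is not a well-formed sha256 digest.
  printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || {
    echo "unexpected digest: $digest" >&2
    return 1
  }
  printf '%s\n' "$digest"
}

# The page's three checks, run against image@digest ($1). Any failure fails all.
verify_digest() {
  cosign verify "$1" \
    --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    >/dev/null &&
  gh attestation verify "oci://$1" --owner quenchworks >/dev/null &&
  gh attestation verify "oci://$1" --owner quenchworks \
    --predicate-type https://spdx.dev/Document >/dev/null
}

# Print Dockerfile $1 with "FROM image:tag" rewritten to "FROM image@digest" ($2).
pin_from_lines() {
  pat=$(printf '%s:%s' "$IMAGE" "$TAG" | sed 's/\./\\./g')
  sed -E "s#^(FROM[[:space:]]+)${pat}([[:space:]]|\$)#\1${IMAGE}@$2\2#" "$1"
}

main() {
  d=$(resolve_digest "$IMAGE:$TAG")
  verify_digest "$IMAGE@$d"
  pin_from_lines "$1" "$d"
}

# Usage: sh pin-verified.sh Dockerfile > Dockerfile.pinned
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Nothing is printed unless all three checks pass, so a CI step can build from the pinned output and stop on a non-zero exit.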

Best-practice Dockerfile for 1.18

Build a self-contained OTP release with mix in the build stage, then copy that release onto a clean elixir base. The release bundles the BEAM and your compiled app; only prod deps are included.

# Build stage: fetch deps and assemble a prod mix release.
FROM ghcr.io/quenchworks/images/elixir:1.18 AS build
USER root
WORKDIR /app
ENV MIX_ENV=prod \
    MIX_HOME=/tmp/mix \
    HEX_HOME=/tmp/hex
RUN ["mix", "local.hex", "--force"]
RUN ["mix", "local.rebar", "--force"]
COPY mix.exs mix.lock ./
RUN ["mix", "deps.get", "--only", "prod"]
RUN ["mix", "deps.compile"]
COPY . .
RUN ["mix", "release"]
# Runtime stage: copy the self-contained release onto a clean elixir base.
FROM ghcr.io/quenchworks/images/elixir:1.18 AS runtime
WORKDIR /app
ENV HOME=/tmp
COPY --from=build /app/_build/prod/rel/app ./
USER 1001
EXPOSE 4000
CMD ["bin/app", "start"]

This Dockerfile is pinned to the 1.18 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build hardened images guide.

Upstream project: https://elixir-lang.org