go 1.25

Runtime · Language runtime · standard · v1.25

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Hardened Go toolchain for builds; pair with a minimal base for the runtime. Latest 3 stable (1.24/1.25/1.26).

Version line

1.26 · latest 1.25 1.24

The latest line lives at the base page; older lines have their own page so you can pin and verify exactly that version.

Image

ghcr.io/quenchworks/images/go:1.25

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

251.0 MB

SBOM packages

Last rebuilt

2026-06-14

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/go:1.25

Or pull it directly

docker pull ghcr.io/quenchworks/images/go:1.25

Version line: 1.25
Latest line: 1.24, 1.25, 1.26
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: BSD-3-Clause

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/go:1.25 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/go:1.25 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/go:1.25 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build a Go or Rust binary → Image source

Best-practice Dockerfile for 1.25

The classic two-stage Go build: compile a fully static binary with CGO disabled on the go image, then copy that one file onto the tiny static base. No toolchain, no shell, no package manager in the final image.

ghcr.io/quenchworks/images/go:1.25 251.0 MB rebuilt 1 day ago 53 SBOM pkgs

1
# Build stage: compile a fully static binary.
2
FROM ghcr.io/quenchworks/images/go:1.25 AS build
3
USER root
4
WORKDIR /src
5
# CGO off makes the binary static; caches go to /tmp for the read-only rootfs.
6
ENV CGO_ENABLED=0 \
7
    GOOS=linux \
8
    GOCACHE=/tmp/gocache \
9
    GOMODCACHE=/tmp/gomodcache
10

11
COPY go.mod go.sum ./
12
RUN ["go", "mod", "download"]
13
COPY . .
14
RUN ["go", "build", "-trimpath", "-ldflags=-s -w", "-o", "/out/app", "./cmd/app"]
15

16
# Runtime stage: just the binary on the tiny static base, nonroot.
17
FROM ghcr.io/quenchworks/images/static
18
COPY --from=build /out/app /app
19
USER 1001
20
EXPOSE 8080
21
ENTRYPOINT ["/app"]

This Dockerfile is pinned to the 1.25 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a Go or Rust binary guide.

Upstream project: https://github.com/golang/go