Quenchworks

perl

Runtime · Language runtime · standard · v5

0 fixable CVEs · nonroot · cosign signed · SPDX SBOM · SLSA provenance · amd64 · arm64

Hardened Perl interpreter for scripts and tooling. Latest stable (5).

Image: ghcr.io/quenchworks/images/perl:5
Signed: cosign keyless
SBOM: SPDX, on digest
Provenance: SLSA build
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Image size: 14.8 MB
SBOM packages: 12
Last rebuilt: 2026-06-05

Use it as a base image

Reference it in the FROM line of your Dockerfile. The image runs as nonroot, has a read-only root filesystem, and is built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/perl:5

Or pull it directly

docker pull ghcr.io/quenchworks/images/perl:5

Version line: 5
Latest line: 5
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: Artistic-1.0-Perl OR GPL-1.0+

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/perl:5 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/perl:5 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/perl:5 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.
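
The three checks above name the image by the tag :5, which can be re-pointed after you verify it. The following is an added example (not Quenchworks' own tooling) that runs the same checks against a sha256 digest and prints a digest-pinned FROM line only if all pass. The function names are hypothetical, and it assumes docker, cosign and gh are installed and that cosign and gh accept a digest reference.

```shell
#!/bin/sh
# Added example, not Quenchworks' own tooling: verify the digest, then pin it.
# A tag such as :5 can move between "verify" and "build"; a digest cannot.

IMAGE_TAG="ghcr.io/quenchworks/images/perl:5"

# pin_ref REF: echo REF only if it names an image by sha256 digest.
pin_ref() {
  if printf '%s\n' "$1" | grep -Eq '^[a-z0-9.:/_-]+@sha256:[0-9a-f]{64}$'; then
    printf '%s\n' "$1"
  else
    echo "refusing non-digest reference: $1" >&2
    return 1
  fi
}

# resolve_digest TAG: pull once, print repo@sha256:... as the local daemon recorded it.
# Assumes the image is known locally under one repository, so entry 0 is the right one.
resolve_digest() {
  docker pull --quiet "$1" >/dev/null &&
    docker inspect --format '{{index .RepoDigests 0}}' "$1"
}

# verify_pinned REF: run the page's three checks against the digest and, only if
# all of them pass, print the FROM line to paste into the Dockerfile.
verify_pinned() {
  vp_ref="$(pin_ref "$1")" || return 1
  cosign verify "$vp_ref" \
    --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    >/dev/null || return 1
  gh attestation verify "oci://$vp_ref" --owner quenchworks >/dev/null || return 1
  gh attestation verify "oci://$vp_ref" --owner quenchworks \
    --predicate-type https://spdx.dev/Document >/dev/null || return 1
  printf 'FROM %s\n' "$vp_ref"
}

# Usage: verify_pinned "$(resolve_digest "$IMAGE_TAG")"
```

Use the printed line in place of the tag-based FROM in both stages of the Dockerfile, so the build consumes exactly the bytes that were verified.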

Best-practice Dockerfile for 5

Install CPAN dependencies into a local lib with cpanm in the build stage, then copy that tree and the app onto a clean perl base.

# Build stage: install CPAN deps into a local lib (build deps included).
FROM ghcr.io/quenchworks/images/perl:5 AS build
USER root
WORKDIR /app
ENV PERL_CPANM_HOME=/tmp/cpanm
COPY cpanfile ./
RUN ["cpanm", "--notest", "--local-lib=/app/local", "--installdeps", "."]
COPY . .

# Runtime stage: copy the local lib + app onto a clean perl base.
FROM ghcr.io/quenchworks/images/perl:5 AS runtime
WORKDIR /app
ENV PERL5LIB=/app/local/lib/perl5 \
    PATH="/app/local/bin:$PATH"
COPY --from=build /app /app
USER 1001
EXPOSE 5000
CMD ["perl", "app.pl"]

This Dockerfile is pinned to the 5 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build hardened images guide.

Upstream project: https://www.perl.org