ruby

Runtime · Language runtime · standard · v3.4

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Hardened Ruby interpreter + bundler. Latest 3 stable (3.2/3.3/3.4).

Version line

3.4 · latest 3.3 3.2

The latest line lives at the base page; older lines have their own page so you can pin and verify exactly that version.

Image

ghcr.io/quenchworks/images/ruby:3.4

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

48.1 MB

SBOM packages

104

Last rebuilt

2026-06-11

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/ruby:3.4

Or pull it directly

docker pull ghcr.io/quenchworks/images/ruby:3.4

Version line: 3.4
Latest line: 3.2, 3.3, 3.4
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: Ruby

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/ruby:3.4 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/ruby:3.4 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/ruby:3.4 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build hardened images → Image source

Best-practice Dockerfile for 3.4

Install gems with Bundler in deployment mode in the build stage, then copy the vendored bundle and app onto a clean ruby base. Native gem build tooling stays behind.

ghcr.io/quenchworks/images/ruby:3.4 48.1 MB rebuilt 4 days ago 104 SBOM pkgs

1
# Build stage: install gems in deployment mode (build deps included).
2
FROM ghcr.io/quenchworks/images/ruby:3.4 AS build
3
USER root
4
WORKDIR /app
5
ENV BUNDLE_PATH=/app/vendor/bundle \
6
    BUNDLE_DEPLOYMENT=true \
7
    BUNDLE_WITHOUT=development:test
8

9
COPY Gemfile Gemfile.lock ./
10
RUN ["bundle", "install"]
11
COPY . .
12

13
# Runtime stage: copy the vendored bundle + app onto a clean ruby base.
14
FROM ghcr.io/quenchworks/images/ruby:3.4 AS runtime
15
WORKDIR /app
16
ENV BUNDLE_PATH=/app/vendor/bundle \
17
    BUNDLE_DEPLOYMENT=true \
18
    BUNDLE_WITHOUT=development:test \
19
    GEM_HOME=/tmp/gem
20
COPY --from=build /app /app
21
USER 1001
22
EXPOSE 3000
23
CMD ["bundle", "exec", "ruby", "app.rb"]

This Dockerfile is pinned to the 3.4 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build hardened images guide.

Upstream project: https://github.com/ruby/ruby