New for 2026: Image now published from ghcr.io
Within most teams or organizations, every executor image will require a certain amount of common configuration regardless of the purpose for which it is built. The PSK base image, ghcr.io/twplatformlabs/circleci-base-image, is an example of such an image.
Packages that typically fall into this set of shared executor requirements include things like:
- nonroot USER definition
- tool for accessing secrets (such as Vault, chamber, 1password)
- standard shell (bash, zsh)
- multi-language support (locales)
- common dependencies for installing packages (curl, wget, unzip, common os build dependencies)
- Dependencies for common interaction with observability toling (buildevents)
Note: This image was previously published to Dockerhub as twdps/circleci-base-image. Beginning in February 2026, circleci-base-image is now released from ghcr.io/twplatformlabs.
Review the build and CVE scan logs in the release artifacts for specific packages versions and known vulnerabilities (if any).
signature. Images are signed using cosign. Verify images using the twplatformlabs public key.
cosign verify --key cosign.pub ghcr.io/twplatformlabs/circleci-base-image:alpine-2025.04provenance and bill of materials. For each published image, a provenance and Software Bill of Materials is generated by buildx and added as an attestation. Use common tools for inspection.
Or, use the from-manifest.sh script to print json versions of either to stdout.
This image has the following tagging scheme:
ghcr.io/twplatformlabs/circleci-base-image:[alpine | ubuntu]-<YYYY.MM>
ghcr.io/twplatformlabs/circleci-base-image:[alpine | ubuntu]-latest
ghcr.io/twplatformlabs/circleci-base-image:[alpine | ubuntu]-dev.SHA:0:7
-<YYYY.MM> - Release version of the image, referred to by the 4 digit year, dot, and a 2 digit month. For example 2026.02 would be the monthly tag from April 2025. This image is generated monthly, based on the then current release of the base image and related packages and provides a predictable fixed point for use in an executor Dockerfile. Review the build log in the pipeline artifacts for the specific image and package versions. Occasionally there will be interim patches released and you may see 2026.02.1 or addtional numbered versions.
-latest - generic tag that always points to the latest, monthly release image. Typically used by other recurring builds and not recommended for pipeline usage. Pin pipelines to specific month-tagged builds.
-dev.SHA:0:7 - is the latest development of the Base image. Built from the HEAD of the main branch. Intended to be used as a testing version of the image with the most recent changes.