New for 2026: Image now published from ghcr.io
Enterprises using CircleCI will find that building executors is a common task. Having a dedicated resource, pre-configured and maintained with image testing frameworks, security scanning, and provenance tools will make for a consistent, quality experience.
Note: This image was previously published to Dockerhub as twdps/circleci-executor-builder. Beginning in February 2026, image is now released from ghcr.io/twplatformlabs/circleci-executor-builder.
The PSK builder includes common tools:
configuration testing
scanning
provenance
Review the build and CVE scan logs in the release assets for specific packages versions and known vulnerabilities (if any).
signature. Images are signed using cosign. Verify images using the twplatformlabs public key.
cosign verify --key cosign.pub twdps/circleci-executor-builder:alpine-2025.04provenance and bill of materials. For each published image, a provenance and Software Bill of Materials is generated by buildx and added as an attestation. Use common tools for inspection.
Or, use the from-manifest.sh script to print json versions of either to stdout.
This image has the following tagging scheme:
ghcr.io/twplatformlabs/circleci-executor-builder:[alpine | ubuntu]-<YYYY.MM>
ghcr.io/twplatformlabs/circleci-executor-builder::[alpine | ubuntu]-latest
ghcr.io/twplatformlabs/circleci-executor-builder:[alpine | ubuntu]-dev.SHA:0:7
-<YYYY.MM> - Release version of the image, referred to by the 4 digit year, dot, and a 2 digit month. For example 2025.04 would be the monthly tag from April 2025. This image is generated monthly, based on the then current release of the base image and related packages and provides a predictable fixed point for use in an executor Dockerfile. Review the build log in the pipeline artifacts for the specific image and package versions. Occasionally there will be interim patches released and you may see 2025.04.1 or addtional numbered versions.
-latest - generic tag that always points to the latest, monthly release image. Typically used by other recurring builds and not recommended for pipeline usage. Pin pipelines to specific month-tagged builds.
-dev.SHA:0:7 - is the latest development of the Base image. Built from the HEAD of the main branch. Intended to be used as a testing version of the image with the most recent changes.