Frequently asked questions

Everything about how customcontainer builds minimal, purpose-built PHP images from your composer.lock — image size, security updates, tooling and attack surface.

How can a customcontainer PHP image be so much smaller than the official Docker Hub image?

customcontainer images are assembled from your actual composer.lock dependencies. They contain the PHP runtime, the extensions your application really uses and the libraries those extensions link against — nothing else. No package manager, no shells or distro tooling unless you explicitly add them. The result is often a tenth of the size of a generic base image.

Do I need special tooling to pull customcontainer images?

No. Every account gets a private, standard OCI registry endpoint. You pull your image with plain docker pull or podman pull, exactly like any image from Docker Hub.

Does removing a PHP extension really improve security?

Yes. A vulnerability in an extension can only be exploited if that extension is present in the running image. Extensions like imap, imagick, phar or the XML stack have a long CVE history; if your application never uses them, shipping them only adds risk. customcontainer builds the image from your composer.lock, so extensions you don't use are simply not there.

What happens when a single PHP extension gets a security fix?

Every extension lives in its own image layer. When one extension or the library it links against gets a security fix, customcontainer rebuilds just the affected layer, publishes a new semver-tagged image version automatically and notifies you via webhook — usually within hours, without waiting for an upstream base-image rebuild or running your own build pipeline.

Which PHP extensions have the worst security track record?

The heaviest offenders parse untrusted input or deserialize data: imagick (ImageMagick), gd and exif for images, phar and wddx for deserialization, imap (RCE via imap_open) and the libxml/soap XML stack for XXE. Several — wddx, xmlrpc and imap — were considered risky enough that PHP itself removed or relocated them.
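
To see how far an existing image drifts from what your composer.lock declares, the following added example (not customcontainer's own code) compares the `ext-*` requirements in a lock file with the output of `php -m` and flags loaded extensions that nothing requires, highlighting the ones named above. The sample lock file, the sample module list and the built-in set are constructed assumptions.

```python
import json

# Extensions this page names as having a poor security track record.
HIGH_RISK = {"imagick", "gd", "exif", "phar", "wddx", "imap", "libxml", "soap", "xmlrpc"}
# Assumption: always compiled into PHP 8.x, so never removable.
BUILTIN = {"core", "date", "hash", "json", "pcre", "random", "reflection", "spl", "standard"}

def required_extensions(lock, include_dev=False):
    """Collect ext-* requirements from a parsed composer.lock."""
    names = set()
    for suffix in ("", "-dev") if include_dev else ("",):
        # Composer writes an empty platform section as [] instead of {}.
        names.update(lock.get("platform" + suffix) or {})
        for pkg in lock.get("packages" + suffix) or []:
            names.update(pkg.get("require") or {})
    return {n[4:].lower() for n in names if n.lower().startswith("ext-")}

def loaded_extensions(php_m_output):
    """Parse `php -m` output into Composer-style names (lowercase, dashes)."""
    lines = (line.strip() for line in php_m_output.splitlines())
    return {l.lower().replace(" ", "-") for l in lines if l and not l.startswith("[")}

def audit(lock, php_m_output):
    """Return extensions that are missing, unused, and unused with a CVE history."""
    loaded = loaded_extensions(php_m_output) - BUILTIN
    needed = required_extensions(lock) - BUILTIN
    unused = loaded - needed
    return {"missing": sorted(needed - loaded),
            "unused": sorted(unused),
            "unused_high_risk": sorted(unused & HIGH_RISK)}

# Constructed sample data, not taken from a real project or image.
SAMPLE_LOCK = json.loads("""{
  "packages": [{"name": "acme/lib",
                "require": {"php": ">=8.1", "ext-mbstring": "*", "ext-pdo": "*"}}],
  "packages-dev": [{"name": "acme/dev-tool", "require": {"ext-dom": "*"}}],
  "platform": {"php": "^8.2", "ext-json": "*", "ext-intl": "*"},
  "platform-dev": []
}""")
SAMPLE_PHP_M = """[PHP Modules]
Core\ndate\ngd\nimap\njson\nmbstring\nPDO\nPhar\nstandard\nZend OPcache

[Zend Modules]
Zend OPcache
"""

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOCK, SAMPLE_PHP_M), indent=2))
```

Treat the "unused" list as candidates for review rather than a verdict: application code can call extension functions without declaring the extension in composer.json, and such use does not appear in the lock file.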
