envoyproxy/envoy

Publish official FIPS-enabled Docker image variant

Open

#45,812 opened on Jun 23, 2026

Labels: area/build, area/fips, enhancement, help wanted


Description

Title: Publish official FIPS-enabled Docker image variant

Description:

The Envoy build system already supports FIPS via --config=boringssl-fips and
--config=aws-lc-fips. The ask is to publish an additional image variant built
with one of those flags as part of the standard release pipeline — no codebase
changes required.

Desired behavior:

A -fips tagged image published alongside each standard release, e.g.:

envoyproxy/envoy:distroless-fips-v1.X.Y

Built with --config=aws-lc-fips (preferred — broader architecture support than
--config=boringssl-fips, which is Linux x86_64 only).

Scenario it enables:

Organizations with FIPS 140 compliance requirements currently have no official
path to a FIPS-enabled Envoy image. Existing options are either EOL (AWS App
Mesh prod-fips, discontinued September 2026), commercial-only (Tetrate,
Solo.io), or require teams to own and maintain a self-build pipeline.

Relevant links:

Contributor guide