bats

A TAP-compliant testing framework for Bash scripts, providing a simple way to write, organize, and run automated tests for shell scripts and command-line tools inside CI/CD pipelines.

What is Bats?

The Bats image packages the Bash Automated Testing System so you can run shell script tests inside containers without installing Bats and its dependencies on the host. Bats provides a bats test runner that executes .bats files — plain Bash scripts with a lightweight test syntax — and outputs TAP-compatible results that integrate with any CI system. It is the standard choice for teams that need to test shell scripts, CLI tools, container entrypoints, and infrastructure automation code in a reproducible, containerized environment. Bats is commonly used alongside tools like bats-support, bats-assert, and bats-file to build expressive, maintainable test suites for Bash-heavy codebases.

What is Echo's Bats image?

Echo's Bats image is a hardened build of Bats on Echo's hardened base. Echo images are designed to be a drop-in replacement: change the FROM line in your Dockerfile and CVEs go to zero without breaking your shell script test suite. Every image is tested across clouds, image use cases, and deployment targets. Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. For Bats specifically, the default variant is the natural fit — shell script testing by definition requires a shell, and the default variant gives you the full Bash environment your tests expect while still dropping the CVE count to zero.

What is the difference between Echo's Bats image and the public Bats image?

Public Bats images ship on general-purpose bases that carry OS-level packages your test runner doesn't need — contributing CVEs that your security team has to track on an image running in every CI pipeline that tests shell scripts. Echo's build trims the base to what Bats actually needs to discover and execute .bats files, removing those CVEs without changing test execution behavior or TAP output compatibility. As we covered in our post on container scanning best practices, CI tooling images are frequently overlooked in vulnerability programs despite running on every commit — making them a persistent, low-visibility risk. Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown — with vulnerabilities triaged within 24 hours. Echo images are recognized by all major scanners and mirrored to all major registries, so they fit into existing pipelines without changing your registry, scanner, or runtime tooling.

FAQ

Can I replace my Bats image with Echo's Bats image?

Yes. Echo's Bats image is a drop-in replacement. Update the FROM line in your Dockerfile or the image reference in your CI pipeline and your test suite keeps running — the CVEs disappear, the behavior doesn't. Test discovery, .bats file execution, TAP output, and helper library compatibility with bats-support, bats-assert, and bats-file all continue to work without any changes to your existing test code.

Is Echo's Bats image FIPS-validated?

Yes. Echo's FIPS-validated images use cryptographic modules with an active FIPS 140-3 CMVP certificate, making them fit for federal use — unlike FIPS-compliant images that haven't been validated. This matters for teams operating CI pipelines inside FedRAMP boundaries where every image in the build and test toolchain is in scope for compliance.

What is Echo's vulnerability management SLA on the Bats image?

Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown — with vulnerabilities triaged within 24 hours. Patches are mirrored automatically into your private registry so you're always running a clean version — important for a CI tooling image that runs on every commit across every pipeline that tests shell scripts.

Is Echo's Bats image distroless?

Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. For Bats, the default variant is typically the right choice — shell script testing requires a full Bash environment by nature. The default variant provides that environment while still delivering a zero-CVE image.

How does Echo achieve such a drastic CVE reduction in Bats?

Echo's Bats image is built from source with only the absolute essentials needed to run the shell testing workload, which significantly shrinks the attack surface. Echo also patches aggressively over time, with backports available so you can stay on the Bats version that works for your test suite without forcing a functional change for the sake of security.

Will Echo's Bats image help us achieve FedRAMP?

Yes. The hard parts of FedRAMP — managing vulnerabilities, applying fixes, and using FIPS-validated cryptography — are baked into Echo images, including STIG-hardened configuration and ConMon/POA&M-ready reporting. For teams operating CI pipelines under an ATO, Echo's hardened Bats image keeps the shell testing layer in-boundary and compliant.
