grafana-loki

A horizontally scalable, multi-tenant log aggregation system inspired by Prometheus, indexing only labels and storing log content in cheap object storage like S3 or GCS.

loki, logs, grafana, observability

What is Grafana Loki?

The grafana-loki image runs Loki, a log aggregation system designed to be cost-efficient and easy to operate. Loki indexes only metadata (labels) rather than full log content, storing the actual log lines in cheap object storage like S3, GCS, or Azure Blob. It integrates natively with Grafana and is typically paired with Promtail, Fluent Bit, or Grafana Alloy as a log shipper.

What is Echo's Grafana Loki image?

Echo's grafana-loki image is a hardened build of the Loki server. Echo images are designed to be a drop-in replacement: change the FROM line in your Dockerfile and CVEs go to zero without breaking your app. Every image is tested across clouds, image use cases, and deployment targets. Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. Echo images are recognized by all major scanners and mirrored to all major registries, so they fit into existing pipelines without changing your registry, scanner, or runtime tooling.

What is the difference between Echo's Grafana Loki image and the public Grafana Loki image?

Public Loki images carry a Go binary on a base layer that brings unrelated CVEs. Because Loki is often deployed as a multi-component stack (distributor, ingester, querier, gateway), each unpatched CVE in the base shows up multiple times across your cluster. Echo's image keeps only what Loki needs at runtime, dropping the multiplied CVE count to zero. Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown - with vulnerabilities triaged within 24 hours.

FAQ

Can I replace my grafana-loki image with Echo's grafana-loki image?

Yes. Echo's grafana-loki image is a drop-in replacement. Update the FROM line in your Dockerfile (or the image reference in your manifests) and your application keeps working - the CVEs disappear, the behavior doesn't.

Is Echo's grafana-loki image FIPS-validated?

Yes. Echo's FIPS-validated images use cryptographic modules with an active FIPS 140-3 CMVP certificate, making them fit for federal use - unlike FIPS-compliant images that haven't been validated.

What is Echo's vulnerability management SLA on the grafana-loki image?

Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown - with vulnerabilities triaged within 24 hours. Patches are mirrored automatically into your private registry so you're always running a clean version.

Is Echo's grafana-loki image distroless?

Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells.

How does Echo achieve such a drastic CVE reduction in grafana-loki?

Echo grafana-loki is built from source with only the absolute essentials needed to run the workload, which significantly shrinks the attack surface. Echo also patches aggressively over time, with backports available so you can stay on the version that works for you without forcing a functional change for the sake of security.

Will Echo's grafana-loki image help us achieve FedRAMP?

Yes. The hard parts of FedRAMP - managing vulnerabilities, applying fixes, and using FIPS-validated cryptography - are baked into Echo images, including STIG-hardened configuration and ConMon/POA&M-ready reporting.
