{"id":13395184,"url":"https://github.com/firecracker-microvm/firecracker","last_synced_at":"2026-04-08T01:01:15.300Z","repository":{"id":37335924,"uuid":"107505869","full_name":"firecracker-microvm/firecracker","owner":"firecracker-microvm","description":"Secure and fast microVMs for serverless computing.","archived":false,"fork":false,"pushed_at":"2026-04-01T09:16:30.000Z","size":39017,"stargazers_count":33398,"open_issues_count":83,"forks_count":2323,"subscribers_count":345,"default_branch":"main","last_synced_at":"2026-04-01T11:28:00.803Z","etag":null,"topics":["containers","minimalist","open-source","oversubscription","rust","sandbox","serverless","virtual-machine","virtualization"],"latest_commit_sha":null,"homepage":"http://firecracker-microvm.io","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/firecracker-microvm.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-10-19T06:18:47.000Z","updated_at":"2026-04-01T09:14:56.000Z","dependencies_parsed_at":"2023-11-19T12:32:23.917Z","dependency_job_id":null,"html_url":"https://github.com/firecracker-microvm/firecracker","commit_stats":{"total_commits":6115,"total_committers":251,"mean_commits":"24.362549800796813","dds":0.8979558462796402,"last_synced_commit":"a364da806f8093e8d8ab1a8287be4a0efd4e4658"},"previous_names":[],"tags_count":104,"template":false,"template_full_name":null
,"purl":"pkg:github/firecracker-microvm/firecracker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/firecracker-microvm%2Ffirecracker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/firecracker-microvm%2Ffirecracker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/firecracker-microvm%2Ffirecracker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/firecracker-microvm%2Ffirecracker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/firecracker-microvm","download_url":"https://codeload.github.com/firecracker-microvm/firecracker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/firecracker-microvm%2Ffirecracker/sbom","scorecard":{"id":400741,"data":{"date":"2025-08-11","repo":{"name":"github.com/firecracker-microvm/firecracker","commit":"d974044cc10721dac10cb3722ad7a21e61150d56"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.7,"checks":[{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, 
vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/deny_dirty_cargo_locks.yml:1","Warn: no topLevel permission defined: .github/workflows/dependency_modification_check.yml:1","Warn: no topLevel permission defined: .github/workflows/send_pr_notification.yml:1","Warn: no topLevel permission defined: .github/workflows/send_release_notification.yml:1","Warn: no topLevel permission defined: .github/workflows/trigger_ab_tests.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge 
detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":8,"reason":"binaries present in source code","details":["Warn: binary detected: src/vmm/src/test_utils/mock_resources/test_elf.bin:1","Warn: binary detected: src/vmm/src/test_utils/mock_resources/test_noisy_elf.bin:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release 
artifact v1.12.1 not signed: https://api.github.com/repos/firecracker-microvm/firecracker/releases/227376636","Warn: release artifact v1.12.0 not signed: https://api.github.com/repos/firecracker-microvm/firecracker/releases/217019241","Warn: release artifact v1.11.0 not signed: https://api.github.com/repos/firecracker-microvm/firecracker/releases/206571629","Warn: release artifact v1.10.1 not signed: https://api.github.com/repos/firecracker-microvm/firecracker/releases/185149401","Warn: release artifact v1.10.0 not signed: https://api.github.com/repos/firecracker-microvm/firecracker/releases/184207689","Warn: release artifact v1.12.1 does not have provenance: https://api.github.com/repos/firecracker-microvm/firecracker/releases/227376636","Warn: release artifact v1.12.0 does not have provenance: https://api.github.com/repos/firecracker-microvm/firecracker/releases/217019241","Warn: release artifact v1.11.0 does not have provenance: https://api.github.com/repos/firecracker-microvm/firecracker/releases/206571629","Warn: release artifact v1.10.1 does not have provenance: https://api.github.com/repos/firecracker-microvm/firecracker/releases/185149401","Warn: release artifact v1.10.0 does not have provenance: https://api.github.com/repos/firecracker-microvm/firecracker/releases/184207689"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Info: Possibly incomplete results: error parsing shell code: invalid parameter name: .github/workflows/send_pr_notification.yml:12","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deny_dirty_cargo_locks.yml:10: update your workflow using 
https://app.stepsecurity.io/secureworkflow/firecracker-microvm/firecracker/deny_dirty_cargo_locks.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency_modification_check.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/firecracker-microvm/firecracker/dependency_modification_check.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_ab_tests.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/firecracker-microvm/firecracker/trigger_ab_tests.yml/main?enable=pin","Warn: containerImage not pinned by hash: tools/devctr/Dockerfile:1: pin your Docker image by updating public.ecr.aws/lts/ubuntu:24.04 to public.ecr.aws/lts/ubuntu:24.04@sha256:bd47de2dd50fdb528b59d3a3eff2d1a8618f8e1da8ed8e2daebda71da9c0062f","Warn: pipCommand not pinned by hash: tools/devctr/Dockerfile:23-43","Warn: pipCommand not pinned by hash: tools/devctr/Dockerfile:47-89","Warn: downloadThenRun not pinned by hash: tools/devctr/Dockerfile:119-151","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities 
detected","details":["Warn: Project is vulnerable to: RUSTSEC-2024-0436"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T20:01:44.366Z","repository_id":37335924,"created_at":"2025-08-18T20:01:44.366Z","updated_at":"2025-08-18T20:01:44.366Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31535203,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T16:28:08.000Z","status":"ssl_error","status_checked_at":"2026-04-07T16:28:06.951Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","minimalist","open-source","oversubscription","rust","sandbox","serverless","virtual-machine","virtualization"],"created_at":"2024-07-30T17:01:45.392Z","updated_at":"2026-04-08T01:01:15.291Z","avatar_url":"https://github.com/firecracker-microvm.png","language":"Rust","readme":"\u003cpicture\u003e\n   \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"docs/images/fc_logo_full_transparent-bg_white-fg.png\"\u003e\n   \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"docs/images/fc_logo_full_transparent-bg.png\"\u003e\n   \u003cimg alt=\"Firecracker Logo Title\" width=\"750\" 
src=\"docs/images/fc_logo_full_transparent-bg.png\"\u003e\n\u003c/picture\u003e\n\nOur mission is to enable secure, multi-tenant, minimal-overhead execution of\ncontainer and function workloads.\n\nRead more about the Firecracker Charter [here](CHARTER.md).\n\n## What is Firecracker?\n\nFirecracker is an open source virtualization technology that is purpose-built\nfor creating and managing secure, multi-tenant container and function-based\nservices that provide serverless operational models. Firecracker runs workloads\nin lightweight virtual machines, called microVMs, which combine the security and\nisolation properties provided by hardware virtualization technology with the\nspeed and flexibility of containers.\n\n## Overview\n\nThe main component of Firecracker is a virtual machine monitor (VMM) that uses\nthe Linux Kernel Virtual Machine (KVM) to create and run microVMs. Firecracker\nhas a minimalist design. It excludes unnecessary devices and guest-facing\nfunctionality to reduce the memory footprint and attack surface area of each\nmicroVM. This improves security, decreases the startup time, and increases\nhardware utilization. Firecracker has also been integrated in container\nruntimes, for example\n[Kata Containers](https://github.com/kata-containers/kata-containers) and\n[Flintlock](https://github.com/liquidmetal-dev/flintlock).\n\nFirecracker was developed at Amazon Web Services to accelerate the speed and\nefficiency of services like [AWS Lambda](https://aws.amazon.com/lambda/) and\n[AWS Fargate](https://aws.amazon.com/fargate/). 
Firecracker is open sourced\nunder [Apache version 2.0](LICENSE).\n\nTo read more about Firecracker, check out\n[firecracker-microvm.io](https://firecracker-microvm.github.io).\n\n## Getting Started\n\nTo get started with Firecracker, download the latest\n[release](https://github.com/firecracker-microvm/firecracker/releases) binaries\nor build it from source.\n\nYou can build Firecracker on any Unix/Linux system that has Docker running (we\nuse a development container) and `bash` installed, as follows:\n\n```bash\ngit clone https://github.com/firecracker-microvm/firecracker\ncd firecracker\ntools/devtool build\ntoolchain=\"$(uname -m)-unknown-linux-musl\"\n```\n\nThe Firecracker binary will be placed at\n`build/cargo_target/${toolchain}/debug/firecracker`. For more information on\nbuilding, testing, and running Firecracker, go to the\n[quickstart guide](docs/getting-started.md).\n\nThe overall security of Firecracker microVMs, including the ability to meet the\ncriteria for safe multi-tenant computing, depends on a well configured Linux\nhost operating system. A configuration that we believe meets this bar is\nincluded in [the production host setup document](docs/prod-host-setup.md).\n\n## Contributing\n\nFirecracker is already running production workloads within AWS, but it's still\nDay 1 on the journey guided by our [mission](CHARTER.md). There's a lot more to\nbuild and we welcome all contributions.\n\nTo contribute to Firecracker, check out the development setup section in the\n[getting started guide](docs/getting-started.md) and then the Firecracker\n[contribution guidelines](CONTRIBUTING.md).\n\n## Releases\n\nNew Firecracker versions are released via the GitHub repository\n[releases](https://github.com/firecracker-microvm/firecracker/releases) page,\ntypically every two or three months. 
A history of changes is recorded in our\n[changelog](CHANGELOG.md).\n\nThe Firecracker release policy is detailed [here](docs/RELEASE_POLICY.md).\n\n## Design\n\nFirecracker's overall architecture is described in\n[the design document](docs/design.md).\n\n## Features \u0026 Capabilities\n\nFirecracker consists of a single micro Virtual Machine Manager process that\nexposes an API endpoint to the host once started. The API is\n[specified in OpenAPI format](src/firecracker/swagger/firecracker.yaml). Read\nmore about it in the [API docs](docs/api_requests).\n\nThe **API endpoint** can be used to:\n\n- Configure the microVM by:\n  - Setting the number of vCPUs (the default is 1).\n  - Setting the memory size (the default is 128 MiB).\n  - Configuring a [CPU template](docs/cpu_templates/cpu-templates.md).\n- Add one or more network interfaces to the microVM.\n- Add one or more read-write or read-only disks to the microVM, each represented\n  by a file-backed block device.\n- Trigger a block device re-scan while the guest is running. This enables the\n  guest OS to pick up size changes to the block device's backing file.\n- Change the backing file for a block device, before or after the guest boots.\n- Configure rate limiters for virtio devices which can limit the bandwidth,\n  operations per second, or both.\n- Configure the logging and metric system.\n- `[BETA]` Configure the data tree of the guest-facing metadata service. 
The\n  service is only available to the guest if this resource is configured.\n- Add a [vsock socket](docs/vsock.md) to the microVM.\n- Add an [entropy device](docs/entropy.md) to the microVM.\n- Add a [pmem device](docs/pmem.md) to the microVM.\n- Configure and manage [memory hotplugging](docs/memory-hotplug.md).\n- Start the microVM using a given kernel image, root file system, and boot\n  arguments.\n- [x86_64 only] Stop the microVM.\n\n**Built-in Capabilities**:\n\n- Demand fault paging and CPU oversubscription enabled by default.\n- Advanced, thread-specific seccomp filters for enhanced security.\n- [Jailer](docs/jailer.md) process for starting Firecracker in production\n  scenarios; applies a cgroup/namespace isolation barrier and then drops\n  privileges.\n\n## Tested platforms\n\nWe test all combinations of:\n\n| Instance                                    | Host OS \u0026 Kernel | Guest Rootfs | Guest Kernel |\n| :------------------------------------------ | :--------------- | :----------- | :----------- |\n| m5n.metal (Intel Cascade Lake)              | al2 linux_5.10   | ubuntu 24.04 | linux_5.10   |\n| m6i.metal (Intel Ice Lake)                  | al2023 linux_6.1 |              | linux_6.1    |\n| m7i.metal-24xl (Intel Sapphire Rapids)      |                  |              |              |\n| m7i.metal-48xl (Intel Sapphire Rapids)      |                  |              |              |\n| **m8i.metal-48xl (Intel Granite Rapids)\\*** |                  |              |              |\n| **m8i.metal-96xl (Intel Granite Rapids)\\*** |                  |              |              |\n| m6a.metal (AMD Milan)                       |                  |              |              |\n| m7a.metal-48xl (AMD Genoa)                  |                  |              |              |\n| m6g.metal (Graviton 2)                      |                  |              |              |\n| m7g.metal (Graviton 3)                      |                  |              |    
          |\n| m8g.metal-24xl (Graviton 4)                 |                  |              |              |\n| m8g.metal-48xl (Graviton 4)                 |                  |              |              |\n\n**\\***: We **only** support AWS EC2 8th Gen Intel (\\*8i) instances using a 6.1\nhost kernel. This is due to poor kernel support for Granite Rapids CPUs on 5.10.\n\n## Known issues and Limitations\n\n- The `pl031` RTC device on aarch64 does not support interrupts, so guest\n  programs which use an RTC alarm (e.g. `hwclock`) will not work.\n\n## Performance\n\nFirecracker's performance characteristics are listed as part of the\n[specification documentation](SPECIFICATION.md). All specifications are a part\nof our commitment to supporting container and function workloads in serverless\noperational models, and are therefore enforced via continuous integration\ntesting.\n\n## Policy for Security Disclosures\n\nThe security of Firecracker is our top priority. If you suspect you have\nuncovered a vulnerability, contact us privately, as outlined in our\n[security policy document](SECURITY.md); we will immediately prioritize your\ndisclosure.\n\n## FAQ \u0026 Contact\n\nFrequently asked questions are collected in our [FAQ doc](FAQ.md).\n\nYou can get in touch with the Firecracker community in the following ways:\n\n- Security-related issues, see our [security policy document](SECURITY.md).\n- Chat with us on our\n  [Slack workspace](https://join.slack.com/t/firecracker-microvm/shared_invite/zt-2tc0mfxpc-tU~HYAYSzLDl5XGGJU3YIg)\n  _Note: most of the maintainers are on a European time zone._\n- Open a GitHub issue in this repository.\n- Email the maintainers at\n  [firecracker-maintainers@amazon.com](mailto:firecracker-maintainers@amazon.com).\n\nWhen communicating within the Firecracker community, please mind our\n[code of conduct](CODE_OF_CONDUCT.md).\n","funding_links":[],"categories":["Research Projects","Rust","Applications","NF Development Projects","应用程序 
Applications","Misc","Serverless","Uncategorized","Containers","HarmonyOS","应用 Applications","其他__大数据","12. Case Studies and Real-World Examples","应用","serverless","**Sandboxing Technologies Feature Matrix**","Repos","Projects","open-source","Tools","Related projects","Virtualization","Runtime","虚拟化","Serverless Platforms","\u003ca name=\"Rust\"\u003e\u003c/a\u003eRust","Agent Runtime Infrastructure","Software Development"],"sub_categories":["AMD","Virtualization","Blogs and Websites","虚拟化 Virtualization","Uncategorized","Windows Manager","网络服务_其他","Frameworks","12.1 Firecracker","虚拟化","**2.1. Micro-Virtual Machines (MicroVMs): Hardware-Level Isolation**","Security","Mesh networks","Books","Codex Resources","Cloud Native"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffirecracker-microvm%2Ffirecracker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffirecracker-microvm%2Ffirecracker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffirecracker-microvm%2Ffirecracker/lists"}