ReddRadar
Agent skill
implementing-container-image-minimal-base-with-distroless
Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.
Install this agent skill to your Project
npx add-skill https://github.com/autohandai/community-skills/tree/main/implementing-container-image-minimal-base-with-distroless
SKILL.md
Implementing Container Image Minimal Base with Distroless
Overview
Google distroless images contain only your application and its runtime dependencies, without package managers, shells, or other programs found in standard Linux distributions. By eliminating unnecessary OS components, distroless images achieve up to 95% reduction in attack surface compared to traditional base images like ubuntu or debian. Major projects including Kubernetes itself, Knative, and Tekton use distroless images in production. As of 2025, Docker also offers Hardened Images (DHI) as an open-source alternative for minimal container bases.
Prerequisites
- Docker 20.10+ or compatible container build tool (Buildah, Kaniko)
- Multi-stage Dockerfile knowledge
- Application compiled as a static binary or with runtime bundled
- Container registry for image storage
Available Distroless Images
| Image | Use Case | Size |
|---|---|---|
gcr.io/distroless/static-debian12 |
Statically compiled binaries (Go, Rust) | ~2MB |
gcr.io/distroless/base-debian12 |
Dynamically linked binaries needing glibc | ~20MB |
gcr.io/distroless/cc-debian12 |
C/C++ applications needing libstdc++ | ~25MB |
gcr.io/distroless/java21-debian12 |
Java 21 applications | ~220MB |
gcr.io/distroless/python3-debian12 |
Python 3 applications | ~50MB |
gcr.io/distroless/nodejs22-debian12 |
Node.js 22 applications | ~130MB |
Multi-Stage Build Patterns
Go Application
# Build stage
FROM golang:1.22-bookworm AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server
# Runtime stage - static distroless
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /server /server
USER nonroot:nonroot
ENTRYPOINT ["/server"]
Java Application
# Build stage
FROM maven:3.9-eclipse-temurin-21 AS builder
WORKDIR /app
COPY pom.xml .
RUN mvn dependency:go-offline
COPY src ./src
RUN mvn package -DskipTests
# Runtime stage - Java distroless
FROM gcr.io/distroless/java21-debian12:nonroot
COPY --from=builder /app/target/app.jar /app.jar
USER nonroot:nonroot
ENTRYPOINT ["java", "-jar", "/app.jar"]
Python Application
# Build stage
FROM python:3.12-bookworm AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --target=/deps -r requirements.txt
COPY . .
# Runtime stage - Python distroless
FROM gcr.io/distroless/python3-debian12:nonroot
WORKDIR /app
COPY --from=builder /deps /deps
COPY --from=builder /app /app
ENV PYTHONPATH=/deps
USER nonroot:nonroot
ENTRYPOINT ["python3", "/app/main.py"]
Node.js Application
# Build stage
FROM node:22-bookworm AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .
# Runtime stage - Node distroless
FROM gcr.io/distroless/nodejs22-debian12:nonroot
WORKDIR /app
COPY --from=builder /app .
USER nonroot:nonroot
CMD ["server.js"]
Security Benefits
Attack Surface Comparison
| Component | Ubuntu | Alpine | Distroless |
|---|---|---|---|
| Shell (bash/sh) | Yes | Yes | No |
| Package manager | apt | apk | No |
| coreutils | Full | BusyBox | No |
| curl/wget | Yes | Yes | No |
| User management | Yes | Yes | No |
| Known CVEs (typical) | 50-200+ | 5-20 | 0-5 |
| Image size (base) | ~77MB | ~7MB | ~2-20MB |
Security Implications
- No shell: Attackers cannot exec into containers to run commands
- No package manager: Cannot install additional tools or malware
- No coreutils: No
cat,ls,find,curlfor reconnaissance - Minimal CVEs: Fewer packages means fewer vulnerabilities to patch
- Non-root by default:
:nonroottag runs as UID 65534
Debugging Distroless Containers
Since distroless has no shell, use these techniques for debugging:
Debug Image Variant
# Use debug variant in non-production environments only
FROM gcr.io/distroless/base-debian12:debug
# Includes busybox shell at /busybox/sh
# Exec into debug variant
kubectl exec -it pod-name -- /busybox/sh
Ephemeral Debug Containers (Kubernetes 1.25+)
# Attach a debug container with full tooling
kubectl debug -it pod-name --image=busybox:1.36 --target=app-container
Crane/Dive for Image Inspection
# Inspect image layers without running
crane export gcr.io/distroless/static-debian12 - | tar -tf - | head -50
# Analyze image layers
dive gcr.io/distroless/static-debian12
Image Scanning Results
Typical vulnerability comparison using Trivy:
# Scan Ubuntu-based image
trivy image myapp:ubuntu
# Result: 47 vulnerabilities (3 CRITICAL, 12 HIGH)
# Scan Distroless-based image
trivy image myapp:distroless
# Result: 2 vulnerabilities (0 CRITICAL, 0 HIGH)
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
autohandai/community-skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
autohandai/community-skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
autohandai/community-skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
autohandai/community-skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
autohandai/community-skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
autohandai/community-skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?