Distroless images

Definition

Distroless images are container images that contain only the application and its runtime dependencies, excluding the operating system package manager and shell. This approach minimizes the attack surface by reducing the number of components that could potentially be exploited. Distroless images are particularly useful in production environments where security and efficiency are paramount, as they limit the tools available to an attacker who gains access to the container.
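One way to verify that an image actually is distroless, as an added example that is not part of the original page: export a container's root filesystem (for instance with `docker create` followed by `docker export ... | tar -x`) and scan it for the shells and package managers a distroless image should not carry. The path lists below are an assumption covering common Debian and Alpine layouts, not an exhaustive catalogue, and `check_distroless` is a name chosen here, not a tool the page refers to.

```shell
#!/bin/sh
# Added example, not from the original page: audit an exported container
# root filesystem for components that a distroless image should NOT contain.
#
# Typical use (docker CLI calls shown for illustration):
#   docker create --name probe IMAGE:TAG
#   mkdir rootfs && docker export probe | tar -xC rootfs
#   check_distroless rootfs

# Paths (relative to the rootfs) whose presence indicates a shell.
# Assumed list: common Debian/Alpine locations.
SHELL_PATHS="bin/sh bin/bash bin/dash bin/ash usr/bin/sh usr/bin/bash bin/busybox"

# Paths whose presence indicates a package manager (OS or language level).
PKGMGR_PATHS="usr/bin/apt usr/bin/apt-get usr/bin/dpkg sbin/apk usr/bin/yum usr/bin/dnf usr/bin/pip usr/bin/pip3"

# find_present ROOTFS PATH... : print each PATH that exists under ROOTFS.
# Dangling symlinks count too: they show a shell was there at build time.
find_present() {
    rootfs=$1
    shift
    for p in "$@"; do
        if [ -e "$rootfs/$p" ] || [ -L "$rootfs/$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# check_distroless ROOTFS : report every shell or package manager found.
# Returns 0 when the rootfs is clean, 1 when anything was found, so it can
# gate a CI step.
check_distroless() {
    rootfs=$1
    found=0
    for p in $(find_present "$rootfs" $SHELL_PATHS); do
        echo "shell present: /$p"
        found=1
    done
    for p in $(find_present "$rootfs" $PKGMGR_PATHS); do
        echo "package manager present: /$p"
        found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no shell or package manager found under $rootfs"
    fi
    return $found
}
```

The check is deliberately filesystem-based rather than relying on `docker exec`, which would fail in exactly the images it is meant to confirm; a non-zero exit from `check_distroless` is the signal that the final stage still inherited a shell or package tooling.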

Secure Settings Example

# Use a distroless base image for a Go application
# Stage 1: build the binary in a full Go toolchain image
FROM golang:1.17 AS builder
WORKDIR /app
# Copy the build context (go.mod, go.sum and sources) into the builder
COPY . .
RUN go build -o myapp

# Use distroless image for the final stage: no shell, no package manager,
# only the runtime files (glibc, CA certificates) the binary needs
FROM gcr.io/distroless/base-debian10
# Copy only the compiled binary out of the builder stage
COPY --from=builder /app/myapp /
CMD ["/myapp"]

Insecure Settings Example

# Use a full OS image with unnecessary packages
FROM ubuntu:20.04
WORKDIR /app
COPY . .
# Installs a compiler toolchain into the same image that ships to production
RUN apt-get update && apt-get install -y build-essential
RUN gcc -o myapp myapp.c
# The final image still carries a shell, apt and gcc alongside the application
CMD ["./myapp"]