CG
SkillsImplementing Container Image Minimal Base with Distroless
Start Free
Back to Skills Library
Container & Cloud-Native Security🟡 Intermediate

Implementing Container Image Minimal Base with Distroless

Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.

3 min read9 code examples

Prerequisites

  • Docker 20.10+ or compatible container build tool (Buildah, Kaniko)
  • Multi-stage Dockerfile knowledge
  • Application compiled as a static binary or with runtime bundled
  • Container registry for image storage

Implementing Container Image Minimal Base with Distroless

Overview

Google distroless images contain only your application and its runtime dependencies, without package managers, shells, or other programs found in standard Linux distributions. By eliminating unnecessary OS components, distroless images achieve up to 95% reduction in attack surface compared to traditional base images like ubuntu or debian. Major projects including Kubernetes itself, Knative, and Tekton use distroless images in production. As of 2025, Docker also offers Hardened Images (DHI) as an open-source alternative for minimal container bases.

Prerequisites

  • Docker 20.10+ or compatible container build tool (Buildah, Kaniko)
  • Multi-stage Dockerfile knowledge
  • Application compiled as a static binary or with runtime bundled
  • Container registry for image storage

Available Distroless Images

ImageUse CaseSize
gcr.io/distroless/static-debian12Statically compiled binaries (Go, Rust)~2MB
gcr.io/distroless/base-debian12Dynamically linked binaries needing glibc~20MB
gcr.io/distroless/cc-debian12C/C++ applications needing libstdc++~25MB
gcr.io/distroless/java21-debian12Java 21 applications~220MB
gcr.io/distroless/python3-debian12Python 3 applications~50MB
gcr.io/distroless/nodejs22-debian12Node.js 22 applications~130MB

Multi-Stage Build Patterns

Go Application

# Build stage
FROM golang:1.22-bookworm AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server

# Runtime stage - static distroless
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /server /server
USER nonroot:nonroot
ENTRYPOINT ["/server"]

Java Application

# Build stage
FROM maven:3.9-eclipse-temurin-21 AS builder
WORKDIR /app
COPY pom.xml .
RUN mvn dependency:go-offline
COPY src ./src
RUN mvn package -DskipTests

# Runtime stage - Java distroless
FROM gcr.io/distroless/java21-debian12:nonroot
COPY --from=builder /app/target/app.jar /app.jar
USER nonroot:nonroot
ENTRYPOINT ["java", "-jar", "/app.jar"]

Python Application

# Build stage
FROM python:3.12-bookworm AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --target=/deps -r requirements.txt
COPY . .

# Runtime stage - Python distroless
FROM gcr.io/distroless/python3-debian12:nonroot
WORKDIR /app
COPY --from=builder /deps /deps
COPY --from=builder /app /app
ENV PYTHONPATH=/deps
USER nonroot:nonroot
ENTRYPOINT ["python3", "/app/main.py"]

Node.js Application

# Build stage
FROM node:22-bookworm AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .

# Runtime stage - Node distroless
FROM gcr.io/distroless/nodejs22-debian12:nonroot
WORKDIR /app
COPY --from=builder /app .
USER nonroot:nonroot
CMD ["server.js"]

Security Benefits

Attack Surface Comparison

ComponentUbuntuAlpineDistroless
Shell (bash/sh)YesYesNo
Package manageraptapkNo
coreutilsFullBusyBoxNo
curl/wgetYesYesNo
User managementYesYesNo
Known CVEs (typical)50-200+5-200-5
Image size (base)~77MB~7MB~2-20MB

Security Implications

  • No shell: Attackers cannot exec into containers to run commands
  • No package manager: Cannot install additional tools or malware
  • No coreutils: No cat, ls, find, curl for reconnaissance
  • Minimal CVEs: Fewer packages means fewer vulnerabilities to patch
  • Non-root by default: :nonroot tag runs as UID 65534

Debugging Distroless Containers

Since distroless has no shell, use these techniques for debugging:

Debug Image Variant

# Use debug variant in non-production environments only
FROM gcr.io/distroless/base-debian12:debug
# Includes busybox shell at /busybox/sh
# Exec into debug variant
kubectl exec -it pod-name -- /busybox/sh

Ephemeral Debug Containers (Kubernetes 1.25+)

# Attach a debug container with full tooling
kubectl debug -it pod-name --image=busybox:1.36 --target=app-container

Crane/Dive for Image Inspection

# Inspect image layers without running
crane export gcr.io/distroless/static-debian12 - | tar -tf - | head -50

# Analyze image layers
dive gcr.io/distroless/static-debian12

Image Scanning Results

Typical vulnerability comparison using Trivy:

# Scan Ubuntu-based image
trivy image myapp:ubuntu
# Result: 47 vulnerabilities (3 CRITICAL, 12 HIGH)

# Scan Distroless-based image
trivy image myapp:distroless
# Result: 2 vulnerabilities (0 CRITICAL, 0 HIGH)

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC6.1 (Logical Access), CC7.1 (Monitoring), CC8.1 (Change Management)
  • ISO 27001: A.14.2 (Secure Development), A.12.6 (Technical Vulnerability Mgmt)
  • NIST 800-53: CM-7 (Least Functionality), SI-2 (Flaw Remediation), SC-28 (Protection at Rest)
  • NIST CSF: PR.IP (Information Protection), PR.DS (Data Security)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add implementing-container-image-minimal-base-with-distroless

# Or load dynamically via MCP
grc.load_skill("implementing-container-image-minimal-base-with-distroless")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

References

  • GoogleContainerTools/distroless GitHub
  • Distroless Images - Docker Documentation
  • Alpine, Distroless, or Scratch? - Google Cloud
  • Docker Hardened Images

Use with Claw GRC Agents

This skill is fully compatible with Claw GRC's autonomous agent system. Deploy it to any registered agent via MCP, and every execution will be logged in the tamper-evident audit trail.

// Load this skill in your agent
npx claw-grc skills add implementing-container-image-minimal-base-with-distroless
// Or via MCP
grc.load_skill("implementing-container-image-minimal-base-with-distroless")

Tags

distrolesscontainer-imagesminimal-baseattack-surfacedockersecurity-hardeningsupply-chainkubernetes

Related Skills

Container & Cloud-Native Security

Performing Container Security Scanning with Trivy

3m·intermediate
Container & Cloud-Native Security

Implementing RBAC Hardening for Kubernetes

3m·intermediate
Container & Cloud-Native Security

Securing Container Registry with Harbor

3m·intermediate
Container & Cloud-Native Security

Securing Helm Chart Deployments

3m·intermediate
Container & Cloud-Native Security

Detecting Container Escape Attempts

5m·advanced
Container & Cloud-Native Security

Analyzing Kubernetes Audit Logs

3m·intermediate

Skill Details

Domain
Container & Cloud-Native Security
Difficulty
intermediate
Read Time
3 min
Code Examples
9

On This Page

OverviewPrerequisitesAvailable Distroless ImagesMulti-Stage Build PatternsSecurity BenefitsDebugging Distroless ContainersImage Scanning ResultsReferencesVerification CriteriaCompliance Framework MappingDeploying This Skill with Claw GRC

Deploy This Skill

Add this skill to your Claw GRC agent and start automating.

Get Started Free →