implementing-container-image-minimal-base-with-distroless | asi | ClaudePluginHub

Skill

implementing-container-image-minimal-base-with-distroless

From asi

Builds minimal container images using Google distroless bases to reduce attack surface by removing shells, package managers, and OS utilities for secure Docker/Kubernetes deployments.

$

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Google distroless images contain only your application and its runtime dependencies, without package managers, shells, or other programs found in standard Linux distributions. By eliminating unnecessary OS components, distroless images achieve up to 95% reduction in attack surface compared to traditional base images like ubuntu or debian. Major projects including Kubernetes itself, Knative, and...

SKILL.md

Similar Skills

implementing-container-image-minimal-base-with-distroless

5.9k

Builds minimal container images on Google distroless bases to reduce attack surface. Includes multi-stage Dockerfiles for Go, Java, Python, Node.js apps.

7 files

cybersecurity-skills

implementing-container-image-minimal-base-with-distroless

10

Builds minimal Docker images using Google Distroless bases for Go, Java, Python, Node.js apps to reduce container attack surface by eliminating shells, package managers, and OS tools. For secure K8s deployments.

7 files

cybersecurity-skills-zh

performing-container-image-hardening

16

Hardens Docker container images using multi-stage builds, distroless bases, non-root users, and CIS Benchmark to minimize attack surface for production deployments.

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

container-images

security-hardening

Help us improve

Share bugs, ideas, or general feedback.

Implementing Container Image Minimal Base with Distroless

Overview

Google distroless images contain only your application and its runtime dependencies, without package managers, shells, or other programs found in standard Linux distributions. By eliminating unnecessary OS components, distroless images achieve up to 95% reduction in attack surface compared to traditional base images like ubuntu or debian. Major projects including Kubernetes itself, Knative, and Tekton use distroless images in production. As of 2025, Docker also offers Hardened Images (DHI) as an open-source alternative for minimal container bases.

When to Use

When deploying or configuring implementing container image minimal base with distroless capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

Prerequisites

Docker 20.10+ or compatible container build tool (Buildah, Kaniko)
Multi-stage Dockerfile knowledge
Application compiled as a static binary or with runtime bundled
Container registry for image storage

Available Distroless Images

Image	Use Case	Size
`gcr.io/distroless/static-debian12`	Statically compiled binaries (Go, Rust)	~2MB
`gcr.io/distroless/base-debian12`	Dynamically linked binaries needing glibc	~20MB
`gcr.io/distroless/cc-debian12`	C/C++ applications needing libstdc++	~25MB
`gcr.io/distroless/java21-debian12`	Java 21 applications	~220MB
`gcr.io/distroless/python3-debian12`	Python 3 applications	~50MB
`gcr.io/distroless/nodejs22-debian12`	Node.js 22 applications	~130MB

Multi-Stage Build Patterns

Go Application

# Build stage
FROM golang:1.22-bookworm AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server

# Runtime stage - static distroless
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /server /server
USER nonroot:nonroot
ENTRYPOINT ["/server"]

Java Application

# Build stage
FROM maven:3.9-eclipse-temurin-21 AS builder
WORKDIR /app
COPY pom.xml .
RUN mvn dependency:go-offline
COPY src ./src
RUN mvn package -DskipTests

# Runtime stage - Java distroless
FROM gcr.io/distroless/java21-debian12:nonroot
COPY --from=builder /app/target/app.jar /app.jar
USER nonroot:nonroot
ENTRYPOINT ["java", "-jar", "/app.jar"]

Python Application

# Build stage
FROM python:3.12-bookworm AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --target=/deps -r requirements.txt
COPY . .

# Runtime stage - Python distroless
FROM gcr.io/distroless/python3-debian12:nonroot
WORKDIR /app
COPY --from=builder /deps /deps
COPY --from=builder /app /app
ENV PYTHONPATH=/deps
USER nonroot:nonroot
ENTRYPOINT ["python3", "/app/main.py"]

Node.js Application

# Build stage
FROM node:22-bookworm AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .

# Runtime stage - Node distroless
FROM gcr.io/distroless/nodejs22-debian12:nonroot
WORKDIR /app
COPY --from=builder /app .
USER nonroot:nonroot
CMD ["server.js"]

Security Benefits

Attack Surface Comparison

Component	Ubuntu	Alpine	Distroless
Shell (bash/sh)	Yes	Yes	No
Package manager	apt	apk	No
coreutils	Full	BusyBox	No
curl/wget	Yes	Yes	No
User management	Yes	Yes	No
Known CVEs (typical)	50-200+	5-20	0-5
Image size (base)	~77MB	~7MB	~2-20MB

Security Implications

No shell: Attackers cannot exec into containers to run commands
No package manager: Cannot install additional tools or malware
No coreutils: No cat, ls, find, curl for reconnaissance
Minimal CVEs: Fewer packages means fewer vulnerabilities to patch
Non-root by default: :nonroot tag runs as UID 65534

Debugging Distroless Containers

Since distroless has no shell, use these techniques for debugging:

Debug Image Variant

# Use debug variant in non-production environments only
FROM gcr.io/distroless/base-debian12:debug
# Includes busybox shell at /busybox/sh

# Exec into debug variant
kubectl exec -it pod-name -- /busybox/sh

Ephemeral Debug Containers (Kubernetes 1.25+)

# Attach a debug container with full tooling
kubectl debug -it pod-name --image=busybox:1.36 --target=app-container

Crane/Dive for Image Inspection

# Inspect image layers without running
crane export gcr.io/distroless/static-debian12 - | tar -tf - | head -50

# Analyze image layers
dive gcr.io/distroless/static-debian12

Image Scanning Results

Typical vulnerability comparison using Trivy:

# Scan Ubuntu-based image
trivy image myapp:ubuntu
# Result: 47 vulnerabilities (3 CRITICAL, 12 HIGH)

# Scan Distroless-based image
trivy image myapp:distroless
# Result: 2 vulnerabilities (0 CRITICAL, 0 HIGH)

References