implementing-container-image-minimal-base-with-distroless
Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.
Best use case
implementing-container-image-minimal-base-with-distroless is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.
Teams using implementing-container-image-minimal-base-with-distroless should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-container-image-minimal-base-with-distroless/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-container-image-minimal-base-with-distroless Compares
| Feature / Agent | implementing-container-image-minimal-base-with-distroless | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Implementing Container Image Minimal Base with Distroless ## Overview Google distroless images contain only your application and its runtime dependencies, without package managers, shells, or other programs found in standard Linux distributions. By eliminating unnecessary OS components, distroless images achieve up to 95% reduction in attack surface compared to traditional base images like ubuntu or debian. Major projects including Kubernetes itself, Knative, and Tekton use distroless images in production. As of 2025, Docker also offers Hardened Images (DHI) as an open-source alternative for minimal container bases. ## When to Use - When deploying or configuring implementing container image minimal base with distroless capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Docker 20.10+ or compatible container build tool (Buildah, Kaniko) - Multi-stage Dockerfile knowledge - Application compiled as a static binary or with runtime bundled - Container registry for image storage ## Available Distroless Images | Image | Use Case | Size | |-------|----------|------| | `gcr.io/distroless/static-debian12` | Statically compiled binaries (Go, Rust) | ~2MB | | `gcr.io/distroless/base-debian12` | Dynamically linked binaries needing glibc | ~20MB | | `gcr.io/distroless/cc-debian12` | C/C++ applications needing libstdc++ | ~25MB | | `gcr.io/distroless/java21-debian12` | Java 21 applications | ~220MB | | `gcr.io/distroless/python3-debian12` | Python 3 applications | ~50MB | | `gcr.io/distroless/nodejs22-debian12` | Node.js 22 applications | ~130MB | ## Multi-Stage Build Patterns ### Go Application ```dockerfile # Build stage FROM golang:1.22-bookworm AS builder WORKDIR /app COPY go.mod go.sum ./ RUN go mod download COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server # Runtime stage - static distroless FROM gcr.io/distroless/static-debian12:nonroot COPY --from=builder /server /server USER nonroot:nonroot ENTRYPOINT ["/server"] ``` ### Java Application ```dockerfile # Build stage FROM maven:3.9-eclipse-temurin-21 AS builder WORKDIR /app COPY pom.xml . RUN mvn dependency:go-offline COPY src ./src RUN mvn package -DskipTests # Runtime stage - Java distroless FROM gcr.io/distroless/java21-debian12:nonroot COPY --from=builder /app/target/app.jar /app.jar USER nonroot:nonroot ENTRYPOINT ["java", "-jar", "/app.jar"] ``` ### Python Application ```dockerfile # Build stage FROM python:3.12-bookworm AS builder WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir --target=/deps -r requirements.txt COPY . . # Runtime stage - Python distroless FROM gcr.io/distroless/python3-debian12:nonroot WORKDIR /app COPY --from=builder /deps /deps COPY --from=builder /app /app ENV PYTHONPATH=/deps USER nonroot:nonroot ENTRYPOINT ["python3", "/app/main.py"] ``` ### Node.js Application ```dockerfile # Build stage FROM node:22-bookworm AS builder WORKDIR /app COPY package*.json ./ RUN npm ci --production COPY . . # Runtime stage - Node distroless FROM gcr.io/distroless/nodejs22-debian12:nonroot WORKDIR /app COPY --from=builder /app . USER nonroot:nonroot CMD ["server.js"] ``` ## Security Benefits ### Attack Surface Comparison | Component | Ubuntu | Alpine | Distroless | |-----------|--------|--------|-----------| | Shell (bash/sh) | Yes | Yes | No | | Package manager | apt | apk | No | | coreutils | Full | BusyBox | No | | curl/wget | Yes | Yes | No | | User management | Yes | Yes | No | | Known CVEs (typical) | 50-200+ | 5-20 | 0-5 | | Image size (base) | ~77MB | ~7MB | ~2-20MB | ### Security Implications - **No shell**: Attackers cannot exec into containers to run commands - **No package manager**: Cannot install additional tools or malware - **No coreutils**: No `cat`, `ls`, `find`, `curl` for reconnaissance - **Minimal CVEs**: Fewer packages means fewer vulnerabilities to patch - **Non-root by default**: `:nonroot` tag runs as UID 65534 ## Debugging Distroless Containers Since distroless has no shell, use these techniques for debugging: ### Debug Image Variant ```dockerfile # Use debug variant in non-production environments only FROM gcr.io/distroless/base-debian12:debug # Includes busybox shell at /busybox/sh ``` ```bash # Exec into debug variant kubectl exec -it pod-name -- /busybox/sh ``` ### Ephemeral Debug Containers (Kubernetes 1.25+) ```bash # Attach a debug container with full tooling kubectl debug -it pod-name --image=busybox:1.36 --target=app-container ``` ### Crane/Dive for Image Inspection ```bash # Inspect image layers without running crane export gcr.io/distroless/static-debian12 - | tar -tf - | head -50 # Analyze image layers dive gcr.io/distroless/static-debian12 ``` ## Image Scanning Results Typical vulnerability comparison using Trivy: ```bash # Scan Ubuntu-based image trivy image myapp:ubuntu # Result: 47 vulnerabilities (3 CRITICAL, 12 HIGH) # Scan Distroless-based image trivy image myapp:distroless # Result: 2 vulnerabilities (0 CRITICAL, 0 HIGH) ``` ## References - [GoogleContainerTools/distroless GitHub](https://github.com/GoogleContainerTools/distroless) - [Distroless Images - Docker Documentation](https://docs.docker.com/dhi/core-concepts/distroless/) - [Alpine, Distroless, or Scratch? - Google Cloud](https://medium.com/google-cloud/alpine-distroless-or-scratch-caac35250e0b) - [Docker Hardened Images](https://www.infoq.com/news/2025/12/docker-hardened-images/)
Related Skills
securing-container-registry-with-harbor
Harbor is an open-source container registry that provides security features including vulnerability scanning (integrated Trivy), image signing (Notary/Cosign), RBAC, content trust policies, replicatio
securing-container-registry-images
Securing container registry images by implementing vulnerability scanning with Trivy and Grype, enforcing image signing with Cosign and Sigstore, configuring registry access controls, and building CI/CD pipelines that prevent deploying unscanned or unsigned images.
scanning-docker-images-with-trivy
Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS packages, language-specific dependencies, misconfigurations, secrets, and license violati
scanning-containers-with-trivy-in-cicd
This skill covers integrating Aqua Security's Trivy scanner into CI/CD pipelines for comprehensive container image vulnerability detection. It addresses scanning Docker images for OS package and application dependency CVEs, detecting misconfigurations in Dockerfiles, scanning filesystem and git repositories, and establishing severity-based quality gates that block deployment of vulnerable images.
scanning-container-images-with-grype
Scan container images for known vulnerabilities using Anchore Grype with SBOM-based matching and configurable severity thresholds.
property-based-testing
Provides guidance for property-based testing across multiple languages and smart contracts. Use when writing tests, reviewing code with serialization/validation/parsing patterns, designing features, or when property-based testing would provide stronger coverage than example-based tests.
performing-sqlite-database-forensics
Perform forensic analysis of SQLite databases to recover deleted records from freelists and WAL files, decode encoded timestamps, and extract evidence from browser history, messaging apps, and mobile device databases.
performing-container-security-scanning-with-trivy
Scan container images, filesystems, and Kubernetes manifests for vulnerabilities, misconfigurations, exposed secrets, and license compliance issues using Aqua Security Trivy with SBOM generation and CI/CD integration.
performing-container-image-hardening
This skill covers hardening container images by minimizing attack surface, removing unnecessary packages, implementing multi-stage builds, configuring non-root users, and applying CIS Docker Benchmark recommendations to produce secure production-ready images.
performing-container-escape-detection
Detects container escape attempts by analyzing namespace configurations, privileged container checks, dangerous capability assignments, and host path mounts using the kubernetes Python client. Identifies CVE-2022-0492 style escapes via cgroup abuse. Use when auditing container security posture or investigating escape attempts.
implementing-zero-trust-with-hashicorp-boundary
Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential brokering, session recording, and Vault integration.
implementing-zero-trust-with-beyondcorp
Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP resources and internal applications.