pinkpixel-dev/implementing-container-image-minimal-base-with-distroless
SKILLS/implementing-container-image-minimal-base-with-distroless/SKILL.md
Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.
$ install --global
skillsauthnpx skillsauth add pinkpixel-dev/skills-collection-2 implementing-container-image-minimal-base-with-distrolessInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 1:50 AM4.4s7 files scanned
SKILL.md
- name:
- implementing-container-image-minimal-base-with-distroless
- description:
- Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.
- domain:
- cybersecurity
- subdomain:
- container-security
- tags:
- [distroless, container-images, minimal-base, attack-surface, docker, security-hardening, supply-chain, kubernetes]
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Implementing Container Image Minimal Base with Distroless
Overview
Google distroless images contain only your application and its runtime dependencies, without package managers, shells, or other programs found in standard Linux distributions. By eliminating unnecessary OS components, distroless images achieve up to 95% reduction in attack surface compared to traditional base images like ubuntu or debian. Major projects including Kubernetes itself, Knative, and Tekton use distroless images in production. As of 2025, Docker also offers Hardened Images (DHI) as an open-source alternative for minimal container bases.
When to Use
- When deploying or configuring implementing container image minimal base with distroless capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Docker 20.10+ or compatible container build tool (Buildah, Kaniko)
- Multi-stage Dockerfile knowledge
- Application compiled as a static binary or with runtime bundled
- Container registry for image storage
Available Distroless Images
| Image | Use Case | Size |
|-------|----------|------|
| gcr.io/distroless/static-debian12 | Statically compiled binaries (Go, Rust) | ~2MB |
| gcr.io/distroless/base-debian12 | Dynamically linked binaries needing glibc | ~20MB |
| gcr.io/distroless/cc-debian12 | C/C++ applications needing libstdc++ | ~25MB |
| gcr.io/distroless/java21-debian12 | Java 21 applications | ~220MB |
| gcr.io/distroless/python3-debian12 | Python 3 applications | ~50MB |
| gcr.io/distroless/nodejs22-debian12 | Node.js 22 applications | ~130MB |
Multi-Stage Build Patterns
Go Application
# Build stage
FROM golang:1.22-bookworm AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server
# Runtime stage - static distroless
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /server /server
USER nonroot:nonroot
ENTRYPOINT ["/server"]
Java Application
# Build stage
FROM maven:3.9-eclipse-temurin-21 AS builder
WORKDIR /app
COPY pom.xml .
RUN mvn dependency:go-offline
COPY src ./src
RUN mvn package -DskipTests
# Runtime stage - Java distroless
FROM gcr.io/distroless/java21-debian12:nonroot
COPY --from=builder /app/target/app.jar /app.jar
USER nonroot:nonroot
ENTRYPOINT ["java", "-jar", "/app.jar"]
Python Application
# Build stage
FROM python:3.12-bookworm AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --target=/deps -r requirements.txt
COPY . .
# Runtime stage - Python distroless
FROM gcr.io/distroless/python3-debian12:nonroot
WORKDIR /app
COPY --from=builder /deps /deps
COPY --from=builder /app /app
ENV PYTHONPATH=/deps
USER nonroot:nonroot
ENTRYPOINT ["python3", "/app/main.py"]
Node.js Application
# Build stage
FROM node:22-bookworm AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .
# Runtime stage - Node distroless
FROM gcr.io/distroless/nodejs22-debian12:nonroot
WORKDIR /app
COPY --from=builder /app .
USER nonroot:nonroot
CMD ["server.js"]
Security Benefits
Attack Surface Comparison
| Component | Ubuntu | Alpine | Distroless | |-----------|--------|--------|-----------| | Shell (bash/sh) | Yes | Yes | No | | Package manager | apt | apk | No | | coreutils | Full | BusyBox | No | | curl/wget | Yes | Yes | No | | User management | Yes | Yes | No | | Known CVEs (typical) | 50-200+ | 5-20 | 0-5 | | Image size (base) | ~77MB | ~7MB | ~2-20MB |
Security Implications
- No shell: Attackers cannot exec into containers to run commands
- No package manager: Cannot install additional tools or malware
- No coreutils: No
cat,ls,find,curlfor reconnaissance - Minimal CVEs: Fewer packages means fewer vulnerabilities to patch
- Non-root by default:
:nonroottag runs as UID 65534
Debugging Distroless Containers
Since distroless has no shell, use these techniques for debugging:
Debug Image Variant
# Use debug variant in non-production environments only
FROM gcr.io/distroless/base-debian12:debug
# Includes busybox shell at /busybox/sh
# Exec into debug variant
kubectl exec -it pod-name -- /busybox/sh
Ephemeral Debug Containers (Kubernetes 1.25+)
# Attach a debug container with full tooling
kubectl debug -it pod-name --image=busybox:1.36 --target=app-container
Crane/Dive for Image Inspection
# Inspect image layers without running
crane export gcr.io/distroless/static-debian12 - | tar -tf - | head -50
# Analyze image layers
dive gcr.io/distroless/static-debian12
Image Scanning Results
Typical vulnerability comparison using Trivy:
# Scan Ubuntu-based image
trivy image myapp:ubuntu
# Result: 47 vulnerabilities (3 CRITICAL, 12 HIGH)
# Scan Distroless-based image
trivy image myapp:distroless
# Result: 2 vulnerabilities (0 CRITICAL, 0 HIGH)
References
- GoogleContainerTools/distroless GitHub
- Distroless Images - Docker Documentation
- Alpine, Distroless, or Scratch? - Google Cloud
- Docker Hardened Images
Related Skills
pinkpixel-dev/implementing-rapid7-insightvm-for-scanning
development
VerifiedTrustedCommunity
Deploy and configure Rapid7 InsightVM Security Console and Scan Engines for authenticated and unauthenticated vulnerability scanning across enterprise environments.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-kill-switch-detection
testing
VerifiedTrustedCommunity
Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-backup-strategy
testing
VerifiedTrustedCommunity
Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, air-gapped backup design, or backup recovery point objective configuration.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-purdue-model-network-segmentation
testing
VerifiedTrustedCommunity
Implement network segmentation based on the Purdue Enterprise Reference Architecture (PERA) model to separate industrial control system networks into hierarchical security zones from Level 0 physical process through Level 5 enterprise, enforcing strict traffic control between OT and IT domains.
1SKILL.mdUpdated May 29, 2026