implementing-container-image-minimal-base-with-distroless
Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.
# Implementing Container Image Minimal Base with Distroless

## Overview

Google distroless images contain only your application and its runtime dependencies, without package managers, shells, or other programs found in standard Linux distributions. By eliminating unnecessary OS components, distroless images achieve up to 95% reduction in attack surface compared to traditional base images like ubuntu or debian. Major projects including Kubernetes itself, Knative, and Tekton use distroless images in production. As of 2025, Docker also offers Hardened Images (DHI) as an open-source alternative for minimal container bases.

## When to Use

- When deploying or configuring distroless base images for the containers in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation

## Prerequisites

- Docker 20.10+ or compatible container build tool (Buildah, Kaniko)
- Multi-stage Dockerfile knowledge
- Application compiled as a static binary or with runtime bundled
- Container registry for image storage

## Available Distroless Images

| Image | Use Case | Size |
|-------|----------|------|
| `gcr.io/distroless/static-debian12` | Statically compiled binaries (Go, Rust) | ~2MB |
| `gcr.io/distroless/base-debian12` | Dynamically linked binaries needing glibc | ~20MB |
| `gcr.io/distroless/cc-debian12` | C/C++ applications needing libstdc++ | ~25MB |
| `gcr.io/distroless/java21-debian12` | Java 21 applications | ~220MB |
| `gcr.io/distroless/python3-debian12` | Python 3 applications | ~50MB |
| `gcr.io/distroless/nodejs22-debian12` | Node.js 22 applications | ~130MB |

## Multi-Stage Build Patterns

### Go Application

```dockerfile
# Build stage
FROM golang:1.22-bookworm AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a fully static binary, which the static image (no libc) requires
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server

# Runtime stage - static distroless
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /server /server
USER nonroot:nonroot
# Exec form is mandatory: there is no /bin/sh to interpret a shell-form ENTRYPOINT
ENTRYPOINT ["/server"]
```

### Java Application

```dockerfile
# Build stage
FROM maven:3.9-eclipse-temurin-21 AS builder
WORKDIR /app
COPY pom.xml .
RUN mvn dependency:go-offline
COPY src ./src
RUN mvn package -DskipTests

# Runtime stage - Java distroless (the image's entrypoint is the JVM; the jar name follows <finalName> in pom.xml)
FROM gcr.io/distroless/java21-debian12:nonroot
COPY --from=builder /app/target/app.jar /app.jar
USER nonroot:nonroot
ENTRYPOINT ["java", "-jar", "/app.jar"]
```

### Python Application

```dockerfile
# Build stage - Python 3.11 matches the interpreter shipped by python3-debian12 (Debian 12),
# so compiled wheels installed into /deps load in the runtime stage
FROM python:3.11-bookworm AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --target=/deps -r requirements.txt
COPY . .

# Runtime stage - Python distroless
FROM gcr.io/distroless/python3-debian12:nonroot
WORKDIR /app
COPY --from=builder /deps /deps
COPY --from=builder /app /app
ENV PYTHONPATH=/deps
USER nonroot:nonroot
ENTRYPOINT ["python3", "/app/main.py"]
```

### Node.js Application

```dockerfile
# Build stage
FROM node:22-bookworm AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .

# Runtime stage - Node distroless (the image's entrypoint is the node binary, so CMD is the script)
FROM gcr.io/distroless/nodejs22-debian12:nonroot
WORKDIR /app
COPY --from=builder /app .
USER nonroot:nonroot
CMD ["server.js"]
```

## Security Benefits

### Attack Surface Comparison

| Component | Ubuntu | Alpine | Distroless |
|-----------|--------|--------|------------|
| Shell (bash/sh) | Yes | Yes | No |
| Package manager | apt | apk | No |
| coreutils | Full | BusyBox | No |
| curl/wget | Yes | Yes | No |
| User management | Yes | Yes | No |
| Known CVEs (typical) | 50-200+ | 5-20 | 0-5 |
| Image size (base) | ~77MB | ~7MB | ~2-20MB |

### Security Implications

- **No shell**: Attackers cannot exec into containers to run commands
- **No package manager**: Cannot install additional tools or malware
- **No coreutils**: No `cat`, `ls`, `find`, `curl` for reconnaissance
- **Minimal CVEs**: Fewer packages means fewer vulnerabilities to patch
- **Non-root by default**: `:nonroot` tag runs as UID 65534

## Debugging Distroless Containers

Since distroless has no shell, use these techniques for debugging:

### Debug Image Variant

```dockerfile
# Use debug variant in non-production environments only
FROM gcr.io/distroless/base-debian12:debug
# Includes busybox shell at /busybox/sh
```

```bash
# Exec into debug variant
kubectl exec -it pod-name -- /busybox/sh
```

### Ephemeral Debug Containers (Kubernetes 1.25+)

```bash
# Attach a debug container with full tooling
kubectl debug -it pod-name --image=busybox:1.36 --target=app-container
```

### Crane/Dive for Image Inspection

```bash
# Inspect image layers without running
crane export gcr.io/distroless/static-debian12 - | tar -tf - | head -50

# Analyze image layers
dive gcr.io/distroless/static-debian12
```

## Image Scanning Results

Typical vulnerability comparison using Trivy:

```bash
# Scan Ubuntu-based image
trivy image myapp:ubuntu
# Result: 47 vulnerabilities (3 CRITICAL, 12 HIGH)

# Scan Distroless-based image
trivy image myapp:distroless
# Result: 2 vulnerabilities (0 CRITICAL, 0 HIGH)
```

## References

- [GoogleContainerTools/distroless GitHub](https://github.com/GoogleContainerTools/distroless)
- [Distroless Images - Docker Documentation](https://docs.docker.com/dhi/core-concepts/distroless/)
- [Alpine, Distroless, or Scratch? - Google Cloud](https://medium.com/google-cloud/alpine-distroless-or-scratch-caac35250e0b)
- [Docker Hardened Images](https://www.infoq.com/news/2025/12/docker-hardened-images/)