Stats
Actions
Tags
From cybersecurity-skills
Builds container images on Google distroless base images to reduce attack surface by eliminating shells, package managers, and unnecessary OS utilities. Useful for security hardening and supply chain risk reduction.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:implementing-container-image-minimal-base-with-distrolessThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Google distroless images contain only your application and its runtime dependencies, without package managers, shells, or other programs found in standard Linux distributions. By eliminating unnecessary OS components, distroless images achieve up to 95% reduction in attack surface compared to traditional base images like ubuntu or debian. Major projects including Kubernetes itself, Knative, and...
Google distroless images contain only your application and its runtime dependencies, without package managers, shells, or other programs found in standard Linux distributions. By eliminating unnecessary OS components, distroless images achieve up to 95% reduction in attack surface compared to traditional base images like ubuntu or debian. Major projects including Kubernetes itself, Knative, and Tekton use distroless images in production. As of 2025, Docker also offers Hardened Images (DHI) as an open-source alternative for minimal container bases.
| Image | Use Case | Size |
|---|---|---|
gcr.io/distroless/static-debian12 | Statically compiled binaries (Go, Rust) | ~2MB |
gcr.io/distroless/base-debian12 | Dynamically linked binaries needing glibc | ~20MB |
gcr.io/distroless/cc-debian12 | C/C++ applications needing libstdc++ | ~25MB |
gcr.io/distroless/java21-debian12 | Java 21 applications | ~220MB |
gcr.io/distroless/python3-debian12 | Python 3 applications | ~50MB |
gcr.io/distroless/nodejs22-debian12 | Node.js 22 applications | ~130MB |
# Build stage
FROM golang:1.22-bookworm AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server
# Runtime stage - static distroless
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /server /server
USER nonroot:nonroot
ENTRYPOINT ["/server"]
# Build stage
FROM maven:3.9-eclipse-temurin-21 AS builder
WORKDIR /app
COPY pom.xml .
RUN mvn dependency:go-offline
COPY src ./src
RUN mvn package -DskipTests
# Runtime stage - Java distroless
FROM gcr.io/distroless/java21-debian12:nonroot
COPY --from=builder /app/target/app.jar /app.jar
USER nonroot:nonroot
ENTRYPOINT ["java", "-jar", "/app.jar"]
# Build stage
FROM python:3.12-bookworm AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --target=/deps -r requirements.txt
COPY . .
# Runtime stage - Python distroless
FROM gcr.io/distroless/python3-debian12:nonroot
WORKDIR /app
COPY --from=builder /deps /deps
COPY --from=builder /app /app
ENV PYTHONPATH=/deps
USER nonroot:nonroot
ENTRYPOINT ["python3", "/app/main.py"]
# Build stage
FROM node:22-bookworm AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .
# Runtime stage - Node distroless
FROM gcr.io/distroless/nodejs22-debian12:nonroot
WORKDIR /app
COPY --from=builder /app .
USER nonroot:nonroot
CMD ["server.js"]
| Component | Ubuntu | Alpine | Distroless |
|---|---|---|---|
| Shell (bash/sh) | Yes | Yes | No |
| Package manager | apt | apk | No |
| coreutils | Full | BusyBox | No |
| curl/wget | Yes | Yes | No |
| User management | Yes | Yes | No |
| Known CVEs (typical) | 50-200+ | 5-20 | 0-5 |
| Image size (base) | ~77MB | ~7MB | ~2-20MB |
cat, ls, find, curl for reconnaissance:nonroot tag runs as UID 65534Since distroless has no shell, use these techniques for debugging:
# Use debug variant in non-production environments only
FROM gcr.io/distroless/base-debian12:debug
# Includes busybox shell at /busybox/sh
# Exec into debug variant
kubectl exec -it pod-name -- /busybox/sh
# Attach a debug container with full tooling
kubectl debug -it pod-name --image=busybox:1.36 --target=app-container
# Inspect image layers without running
crane export gcr.io/distroless/static-debian12 - | tar -tf - | head -50
# Analyze image layers
dive gcr.io/distroless/static-debian12
Typical vulnerability comparison using Trivy:
# Scan Ubuntu-based image
trivy image myapp:ubuntu
# Result: 47 vulnerabilities (3 CRITICAL, 12 HIGH)
# Scan Distroless-based image
trivy image myapp:distroless
# Result: 2 vulnerabilities (0 CRITICAL, 0 HIGH)
npx claudepluginhub costrict-plugins-repo/mukul975-anthropic-cybersecurity-skills-cybersecurity-skillsBuild minimal container images using Google distroless base images to eliminate unnecessary OS components and reduce attack surface. Supports multi-stage builds for Go, Java, Python, and Node.js.
Builds minimal container images using Google distroless bases to reduce attack surface by removing shells, package managers, and OS utilities for secure Docker/Kubernetes deployments.
Builds minimal container images using Google distroless bases to reduce attack surface by removing shells, package managers, and OS utilities for secure Docker/Kubernetes deployments.