From Dockerfiles to Distroless: Shrinking Container Attack Surface
A migration path from general-purpose base images to distroless containers with fewer vulnerabilities and clearer ownership.
Moving to distroless images is less about following a trend than about reducing unknown risk: every package that is not in the runtime image is one fewer component whose vulnerabilities you have to track.
Why teams delay this change
Most teams keep full Linux base images because they simplify debugging: a shell and a package manager are available inside the running container. The tradeoff is a larger package tree, more CVEs to triage, and slower patch cycles.
Migration pattern that works
- Keep build tooling in a dedicated builder stage.
- Copy only the final binary or compiled assets into the runtime image.
- Run as a non-root user by default.
- Attach an SBOM and sign the final image in CI.
Practical compromise
Use distroless in production and maintain a separate debug image variant for emergency investigations.
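The migration pattern above and the debug-variant compromise, as one added example (not from the original article): a multi-stage Dockerfile that builds a Go service in a builder stage, copies only the static binary into a distroless runtime image, runs as non-root, and adds a separate debug target. The Go module layout (`./cmd/app`), the port, and the image tags are assumptions; SBOM generation and signing happen in the CI pipeline after `docker build`, not in the Dockerfile.

```dockerfile
# syntax=docker/dockerfile:1

# --- Builder stage: full toolchain lives here and never ships ---
FROM golang:1.22 AS builder
WORKDIR /src
# Assumed module layout: go.mod/go.sum at the root, main package in ./cmd/app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static, stripped binary so the runtime image needs no libc or shared libraries
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# --- Production runtime: distroless static image (no shell, no package manager) ---
# The :nonroot tag defaults to uid/gid 65532; USER is stated explicitly anyway
FROM gcr.io/distroless/static-debian12:nonroot AS runtime
COPY --from=builder --chown=nonroot:nonroot /out/app /app
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/app"]

# --- Debug variant: same binary, same non-root user, plus a busybox shell ---
# Built only on demand for emergency investigations, never deployed by default
FROM gcr.io/distroless/static-debian12:debug-nonroot AS debug
COPY --from=builder --chown=nonroot:nonroot /out/app /app
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/app"]
```

Build the production image with `docker build --target runtime -t app:prod .` and the debug variant with `docker build --target debug -t app:debug .`; the CI step that produces the SBOM and signs the image should run against `app:prod` only.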