Switching to Distroless Images Saved Me From 544 Vulnerabilities

Michael Gale
AWS in Plain English
3 min read · Apr 5, 2021


ECR Scan Details

I didn’t realize how many security vulnerabilities my Docker image had until AWS ECR scanned the image. Thankfully I was able to remove all of them by moving to distroless images.

Initially, I started with a very popular Linux distribution as a base image thinking that was a good starting point, resulting in 6 critical and 538 other vulnerabilities on a 318MB image.

Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings.

I then tried a different Linux distribution base image. Now I only had 15 medium and 34 other vulnerabilities on a 53MB image.

At this point I started thinking there must be a better way: not only are the images large, but the base images themselves come with a high number of security vulnerabilities.

That is when I discovered distroless images by Google. By building with distroless images the number of vulnerabilities found dropped from 544 to 0 and the Docker image size is now just over 4MB.

Distroless Images

If you are interested in learning more about distroless images follow the links below. They cover building images and best practices for building containers far better than I ever could.

Dockerfile for Go apps

Below is the Dockerfile from a demo app I created; the full source can be found here: https://github.com/mgale/examples/tree/main/cloudwatchlogs

This container is about 9MB in size.

# distroless/static ships no shell, package manager or libc, only the
# files a statically linked binary needs (CA certs, tzdata, /etc/passwd)
FROM gcr.io/distroless/static

# tzdata is present in the static image, so TZ is honoured by Go's time package
ENV TZ=America/Edmonton
# the binary is built outside this Dockerfile and copied in as-is
COPY cloudwatchlogs /cloudwatchlogs
CMD ["/cloudwatchlogs"]

As you can see, it is really simple to build secure images with distroless.
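The Dockerfile above assumes the Go binary has already been built on the host. The multi-stage version below, an added example rather than the demo repo's own Dockerfile, builds the binary inside the image with CGO disabled so it is fully static, then copies only that binary into distroless; it assumes the app has a go.mod and go.sum at its root and that the golang:1.22 and gcr.io/distroless/static:nonroot tags are acceptable for your build.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: compile a fully static Go binary so it needs no libc at runtime.
FROM golang:1.22 AS build
WORKDIR /src
# Copy module files first so dependency downloads are cached separately
# from source changes (assumes go.mod and go.sum exist in the repo).
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 removes the dependency on the C library; -trimpath and
# -s -w strip build paths, symbol tables and DWARF info, shrinking the binary.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/cloudwatchlogs .

# Stage 2: ship only the binary. distroless/static has no shell or package
# manager, so the scanner has no OS packages to match against CVEs, and the
# :nonroot tag runs the process as an unprivileged user (uid 65532).
FROM gcr.io/distroless/static:nonroot
ENV TZ=America/Edmonton
COPY --from=build /out/cloudwatchlogs /cloudwatchlogs
# Already the default for the :nonroot tag; stated explicitly so the intent
# survives if someone later changes the base image tag.
USER nonroot:nonroot
CMD ["/cloudwatchlogs"]
```

Because the final stage contains no shell, `docker exec -it <container> sh` will fail by design; use `docker run --rm -it --entrypoint /cloudwatchlogs` style invocations or a debug variant of the image for troubleshooting.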
