DEV Community

丁久

Posted on • Originally published at dingjiu1989-hue.github.io

Container Image Security

This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.

Introduction

Container images are the building blocks of modern application deployment. An insecure base image or dependency can compromise every environment where the container runs. Securing the container supply chain requires attention to every layer — from the base image choice to runtime enforcement.

Minimal Base Images

Smaller base images reduce attack surface and vulnerability count.

```dockerfile
# BAD: Large base image with unnecessary tools
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y python3 curl wget git build-essential

# GOOD: Minimal Python image
FROM python:3.12-slim

# BETTER: Distroless — no package manager, no shell
FROM gcr.io/distroless/python3-debian12

# BEST: Scratch — completely empty, only your binary
FROM scratch
COPY my-compiled-binary /app/
```

```bash
# Compare image sizes
docker images --format "table {{.Repository}}\t{{.Tag}}\t{{.Size}}"
# ubuntu:22.04              → 77MB
# python:3.12               → 1.0GB
# python:3.12-slim          → 130MB
# gcr.io/distroless/python3 → 90MB
```

Alpine Considerations

```dockerfile
FROM alpine:3.19

# Install only what's needed
RUN apk add --no-cache \
    python3=~3.12 \
    ca-certificates

# Remove apk cache
RUN rm -rf /var/cache/apk/*
```

Note: Alpine uses musl libc instead of glibc, which can cause compatibility issues with Python wheels and compiled binaries.

Multi-Stage Builds

Multi-stage builds separate the build environment from the runtime environment, ensuring build tools and source code are not included in the final image.

```dockerfile
# Build stage
FROM golang:1.22 AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /app/server -ldflags="-s -w"

# Runtime stage
FROM gcr.io/distroless/static-debian1
```


Read the full article on AI Study Room for complete code examples, comparison tables, and related resources.

Found this useful? Check out more developer guides and tool comparisons on AI Study Room.
