DEV Community

Cover image for Day 6 — The Audit
Mohammad-Ali A'RÂBI
Mohammad-Ali A'RÂBI

Posted on

Day 6 — The Audit

#docker #kubernetes #security #adventofcode

Previously on Black Forest Shadow…

  • Day 1: Gord recruits Rothütle in Zum Roten Bären to help track Jack the Miner.
  • Day 2: A forged, typewritten letter lures Rothütle — revealing someone wants him out of Freiburg.
  • Day 3: Carl Benz is already gone; Gord avoids Böhler’s omnibus for secrecy, and they exit through Schwabentor.
  • Day 4: Night in Kirchzarten — Gord keeps vigil, sensing unseen threats.
  • Day 5: The valley toward Oberried distorts, fog bending distance and sound.

The forest is no longer behaving like nature — and Jack is ahead of them.

By late morning, the fog loosens its grip. The valley widens, and the clustered roofs of Oberried come into view — quiet, frost-tipped, almost watchful.

Gord halts at the edge of the village and nods toward Rothütle’s pack.

“Your bag is rather heavy,” she says. “And noisy. Let me check it.”

Rothütle hesitates. “It’s just my things.”

“In the deep forest,” she replies, kneeling beside a mossy stone, “weight slows you down — and noise draws the wrong attention.”

Reluctantly, he hands it over. Gord examines the contents with calm precision: a notebook, spare shirt, ink bottle, three pens, and a carefully wrapped pastry.

She lifts the pastry.

“For morale,” he offers.

“For animals,” she says, setting it aside. “And possibly worse.”

One by one, she removes anything that could rattle, crumble, leak, or leave a trace.

“The corrupted parts of the forest use what you carry against you,” she adds. “And Jack knows how to track by traces.”

Rothütle watches his pack grow unnervingly light.

“I feel exposed.”

“Good,” Gord replies, repacking only what matters. “A quiet burden keeps you alive.”

Tip of the day: Removing unnecessary components makes your images safer.

Security Tip #6 — Image Hardening

Gord’s audit is image hardening in story form: reduce weight, reduce noise, reduce risk.

Every unnecessary package inside a container becomes:

  • another dependency to patch,
  • another hiding place for vulnerabilities,
  • another clue an attacker can use to understand your system.

Just as Gord reduces Rothütle’s burden, image hardening reduces your container's attack surface.

How to harden your images

  • Start from minimal base images (distroless, slim, Alpine, Docker Hardened Images).
  • Use multi-stage builds so only compiled artifacts reach the final image.
  • Remove “just in case” tools — no shells, curl, ping, nano unless absolutely needed.
  • Prefer rebuilt clean images over patched ones.
  • Scan images regularly.

Example 1: Docker Hardened Images 

FROM gord/dhi-python:3.13

# Copy only necessary application files
COPY app/ /app/
WORKDIR /app/
CMD ["python", "main.py"]
Enter fullscreen mode Exit fullscreen mode

DHI is a set of near-zero-CVE base images maintained by Docker, designed for production workloads.

Example 2: Alpine Minimal Base Image 

FROM alpine:3.19
# Install only the package needed to run the app, then remove build cache
RUN apk --no-cache add python3

# Copy the application
COPY app/ /app/
WORKDIR /app/
CMD ["python3", "main.py"]
Enter fullscreen mode Exit fullscreen mode

Alpine Linux is a small, security-oriented Linux distribution often used for minimal container images. Named after the Alpine mountains, that are not too far away from the Black Forest.

Example 3: Multi-Stage Build 

# Stage 1: The Build Stage (contains heavy build tools)
FROM golang:1.21-alpine AS builder
WORKDIR /src
COPY . .
RUN go build -o /usr/local/bin/myapp ./cmd/

# Stage 2: The Final Runtime Stage (minimal, hardened)
FROM alpine:3.19
# Copy only the compiled binary from the builder stage
COPY --from=builder /usr/local/bin/myapp /usr/local/bin/myapp
# No shell or Go dependencies are carried over, only the single binary.
CMD ["/usr/local/bin/myapp"]
Enter fullscreen mode Exit fullscreen mode

A quiet image behaves like a quiet traveler:

harder to detect, harder to exploit, and far more resilient.

Teaser for Day 7 — Deeper into the Dark

Tomorrow, Gord and Rothütle leave Oberried behind and step into the true forest — where light thins, shadows thicken, and Gord prepares her blade with a ritual Rothütle has never seen.

And something watches them from between the pines.

📘 Learn Docker and Kubernetes Security

My book Docker and Kubernetes Security is currently 40% off for Christmas.

🔗 buy.DockerSecurity.io

💬 Code: BLACKFOREST25

👉 To have the story delivered to your inbox every day in December, subscribe to my Medium publications.

Top comments (0)