Beyond Size: Don’t Panic at the Distroless
I don’t think I’m the first to tell you that containers have become an integral part of application deployments in the world of everything cloud-native. You don’t have to take my word for it — according to Gartner, by 2029, over 35% of all applications will run in containers. With containers growing more ubiquitous, we are seeing a continuous drive toward smaller, more secure container images. This has led to the concept of ‘distroless’ containers emerging as a popular approach.
The idea behind distroless is straightforward enough — take away everything unnecessary, leaving only the application and its absolute bare minimum runtime dependencies. It sounds great, right? Surely there aren’t any insidious risks lurking in the pursuit of smaller and smaller images, are there? The reality is that building distroless containers can introduce some subtle security challenges if proper caution is not exercised.
The Size Trap
We often fall into the trap of assuming that smaller automatically equals more secure — after all, it means a smaller attack surface. While reducing image size is a good security practice, it is not the whole story. The process of creating these lean and mean images can unintentionally create ‘blind spots’ in our security. Let us break down where these blind spots may appear.
Vulnerability scanners, the tools we often rely on to find potential weaknesses, depend on information tucked away in package manager metadata — the kind of data that tells the scanner what software components are actually inside the container. When building distroless images, developers often manually copy over only the files they believe are essential, an approach you could call ‘cherry-picking’. This is where the crucial metadata gets lost: the library and binary files arrive in the final image, but the package database that describes them does not, leaving scanners unable to do their job properly. The container might seem clean, but hidden vulnerabilities could be lurking, undetected. And in the security world, these undetected vulnerabilities — what we call ‘false negatives’ — are far more dangerous than false positives. A false positive might be annoying, but a hidden vulnerability is a huge problem.
So how do we navigate this landscape and build truly secure distroless containers? It is about more than just minimizing size. We need to change our thinking and consider security transparency as a core principle. Maintaining package manager metadata is critical. It is the key that unlocks the information scanners need to function properly. At the same time, we should not rely on a single scanner. Different scanners have different strengths, so using a variety of tools gives us a much better chance of catching potential problems.
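The blind spot described above can be reproduced in a few lines. The following is an added illustration, not code from the original article: a toy scanner that, like real scanners, reads `/var/lib/dpkg/status` rather than inspecting file contents, run against two constructed root filesystems that contain the identical library file. The package name, version and advisory id are placeholders invented for the example.

```python
"""Toy metadata-driven scanner showing the distroless false negative.

Added example, not code from the original article. The rootfs layouts,
the package name/version and the vulnerability feed are all constructed.
"""
import os
import tempfile

# Constructed vulnerability feed: (package, version) -> advisory ids.
# The ids are placeholders, not real advisory numbers.
VULN_DB = {
    ("libexample", "1.2.3-1"): ["PLACEHOLDER-ADVISORY-0001"],
}

# Constructed dpkg status stanza describing the library we copy in.
DPKG_STATUS = """\
Package: libexample
Status: install ok installed
Version: 1.2.3-1
Architecture: amd64
Description: constructed example library

"""


def installed_packages(rootfs):
    """Parse var/lib/dpkg/status under rootfs into (name, version) pairs.

    Returns an empty list when the file is absent, which is exactly how a
    metadata-driven scanner behaves on a cherry-picked image.
    """
    status = os.path.join(rootfs, "var/lib/dpkg/status")
    if not os.path.exists(status):
        return []
    packages = []
    with open(status, encoding="utf-8") as fh:
        for stanza in fh.read().split("\n\n"):
            fields = dict(
                line.split(": ", 1) for line in stanza.splitlines() if ": " in line
            )
            if "Package" in fields and "Version" in fields:
                packages.append((fields["Package"], fields["Version"]))
    return packages


def scan(rootfs):
    """Return the advisory ids a metadata-driven scanner would report."""
    findings = []
    for pkg in installed_packages(rootfs):
        findings.extend(VULN_DB.get(pkg, []))
    return findings


def has_library(rootfs):
    """True when the (constructed) vulnerable library is physically present."""
    return os.path.exists(os.path.join(rootfs, "usr/lib/libexample.so.1"))


def build_rootfs(keep_metadata):
    """Create a minimal rootfs holding the library; optionally keep dpkg data."""
    root = tempfile.mkdtemp(prefix="distroless-")
    libdir = os.path.join(root, "usr/lib")
    os.makedirs(libdir)
    with open(os.path.join(libdir, "libexample.so.1"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\0" * 12)  # ELF magic plus padding, constructed
    if keep_metadata:
        os.makedirs(os.path.join(root, "var/lib/dpkg"))
        with open(os.path.join(root, "var/lib/dpkg/status"), "w", encoding="utf-8") as fh:
            fh.write(DPKG_STATUS)
    return root


def compare():
    """Scan a cherry-picked rootfs and a metadata-preserving one side by side."""
    cherry_picked = build_rootfs(keep_metadata=False)
    with_metadata = build_rootfs(keep_metadata=True)
    return {
        "cherry_picked": scan(cherry_picked),
        "with_metadata": scan(with_metadata),
        "library_in_both": has_library(cherry_picked) and has_library(with_metadata),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:16s} -> {value}")
```

Both roots ship the same library bytes; only the one that kept `var/lib/dpkg/status` produces a finding. The empty result for the cherry-picked root is the false negative the section warns about: the scanner has nothing to look up, so it reports nothing.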
Tools of the Trade
A valuable tool for looking at the contents of your containers is the software bill of materials (SBOM). Think of it as a detailed inventory list, specifying all the software components within your image. A complete and accurate SBOM is vital for effective security. If your SBOM is incomplete or missing, it raises some serious concerns. It suggests that something is preventing a full accounting of your image’s contents. This could be due to missing or incomplete package manager metadata.
There are also specialized tools that can help streamline the process of building minimal images while preserving the necessary metadata. And do not forget the power of multi-stage builds. This technique allows us to use a full operating system distribution during the build process, ensuring we have access to all the necessary dependencies and metadata, before carefully selecting only the required artifacts for our final, minimal image.
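To make the multi-stage idea and the SBOM completeness check concrete, here is an added example (not code from the original article or from any named tool). It assumes a Debian-style dpkg database in the builder stage, that is `/var/lib/dpkg/status` plus one `/var/lib/dpkg/info/<package>.list` naming every path a package owns. Given the artifacts wanted in the final image, it computes which packages own them, carries over only those packages' metadata, and then audits the final root for files no package accounts for, which is the signal that an SBOM would be incomplete. The builder packages and file lists are constructed.

```python
"""Metadata-preserving copy plan for a multi-stage build, plus an audit.

Added example, not code from the original article. Package names, file
lists and the builder rootfs are constructed for illustration.
"""
import os
import shutil
import tempfile

# Constructed builder-stage package database: package -> files it owns.
BUILDER_PACKAGES = {
    "libexample": ["/usr/lib/libexample.so.1"],
    "libother": ["/usr/lib/libother.so.2"],
    "example-app": ["/usr/bin/app"],
}


def make_builder_rootfs():
    """Lay out a builder rootfs with files, .list files and a status file."""
    root = tempfile.mkdtemp(prefix="builder-")
    info = os.path.join(root, "var/lib/dpkg/info")
    os.makedirs(info)
    stanzas = []
    for pkg, files in BUILDER_PACKAGES.items():
        for path in files:
            full = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"\x7fELF")  # constructed placeholder content
        with open(os.path.join(info, pkg + ".list"), "w", encoding="utf-8") as fh:
            fh.write("\n".join(files) + "\n")
        stanzas.append(f"Package: {pkg}\nStatus: install ok installed\nVersion: 0.0-constructed\n")
    with open(os.path.join(root, "var/lib/dpkg/status"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(stanzas))
    return root


def owners(rootfs):
    """Map every package-owned path to its package, read from the .list files."""
    info = os.path.join(rootfs, "var/lib/dpkg/info")
    owned = {}
    if not os.path.isdir(info):
        return owned
    for name in os.listdir(info):
        if name.endswith(".list"):
            with open(os.path.join(info, name), encoding="utf-8") as fh:
                for line in fh:
                    if line.strip():
                        owned[line.strip()] = name[:-len(".list")]
    return owned


def plan_copy(builder_root, artifacts):
    """Return (packages, files): the packages owning the artifacts and the
    full set of paths to copy so the final image keeps scanner metadata."""
    owned = owners(builder_root)
    packages = sorted({owned[a] for a in artifacts if a in owned})
    files = set(artifacts)
    files.update(f"/var/lib/dpkg/info/{p}.list" for p in packages)
    return packages, sorted(files)


def write_status_subset(builder_root, packages, final_root):
    """Copy only the status stanzas of the selected packages; return the count."""
    with open(os.path.join(builder_root, "var/lib/dpkg/status"), encoding="utf-8") as fh:
        stanzas = [s for s in fh.read().split("\n\n") if s.strip()]
    keep = [s for s in stanzas
            if any(line == f"Package: {p}" for p in packages for line in s.splitlines())]
    os.makedirs(os.path.join(final_root, "var/lib/dpkg"), exist_ok=True)
    with open(os.path.join(final_root, "var/lib/dpkg/status"), "w", encoding="utf-8") as fh:
        fh.write("\n\n".join(keep) + "\n")
    return len(keep)


def assemble_final(builder_root, artifacts, keep_metadata=True):
    """Build the final-stage rootfs: artifacts only, or artifacts plus metadata."""
    final = tempfile.mkdtemp(prefix="final-")
    packages, files = plan_copy(builder_root, artifacts)
    for path in (files if keep_metadata else artifacts):
        src = os.path.join(builder_root, path.lstrip("/"))
        dst = os.path.join(final, path.lstrip("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy(src, dst)
    if keep_metadata:
        write_status_subset(builder_root, packages, final)
    return final


def unaccounted_binaries(rootfs):
    """Files under usr/ that no package in this rootfs claims: the sign that a
    metadata-derived SBOM will be incomplete."""
    owned = owners(rootfs)
    missing = []
    for dirpath, _, filenames in os.walk(os.path.join(rootfs, "usr")):
        for fn in filenames:
            rel = "/" + os.path.relpath(os.path.join(dirpath, fn), rootfs)
            if rel not in owned:
                missing.append(rel)
    return sorted(missing)


if __name__ == "__main__":
    builder = make_builder_rootfs()
    wanted = ["/usr/bin/app", "/usr/lib/libexample.so.1"]
    print("cherry-picked, unaccounted:", unaccounted_binaries(assemble_final(builder, wanted, False)))
    print("with metadata, unaccounted:", unaccounted_binaries(assemble_final(builder, wanted)))
```

The plan copies exactly the artifacts plus the `.list` and status entries for the packages that own them, so `libother` never reaches the final image while `libexample` and `example-app` remain visible to a scanner. Running `unaccounted_binaries` on the final root is the practical version of the SBOM check the section describes: an empty list means every file is explained by metadata, and any other result identifies the files a scanner will silently miss.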
The Mindset Shift: From Small to Secure
Building secure distroless containers is not just about making things smaller; it is about making them transparent. It is about ensuring that we have the information we need to identify and address potential vulnerabilities. By focusing on metadata, using a range of security tools and adopting a responsible build process, we can harness the benefits of distroless containers without sacrificing application security. It is a shift in the mindset, from simply chasing smaller images to prioritizing secure and transparent containers, no matter the size. So, while the world of distroless might seem perilous, remember — do not panic, just build your containers with security and transparency in mind.
KubeCon + CloudNativeCon EU 2025 is taking place in London from April 1-4. Register now.