attack-surface-reduction
Safeguard articles tagged "attack-surface-reduction" — guides, analysis, and best practices for software supply chain and application security.
8 articles
Minimal container images with ko: evaluating distroless Go builds
ko builds Go containers straight from source onto a shell-less distroless base with no Dockerfile — cutting attack surface, and debugging tools, at once.
Minimal Base Images for Security: A Practical Guide
Minimal base images cut CVE counts by up to 95% by shipping only what your app needs. Here is how to choose between distroless, Wolfi, Alpine, and scratch — and build on each safely.
Alpine vs Debian Base Image Security: Which Is Safer?
Alpine is tiny and dodged the xz backdoor; Debian has deeper security tracking and broader compatibility. Here is how the two base images actually compare on security — and how to harden either one.
Reducing the Attack Surface of Your Docker Images
Every binary, library, and shell in a Docker image is attack surface. Here is how to strip an image down to the bytes your app actually needs — and cut your CVE count by up to 95%.
Distroless container images explained
Distroless images cut container size by up to 90% and eliminate OS-level CVEs, but they don't secure app dependencies. Here's how they work and where they fall short.
Minimizing container attack surface
Container images ship 400+ CVEs on average but under 15% are reachable. Learn concrete, numbers-backed steps to cut container attack surface.
Attack surface reduction: practical strategies to minimiz...
Base images are one layer. Real attack surface reduction covers dependencies, build pipelines, and provenance too — here's what Chainguard's approach misses.
What is Attack Surface Reduction
Attack surface reduction means shrinking every entry point attackers can use—code, network, and identity. Here's how to define, measure, and act on it.