Safeguard
Tag

distroless

Safeguard articles tagged "distroless" — guides, analysis, and best practices for software supply chain and application security.

17 articles

Container Security

Minimal container images with ko: evaluating distroless Go builds

ko builds Go containers straight from source onto a shell-less distroless base with no Dockerfile — cutting attack surface, and debugging tools, at once.

Jul 12, 20267 min read
Container Security

Building minimal, non-root Java containers with distroless and JVM hardening

A typical java:17 image ships a full OS and root shell; distroless plus JVM container-awareness flags cut that attack surface to almost nothing.

Jul 10, 20266 min read
Container Security

Distroless vs Alpine: Which Base Image Is More Secure?

Alpine is tiny and familiar; distroless is tinier and shell-free. The right choice depends on what you value more — debuggability or a minimal attack surface. Here is the honest tradeoff.

Jul 5, 20265 min read
Container Security

Choosing secure base images for containers

Base image choice drives most of your container's attack surface. Here's what secure Docker base images actually require, with concrete CVE data.

Jun 28, 20267 min read
Container Security

Alpine vs distroless: which base image is more secure

Alpine and distroless both shrink attack surface differently. We compare real CVEs, musl risks, and patch tradeoffs to settle which base image actually wins.

Jun 27, 20267 min read
Tools

Best Container Base Images for Security in 2026

Chainguard, distroless, Alpine, UBI micro, Ubuntu chiseled, and scratch, compared on CVE counts, size, libc, and the operational costs nobody puts in the marketing.

Jun 2, 20267 min read
Container Security

How to Choose a Secure Base Image

Base image choice sets your CVE floor before any scanner runs. Here's how to evaluate footprint, patch cadence, provenance, and rebuild cycle.

Mar 16, 20268 min read
Container Security

The Minimal Base Image Myth: What Actually Reduces Attack Surface

Alpine, distroless, and scratch images don't automatically cut risk. The real attack-surface drivers are capabilities, root filesystem, network policies, and seccomp.

Mar 3, 20267 min read
Engineering

Alpine vs Distroless vs Ubuntu Base Images: Security Tradeoffs

Alpine is small, distroless is smaller, Ubuntu is comfortable. The real security question is CVE surface vs debuggability vs compatibility — with numbers.

Mar 2, 20267 min read
Comparisons

Zero-CVE Images vs Hardening Your Own: Cost and Risk Compared

Buy zero-CVE base images or build hardened ones yourself? A cost-and-risk comparison with real numbers: engineering hours, subscription pricing, and CVE half-life.

Feb 25, 20266 min read
Container Security

Distroless Node.js 20 on Debian 12 Image Deep Dive

A deep dive into the gcr.io/distroless/nodejs20-debian12 image: contents, attack surface, real-world CVE exposure, and where it fits in production.

Feb 19, 20265 min read
Open Source Security

Why Choose Wolfi Linux: A Buyer Rationale for 2026

A clear-eyed look at Wolfi's value as a container base image distribution: glibc-based design, security defaults, build provenance, and where it does not fit.

Jan 29, 20266 min read
distroless — Safeguard Blog