distroless
Safeguard articles tagged "distroless" — guides, analysis, and best practices for software supply chain and application security.
17 articles
Minimal container images with ko: evaluating distroless Go builds
ko builds Go containers straight from source onto a shell-less distroless base with no Dockerfile — cutting attack surface, and debugging tools, at once.
Building minimal, non-root Java containers with distroless and JVM hardening
A typical java:17 image ships a full OS and root shell; distroless plus JVM container-awareness flags cut that attack surface to almost nothing.
Distroless vs Alpine: Which Base Image Is More Secure?
Alpine is tiny and familiar; distroless is tinier and shell-free. The right choice depends on what you value more — debuggability or a minimal attack surface. Here is the honest tradeoff.
Choosing secure base images for containers
Base image choice drives most of your container's attack surface. Here's what secure Docker base images actually require, with concrete CVE data.
Alpine vs distroless: which base image is more secure
Alpine and distroless both shrink attack surface differently. We compare real CVEs, musl risks, and patch tradeoffs to settle which base image actually wins.
Best Container Base Images for Security in 2026
Chainguard, distroless, Alpine, UBI micro, Ubuntu chiseled, and scratch, compared on CVE counts, size, libc, and the operational costs nobody puts in the marketing.
How to Choose a Secure Base Image
Base image choice sets your CVE floor before any scanner runs. Here's how to evaluate footprint, patch cadence, provenance, and rebuild cycle.
The Minimal Base Image Myth: What Actually Reduces Attack Surface
Alpine, distroless, and scratch images don't automatically cut risk. The real attack-surface drivers are capabilities, root filesystem, network policies, and seccomp.
Alpine vs Distroless vs Ubuntu Base Images: Security Tradeoffs
Alpine is small, distroless is smaller, Ubuntu is comfortable. The real security question is CVE surface vs debuggability vs compatibility — with numbers.
Zero-CVE Images vs Hardening Your Own: Cost and Risk Compared
Buy zero-CVE base images or build hardened ones yourself? A cost-and-risk comparison with real numbers: engineering hours, subscription pricing, and CVE half-life.
Distroless Node.js 20 on Debian 12 Image Deep Dive
A deep dive into the gcr.io/distroless/nodejs20-debian12 image: contents, attack surface, real-world CVE exposure, and where it fits in production.
Why Choose Wolfi Linux: A Buyer Rationale for 2026
A clear-eyed look at Wolfi's value as a container base image distribution: glibc-based design, security defaults, build provenance, and where it does not fit.