Making containers smaller is the most popular practice when reducing your attack surface. But how real is this sense of security?
Building Docker images is an easy and accessible practice; perfecting them, however, is still an art that is challenging to master. In pursuit of the smallest, most secure and yet functional container images, developers find themselves resorting to distroless practices that usually involve complex tooling, deep distro knowledge and error-prone trimming strategies. In fact, such practices often discard the package manager and its metadata, opening a security blind spot: most vulnerability scanners rely on package manager metadata to detect the software components within the container image.
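To make the blind spot concrete, here is an added example (not code from the original post) that parses a constructed sample of the dpkg status database scanners read from, and shows that a trimmed image whose metadata was deleted yields an empty inventory even though its binaries may still be present. The package names and versions in the sample are constructed, not taken from any real image.

```python
"""Why a trimmed image can hide from metadata-driven vulnerability scanners."""

# Constructed sample of /var/lib/dpkg/status as found in a Debian/Ubuntu image.
FULL_IMAGE_STATUS = """\
Package: libexample1
Status: install ok installed
Version: 1.2.3-1
Architecture: amd64

Package: example-tools
Status: install ok installed
Version: 1.2.3-1
Architecture: amd64

Package: old-config
Status: deinstall ok config-files
Version: 0.9-2
Architecture: all
"""

# The same image after a naive trim that removed /var/lib/dpkg altogether:
# there is no status file left to read (constructed scenario).
TRIMMED_IMAGE_STATUS = None


def parse_dpkg_status(text):
    """Return {package: version} for every package recorded as installed.

    Stanzas are separated by blank lines; only entries whose Status ends in
    'installed' count, which mirrors how scanners build a component inventory.
    """
    inventory = {}
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields.get("Status", "").endswith(" installed"):
            inventory[fields["Package"]] = fields["Version"]
    return inventory


def inventory_for_image(status_text):
    """What a metadata-driven scanner would report for an image."""
    if status_text is None:
        return {}  # no metadata: binaries may still exist, but remain unseen
    return parse_dpkg_status(status_text)
```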
When you build a container image, you’re packaging your application, together with its dependencies, in a portable software unit that can later be deployed in isolation, without the need to virtualize an entire operating system.
Building container images is actually a very accessible practice nowadays. There’s an abundance of tools (e.g. Docker, Rockcraft, Buildah…) specifically for that purpose.