`; resultsHTML += results .map((item) => { return `
${item.meta.title}

…${item.excerpt}…

`; }) .join(""); if (resultsLength > 5) { resultsHTML += `
Show all results
`; } searchBarResults.innerHTML = resultsHTML; } } searchBarInput.addEventListener("input", search); if (window.heap !== undefined) { searchBarResults.addEventListener('click', function (event) { if (event.target.tagName === 'A' && event.target.closest('.link')) { const searchQuery = event.target.getAttribute('data-query'); const resultIndex = event.target.getAttribute('data-index'); const url = new URL(event.target.href); const properties = { docs_search_target_path: url.pathname, docs_search_target_title: event.target.textContent, docs_search_query_text: searchQuery, docs_search_target_index: resultIndex, docs_search_source_path: window.location.pathname, docs_search_source_title: document.title, }; heap.track("Docs - Search - Click - Result Link", properties); } }); } });

Minimal or distroless images

Table of contents

Minimal images, sometimes called distroless images, are container images stripped of unnecessary components such as package managers, shells, or even the underlying operating system distribution. Docker Hardened Images (DHI) embrace this minimal approach to reduce vulnerabilities and enforce secure software delivery.

What are minimal or distroless images?

Traditional container images include a full OS, often more than what is needed to run an application. In contrast, minimal or distroless images include only:

  • The application binary
  • Its runtime dependencies (e.g., libc, Java, Python)
  • Any explicitly required configuration or metadata

They typically exclude:

  • OS tools (e.g., ls, ps, cat)
  • Shells (e.g., sh, bash)
  • Package managers (e.g., apt, apk)
  • Debugging utilities (e.g., curl, wget, strace)

Docker Hardened Images are based on this model, ensuring a smaller and more secure runtime surface.

What you gain

BenefitDescription
Smaller attack surfaceFewer components mean fewer vulnerabilities and less exposure to CVEs
Faster startupSmaller image sizes result in faster pull and start times
Improved securityLack of shell and package manager limits what attackers can do if compromised
Better complianceEasier to audit and verify, especially with SBOMs and attestations

Addressing common tradeoffs

Minimal and distroless images offer strong security benefits, but they can change how you work with containers. Docker Hardened Images are designed to maintain productivity while enhancing security.

ConcernHow Docker Hardened Images help
DebuggabilityHardened images exclude shells and CLI tools by default. Use Docker Debug to temporarily attach a debug sidecar for troubleshooting without modifying the original container.
FamiliarityDHI supports multiple base images, including Alpine and Debian variants, so you can choose a familiar environment while still benefiting from hardening practices.
FlexibilityRuntime immutability helps secure your containers. Use multi-stage builds and CI/CD to control changes, and optionally use dev-focused base images during development.

By balancing minimalism with practical tooling, Docker Hardened Images support modern development workflows without compromising on security or reliability.

Best practices for using minimal images

  • Use multi-stage builds to separate build-time and runtime environments
  • Validate image behavior using CI pipelines, not interactive inspection
  • Include runtime-specific dependencies explicitly in your Dockerfile
  • Use Docker Scout to continuously monitor for CVEs, even in minimal images

By adopting minimal or distroless images through Docker Hardened Images, you gain a more secure, predictable, and production-ready container environment that's designed for automation, clarity, and reduced risk.