@morepork

The alpine base image isn't needed as the statically linked Go binary runs fine without it. Using a scratch-based image reduces the number of vulnerabilities brought up by scanning tools in the alpine image, and makes the image a bit smaller.

Signed-off-by: Liam Byrne <morepork@tetrate.io>
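
A scratch image ships no dynamic loader, so the "statically linked" premise above can be checked by confirming the binary has no `PT_INTERP` segment. The following is an added example, not code from this PR or the project; `interpreter` and `sampleELF` are hypothetical names, and the ELF bytes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"strings"
)

// interpreter returns the dynamic loader path from the PT_INTERP segment,
// or "" when the ELF file has none (statically linked, loader-free).
func interpreter(r io.ReaderAt) (string, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return "", err
	}
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			b, err := io.ReadAll(p.Open())
			return strings.TrimRight(string(b), "\x00"), err
		}
	}
	return "", nil
}

// sampleELF builds a constructed header-only ELF64 image; a non-empty interp adds a PT_INTERP segment.
func sampleELF(interp string) []byte {
	h := elf.Header64{Type: uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64),
		Version: 1, Ehsize: 64, Phentsize: 56}
	copy(h.Ident[:], []byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), 1})
	var buf, seg bytes.Buffer
	if interp != "" {
		n := uint64(len(interp) + 1)
		h.Phoff, h.Phnum = 64, 1 // one program header right after the 64-byte ELF header
		binary.Write(&seg, binary.LittleEndian,
			&elf.Prog64{Type: uint32(elf.PT_INTERP), Off: 120, Filesz: n, Memsz: n})
		seg.WriteString(interp + "\x00")
	}
	binary.Write(&buf, binary.LittleEndian, &h)
	buf.Write(seg.Bytes())
	return buf.Bytes()
}

func main() {
	got, err := interpreter(bytes.NewReader(sampleELF("/lib/ld-musl-x86_64.so.1")))
	fmt.Printf("interp=%q err=%v\n", got, err)
}
```

For a real build artifact, pass the `*os.File` returned by `os.Open` to `interpreter`; a non-empty result means the binary expects a loader that a scratch image does not contain.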
@collin-lee
Contributor

Are we just using the Alpine image for the certs? I see the change considers that. I think this is okay @arkodg

@arkodg
Contributor

arkodg commented Oct 23, 2025

hey there seem to be multiple GH issues around this

my recommendation would be to add a new distroless variant, if this approach is taken, the decision to be made is

  • publish two images - one with a distroless- prefix in the tag and one without (alpine)
  • or publish one distroless image and rm alpine but that may break downstream users who have been relying on using the shell for debugging etc

@morepork
Author

morepork commented Oct 23, 2025

My preference would be to just switch to a distroless image. It would still be possible to debug via an ephemeral debug container.

Having 2 images would also be fine; we could go with <tag> and distroless-<tag> as Arko suggests, which would be consistent with Envoy, but in my experience that leads to a lot of people using the non-distroless variant when they should really be using the distroless one. I always prefer to see a secure-by-default approach. Another naming scheme I've seen is to have <tag> be distroless, and also having a <tag>-debug or <tag>-alpine.

For us any option is ok, I'm happy to go with whatever you prefer.

@arkodg
Contributor

arkodg commented Oct 23, 2025

thanks and agree @morepork, just switching to distroless should be okay

@collin-lee
Contributor

like the distroless approach

@collin-lee
Contributor

Maybe something like this?

#993

@morepork
Author

Closing in favour of #993

@morepork morepork closed this Oct 27, 2025