Tired of seeing bullshit alerts about dependencies in your containers, which have some crazy new vulnerability, but aren't part of your application and don't really need to be there? Me too! Stop wasting time and start getting actionable security feedback by making your containers distroless!

I tested this and was able to reduce the number of dependencies showing up in my SBOM by *71%* compared to python:3.11-slim!

https://chris.partridge.tech/2024/distroless-python-in-minutes/ #distroless #container #docker

Converting a Python application to a distroless container in under 15 minutes | tweedge's blog

Chris Partridge
@tweedge my favorite thing about containerizing Go apps is how easy it is to statically compile it so that you can just use `FROM scratch` and end up with a super-small image. I wonder how that affects vulnerability scanning, though 🤔
@tj I'm not much of a Gopher but I would imagine an SBOM at build time would be needed (or at least beneficial) since Go is compiled. That said, less to go wrong & more secure-by-default since there's nothing except what you need included!