"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

For more information, see this talk (video).

Since March 2023, Distroless images use OCI manifests; if you see errors referencing application/.v1+json or application/.v1+json, update your container tooling (docker, jib, etc.) to latest.

Restricting what's in your runtime container to precisely what's necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal to noise of scanners (e.g. CVE) and reduces the burden of establishing provenance to just what you need.

The smallest distroless image, gcr.io/distroless/static-debian11, is around 2 MiB. That's about 50% of the size of alpine (~5 MiB), and less than 2% of the size of debian (124 MiB).

These images are built using bazel, but they can also be used through other Docker image build tooling.

The following images are currently published and updated by the distroless project (see SUPPORT_POLICY for support timelines).

These images refer to image indexes with references to all supported architectures. Architecture specific images can be directly referenced using an additional architecture suffix on the tag, like gcr.io/distroless/static-debian11:latest-amd64.

Any other tags are considered deprecated and are no longer updated.

How do I verify distroless images?

All distroless images are signed by cosign.
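What "only your application and its runtime dependencies" looks like with ordinary Docker tooling, as an added example that is not taken from the distroless project: a multi-stage build whose final stage is gcr.io/distroless/static-debian11. The Go builder image tag, the ./cmd/server path and the /server binary name are assumptions chosen for illustration.

```dockerfile
# Added example. Assumed: builder image tag, ./cmd/server path, /server binary name.

# Build stage: the compiler, shell and package manager exist only in this stage
# and are discarded when the final image is assembled.
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
# static-debian11 ships no libc, so the binary has to be statically linked.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/server ./cmd/server

# Runtime stage: nothing but the compiled binary is copied across.
FROM gcr.io/distroless/static-debian11
COPY --from=build /out/server /server

# Run as the unprivileged "nonroot" account (uid/gid 65532) shipped in distroless images.
USER 65532:65532

# Exec (JSON array) form is required. Shell form would be run through /bin/sh,
# which does not exist in this image, and the container would fail to start.
ENTRYPOINT ["/server"]
```

The same constraint applies to anything else that assumes a shell in the runtime image, such as a shell-form HEALTHCHECK or an interactive `docker exec ... sh` session.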