Top ten most popular docker images each contain at least 30 vulnerabilities

Liran Tal - Apr 8 '19 - Dev Community

Prefer minimal base images

Often you start a project with a generic Docker container image as your default, for example by writing a Dockerfile that begins with FROM node.

However, when you specify the node image you should bear in mind that it is built on top of a fully installed Debian Stretch distribution; that full OS is the underlying image.

If your project doesn't require any general system libraries or system utilities, it is better to avoid using a full-blown operating system (OS) as a base image.

In Snyk's State of open source security report 2019, we found that many of the popular Docker images featured on the Docker Hub website bundle a base image that contains many known vulnerabilities.

For example, when you use a generic and popularly downloaded node image such as docker pull node, you are actually introducing an OS into your application that is known to have 580 vulnerabilities in its system libraries.

[Figure: Number of OS vulnerabilities by Docker image] https://res.cloudinary.com/snyk/image/upload/v1551121069/Number_of_OS_vulnerabilities_by_docker_image.png

As the figure, taken from the State of open source security report 2019, shows, each of the top ten Docker images we inspected on Docker Hub contained known vulnerabilities.

By preferring minimal images that bundle only the system tools and libraries your project actually needs to run, you also shrink the attack surface available to attackers and ship a more secure OS.
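As an added example (not code from the original post or from Snyk), the following POSIX sh lint reads the FROM instructions of a Dockerfile and reports base images that are untagged (so they float to :latest) or that pull a full OS image where a minimal variant exists. The treatment of "alpine", "slim" and "distroless" as the markers of a minimal image, the handling of build-stage names and digests, and the constructed sample Dockerfile at the bottom are all assumptions of this example; extend the keyword list to match the image families your organisation uses.

```shell
#!/bin/sh
# Added example, not from the original post: a small POSIX sh lint for the
# FROM lines of a Dockerfile. It flags base images that are untagged (so they
# float to :latest) or that pull a full OS image when a minimal variant
# (alpine, slim, distroless) would do. The keyword list is our assumption.

# check_base_images FILE
# Prints one line per FROM instruction that needs attention.
# Returns 0 when every base image is minimal and pinned, 1 otherwise.
check_base_images() {
    found=0
    stages=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                 # blank line or comment
            [Ff][Rr][Oo][Mm]\ *) ;;               # a FROM instruction
            *) continue ;;                        # any other instruction
        esac
        # Split into words: FROM [--platform=...] ref [AS name]
        set -- $line
        shift                                     # drop the FROM keyword
        while [ "${1#--}" != "$1" ]; do shift; done   # drop --platform=... options
        ref="$1"
        # A stage name from an earlier "FROM ... AS name" is not a base image
        case " $stages " in *" $ref "*) continue ;; esac
        if [ $# -ge 3 ]; then
            case "$2" in [Aa][Ss]) stages="$stages $3" ;; esac
        fi
        # "FROM scratch" is as minimal as it gets
        [ "$ref" = "scratch" ] && continue
        # Work out how the image is pinned: strip registry/namespace first
        name="${ref##*/}"
        case "$name" in
            *@*) pin="digest" ;;                  # pinned by @sha256:... digest
            *:*) pin="${name##*:}" ;;             # pinned by tag
            *)   pin="" ;;                        # no tag at all
        esac
        case "$pin" in
            ''|latest) printf 'UNTAGGED  %s\n' "$ref"; found=1; continue ;;
        esac
        case "$ref" in
            *alpine*|*slim*|*distroless*) ;;      # minimal variant, fine
            *) printf 'FULL-OS   %s\n' "$ref"; found=1 ;;
        esac
    done < "$1"
    return $found
}

# Demonstration on a constructed Dockerfile (not a real project's file)
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM node
WORKDIR /app
COPY . .
RUN npm ci --only=production
CMD ["node", "server.js"]
EOF
check_base_images "$sample" || echo "-> prefer a minimal, pinned base such as FROM node:10-alpine"
rm -f "$sample"
```

Run it against a Dockerfile with `check_base_images path/to/Dockerfile` from a CI step; a non-zero exit status fails the build until every base image is pinned and minimal. The check is deliberately text-only, so it complements rather than replaces scanning the built image for known OS vulnerabilities.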


This tip is part of a complete 10 Docker image security best practices you should adopt. Thanks for reading and to Omer Levi Hevroni who worked with me on it.

The original blog post includes a high-resolution printable PDF like the snippet you see below. Check it out.
