# googlecloudplatform/distroless

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/googlecloudplatform-distroless).**

22,774 stars · 1,405 forks · Starlark · Apache-2.0

## Links

- GitHub: https://github.com/GoogleCloudPlatform/distroless
- awesome-repositories: https://awesome-repositories.com/repository/googlecloudplatform-distroless.md

## Description

Distroless provides a set of OCI-compliant minimal base images and hardening tools designed to create secure, language-specific execution environments. These images are stripped of non-essential system binaries, shells, and package managers to reduce the container attack surface.

The project utilizes upstream-tracked automated patching to monitor operating system releases and generate updated images when security vulnerabilities are addressed. It ensures supply chain integrity through image provenance verification using ephemeral-key digital signatures.

The system supports the generation of minimal runtime environments for specific programming languages, bundling only the required shared libraries. For observability, it employs a dual-mode layering approach that allows for internal inspection via separate shell-enabled debug images.

## Tags

### DevOps & Infrastructure

- [Language Base Images](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration/container-runtimes/runtime-configuration-interfaces/docker-socket-orchestrators/docker-target-configurators/docker-container-deployments/docker-image-building/language-base-images.md) — Provides standardized, OCI-compliant minimal base images with pre-installed language runtimes for secure execution. ([source](https://github.com/googlecloudplatform/distroless#readme))
- [Minimal Base Image Creation](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration/container-runtimes/runtime-configuration-interfaces/docker-socket-orchestrators/docker-target-configurators/docker-container-deployments/docker-image-building/language-base-images/minimal-base-images/minimal-base-image-creation.md) — Builds stripped-down images containing only the application and its runtime dependencies to reduce overhead.
- [Minimal Base Images](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration/container-runtimes/runtime-configuration-interfaces/docker-socket-orchestrators/docker-target-configurators/docker-container-deployments/docker-image-building/minimal-base-images.md) — Ships a set of stripped-down container base images containing only runtimes and minimal dependencies.
- [Vulnerability Patching](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration/image-management-tools/container-image-optimizers/vulnerability-patching.md) — Automatically detects and patches vulnerabilities by tracking upstream OS releases and regenerating images.
- [Debug Image Layering](https://awesome-repositories.com/f/devops-infrastructure/container-image-layering/debug-image-layering.md) — Employs a dual-mode layering approach that allows for internal inspection via separate shell-enabled debug images.
- [Container Debugging Utilities](https://awesome-repositories.com/f/devops-infrastructure/containerization/image-inspection/container-debugging-utilities.md) — Provides utilities to launch shell-enabled versions of minimal images for internal state inspection. ([source](https://github.com/googlecloudplatform/distroless#readme))
- [OCI Compliant Image Sets](https://awesome-repositories.com/f/devops-infrastructure/oci-compliant-image-sets.md) — Provides a set of standardized container images that follow Open Container Initiative specifications.

### Development Tools & Productivity

- [Minimal Runtime Environments](https://awesome-repositories.com/f/development-tools-productivity/application-installers/installation-footprint-reducers/runtime-footprint-reducers/minimal-runtime-footprints/minimal-runtime-environments.md) — Generates stripped-down runtime environments containing only the application and language dependencies. ([source](https://github.com/googlecloudplatform/distroless#readme))
- [System Binary Stripping](https://awesome-repositories.com/f/development-tools-productivity/debugging-profiling-testing/debugging-diagnostics/debugging-inspection-tools/debugging-and-inspection-tools/runtime-debugging/debug-symbol-stripping/binary-metadata-stripping/system-binary-stripping.md) — Provides base images stripped of non-essential system binaries to significantly reduce the container attack surface.

### Programming Languages & Runtimes

- [Language-Specific Packaging](https://awesome-repositories.com/f/programming-languages-runtimes/containerized-language-runtimes/language-specific-packaging.md) — Packages minimal shared libraries and runtime components required for specific programming languages to execute.

### Security & Cryptography

- [Automated Security Patching](https://awesome-repositories.com/f/security-cryptography/application-and-system-security/automated-security-patching.md) — Monitors official operating system releases to automatically generate updated images when security vulnerabilities are fixed.
- [Container Surface Reduction](https://awesome-repositories.com/f/security-cryptography/attack-surface-analysis/container-surface-reduction.md) — Limits security exploit vectors by removing shells, package managers, and unnecessary binaries from images. ([source](https://github.com/googlecloudplatform/distroless#readme))
- [Container Hardening](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/linux-security-hardening/container-hardening.md) — Reduces the container attack surface by removing unused components like shells and package managers.
- [Blob Signature Verifications](https://awesome-repositories.com/f/security-cryptography/asymmetric-signing/artifact-verification-key-storage/blob-signature-verifications.md) — Validates image integrity using digital signatures, certificate timestamps, and ephemeral public keys.
- [Supply Chain Integrity](https://awesome-repositories.com/f/security-cryptography/hardened-container-images/supply-chain-integrity.md) — Ensures container image provenance and component integrity through the use of cryptographic signatures.
- [Provenance Verification](https://awesome-repositories.com/f/security-cryptography/provenance-verification.md) — Checks digital signatures using ephemeral keys to confirm the origin and integrity of container images. ([source](https://github.com/googlecloudplatform/distroless#readme))

### Software Engineering & Architecture

- [Runtime-Only Compositions](https://awesome-repositories.com/f/software-engineering-architecture/modular-package-systems/layered-image-composition/runtime-only-compositions.md) — Creates images containing only the application and its minimal dependencies by omitting shells and package managers.

### Part of an Awesome List

- [Example Projects](https://awesome-repositories.com/f/awesome-lists/devtools/example-projects.md) — Language-focused container images built using the system.
