explaingit

googlecontainertools/distroless

22,594 | Starlark | Audience · ops devops | Complexity · 3/5 | License | Setup · easy

TLDR

Minimal Docker container images from Google containing only your application and its runtime, no shell, no package manager, for smaller, more secure production deployments.

Mindmap

mindmap
  root((distroless))
    What it does
      Removes shell and tools
      Minimizes image size
      Reduces attack surface
    Use Cases
      Production containers
      Security hardening
      Multi-stage builds
    Tech Stack
      Docker images
      Bazel build
      Starlark config
    Audience
      DevOps engineers
      Backend developers

Things people build with this

USE CASE 1

Deploy a Python web app in a container that is far smaller and more secure than a standard Debian image.

USE CASE 2

Use multi-stage Docker builds to compile your app then copy only the binary into a distroless runtime image.

USE CASE 3

Reduce security scanner alerts by removing unnecessary OS packages from your production containers.

USE CASE 4

Run Java or Node.js apps in production with a minimal attack surface and no shell to exploit.

Tech stack

Starlark, Docker, Bazel

Getting it running

Difficulty · easy Time to first run · 30min

No installation needed: reference the distroless base image directly in your Dockerfile FROM line.

Apache 2.0: use freely for any purpose, including commercial; just keep the copyright notice.

In plain English

Distroless is a collection of minimal Docker container images from Google that contain only your application and the specific runtime it needs to run, nothing else. A standard Linux-based Docker image comes bundled with a full operating system including a package manager, a shell, and hundreds of programs and libraries that your app never actually uses. All of that extra software is potential dead weight: more storage, more attack surface for security vulnerabilities, and more noise when security scanners try to flag problems.

Distroless strips all of that out. The smallest distroless image is around 2 megabytes, compared to roughly 124 megabytes for a standard Debian image. Because there is no shell or package manager inside the container, there is much less that can go wrong or be exploited if someone breaks in. The practical tradeoff is that debugging becomes harder: you cannot shell into the container and poke around. There is a special "debug" variant of each image that adds a minimal shell for troubleshooting purposes.

You would use distroless images when deploying production applications in containers where security, image size, and a minimal footprint matter. They work especially well with the Docker multi-stage build pattern: you use a full build environment to compile your app, then copy only the compiled result into a distroless runtime image. Language-specific variants are available for Python, Java, Node.js, and others.
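The multi-stage pattern described above, as an added example (not code from the distroless project). It assumes a Go module with a `main` package in the build context; the `golang:1.22` builder tag and the `/out/app` and `/app` paths are choices made for this example.

```dockerfile
# syntax=docker/dockerfile:1

# --- Build stage: full toolchain, shell and package manager. Never shipped. ---
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
# CGO is disabled so the binary is statically linked: the runtime image
# below has no libc, so a dynamically linked binary would fail to start.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app .

# --- Runtime stage: distroless static image. No shell, no package manager. ---
# The :nonroot tag ships an unprivileged "nonroot" user.
# For troubleshooting only, swap the tag to :debug-nonroot, which adds a
# busybox shell; do not deploy the debug variant to production.
FROM gcr.io/distroless/static-debian12:nonroot

# Only the compiled binary crosses the stage boundary; sources, compiler
# and build cache stay behind in the discarded build stage.
COPY --from=build /out/app /app

USER nonroot:nonroot

# Exec (JSON array) form is required: the shell form would need /bin/sh,
# which does not exist in this image.
ENTRYPOINT ["/app"]
```

Because the image has no shell, `RUN` instructions also cannot be used in the runtime stage; anything that needs a command must happen in the build stage and be copied over.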

Copy-paste prompts

Prompt 1
Write a multi-stage Dockerfile that compiles my Go app and copies the binary into a distroless/static base image for production.
Prompt 2
How do I debug a running distroless container when there is no shell available inside it?
Prompt 3
Show me a Dockerfile using gcr.io/distroless/python3 to run a Flask app in production with distroless.
Prompt 4
Compare the security benefits of distroless vs a slim Debian base image for my Node.js service.
Prompt 5
Generate a GitHub Actions workflow that builds a distroless Docker image and pushes it to Google Container Registry.

Verify against the repo before relying on details.