3.3.3.5 Base Image Hardening
A focused guide to Base Image Hardening, connecting core concepts with practical Docker and container operations.
Base image hardening is the practice of deliberately reducing a base image's attack surface and following security best practices — minimizing installed packages, avoiding running as root, and keeping the image current — before any application-specific concerns are even considered.
Minimizing the Attack Surface
Every additional package or tool present in an image is something an attacker who has compromised the container could use, which is why hardened base images favor minimal variants: shells, package managers, and other utilities are removed wherever the application does not genuinely need them.
FROM gcr.io/distroless/python3
A distroless base image represents an extreme version of this principle, removing virtually everything beyond what the application's own runtime strictly requires.
Running as a Non-Root User
A hardened base image, or the layers built on top of it, should configure the container to run its main process as a non-root user, limiting what a compromised process could do even within its own isolated namespace.
FROM python:3.12-slim
RUN useradd --create-home appuser
USER appuser
Avoiding Unnecessary Setuid Binaries
Some base images include setuid binaries that allow privilege escalation under certain conditions; auditing and removing unnecessary setuid binaries reduces this specific category of risk.
docker run --rm myapp:1.0 find / -perm -4000 -type f
This lists the setuid binaries present in the image, each of which can then be reviewed to determine whether it is actually necessary. Note that the command relies on find being available inside the image; for a distroless or otherwise shell-less image, inspect the exported filesystem from the host instead.
Keeping Base Images Current
A hardened base image strategy includes a process for regularly rebuilding against updated base image versions, since even a well-chosen, minimal base image accumulates known vulnerabilities over time if never refreshed.
docker build --pull -t myapp:1.0 .
docker scan myapp:1.0
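The following is an added example of my own, not code from the guide: a small static audit of a Dockerfile that turns the points from the sections on minimizing the attack surface, running as a non-root user and keeping base images current into checks, flagging a base image that is unpinned or uses :latest, an apt-get install without --no-install-recommends, and a final stage that never switches to a non-root USER. The two sample Dockerfiles WEAK and HARDENED are constructed for the demonstration and do not belong to any real project.

```python
import re

def parse_instructions(text):
    """Return (INSTRUCTION, args) pairs, joining backslash continuations and skipping comments."""
    buf, result = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        result.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
        buf = ""
    return result

def audit_dockerfile(text):
    """Return hardening findings as strings; an empty list means every check passed."""
    instr, findings, stages = parse_instructions(text), [], []
    for op, args in instr:
        if op == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # drop --platform=...
            image = tokens[0]
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                stages.append(tokens[2])
            if image == "scratch" or image in stages:  # scratch or an earlier build stage
                continue
            ref = image.rsplit("/", 1)[-1]  # name[:tag][@digest] without the registry path
            if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
                findings.append(f"FROM {image}: base image not pinned to a tag or digest")
        elif op == "RUN" and re.search(r"apt-get\s+install", args) and "--no-install-recommends" not in args:
            findings.append("RUN apt-get install without --no-install-recommends pulls in packages the app does not need")
    # Only the final stage's USER matters: it is the identity the container's main process runs as.
    last_from = max((i for i, (op, _) in enumerate(instr) if op == "FROM"), default=0)
    users = [args for op, args in instr[last_from:] if op == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage does not switch to a non-root USER")
    return findings

# Constructed sample Dockerfiles for the demonstration, not taken from any real project.
WEAK = """FROM python:latest
RUN apt-get update && apt-get install -y curl"""
HARDENED = """FROM python:3.12-slim AS builder
RUN apt-get update && apt-get install -y --no-install-recommends build-essential
COPY app.py /app/
FROM gcr.io/distroless/python3-debian12:nonroot
COPY --from=builder /app /app
USER nonroot"""
```

Running audit_dockerfile(WEAK) reports all three findings, while audit_dockerfile(HARDENED) returns an empty list.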
Why Base Image Hardening Matters
Hardening decisions made at the base image level affect every application built on top of that base, making this one of the highest-leverage points to apply security improvements consistently across an entire organization's container images, rather than addressing security only at the level of individual applications.