When building a house, you wouldn’t build on a cracked foundation. Yet, in the world of container development, that is precisely what happens when engineering teams build applications on top of unverified, public base images.
For most teams, the process begins by searching a public registry for a pre-existing image, typically built on Alpine, Debian, or Ubuntu, to serve as the base layer. While convenient, these community-maintained images are often bloated, outdated, and riddled with unpatched vulnerabilities and misconfigurations. If your base image is compromised, every container derived from it inherits that risk.
The Distroless Difference
To truly secure the software supply chain, you must shrink the attack surface. This starts with using a “distroless” base image.
Unlike standard distributions that package unnecessary utilities, a distroless image contains only the application and its runtime dependencies. Distroless images strip away the vast majority of bundled software, meaning:
- No Shells: Attackers cannot efficiently run scripts or execute commands if they gain access to the system.
- No Package Managers: There is no easy way for bad actors to install malicious tools.
- No Debugging Tools: Sensitive information and internal workings remain obscured.
ActiveState’s Custom Base Layer
ActiveState Secure Containers are built on a custom distroless foundation designed for maximum security and a minimal footprint. Instead of relying on upstream Linux distributions, ActiveState compiles only the required base components, such as glibc, directly from source.
This approach delivers three critical advantages:
- Reduced Attack Surface: By removing everything unnecessary, there are fewer potential vulnerabilities for attackers to exploit.
- Total Visibility: Compiling from source ensures that only vetted components are included, providing complete control over the image’s contents.
- Streamlined Maintenance: With fewer moving parts, the image is smaller, faster to pull, and significantly easier to patch and maintain.
Secure from the Start
A secure container requires a safe beginning. By shifting to a hardened, distroless base image, DevSecOps teams can proactively reduce the chance of vulnerabilities existing in the first place, rather than fighting them after deployment.
Why Choose ActiveState?
As a provider of managed services, your time is your most valuable asset. By starting with the most secure foundation, you reduce the risk of a high-cost security incident, protecting your business from the hundreds of millions of dollars in fines that security breaches incur in regulated industries.
Download the ActiveState Container Hardening Guide to see how a custom base image can transform your security posture.


