swan tron dot com

Secure Base Images for Docker

Do you hate insecure base images? Sure, we all do.

I built a thing: secure-base-images. It’s a minimal, security-hardened Docker base image for static Go binaries.

CI workflow running tests and build

Issue

Most Docker images are bloated. They include shells, package managers, and a ton of dependencies you don’t need. This creates a huge attack surface that your security team loves to talk about, and drives fast pipeline guys like me insane. For static Go tools, you literally just need the binary and a CA certificate bundle.

Solution

A distroless base image that gives you:

  • Zero vulnerabilities - Automated Trivy security scanning fails the build on CRITICAL/HIGH findings
  • Minimal attack surface - No shell, no package manager, just your binary
  • Non-root execution - Runs as uid 65532 by default
  • Fast builds - Multi-platform support (amd64/arm64) via GitHub Actions
  • Dead simple - 3 lines in ya Dockerfile

Usage

FROM swantron/secure-base:latest
COPY myapp /app
ENTRYPOINT ["/app"]

That’s it. Push a tag, GitHub Actions builds it, scans it with Trivy, and publishes to Docker Hub if it’s clean (it is).

Clean Trivy scan - zero vulnerabilities

Under the Hood

The GitHub Actions workflow is doing the heavy lifting:

  1. Runs integration tests (non-root user, no shell, CA certs present, etc.)
  2. Builds the image
  3. Scans with Trivy - the build fails if any vulnerabilities are found
  4. Multi-platform build (amd64/arm64)
  5. Pushes to Docker Hub on release tags
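Here is a local stand-in for that pipeline, covering both the three-line Usage above and the test/scan gates just listed. This is an added example, not a script from the secure-base-images repository: it assumes a Go module in the current directory, the docker and trivy CLIs on PATH, and that the CA bundle lives at /etc/ssl/certs/ca-certificates.crt (the page only says "CA certs present", so that path is an assumption). Run it as `IMAGE=myorg/myapp:dev sh check-image.sh`.

```shell
#!/bin/sh
# Added example (not part of the secure-base-images project): build a static
# Go binary, wrap it in the page's three-line Dockerfile, then apply the same
# gates the GitHub Actions workflow does: non-root, no shell, CA certs, Trivy.
set -eu

# Usage step: the base image has no libc, so the binary must be fully static.
build_static_binary() {
  CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o myapp .
}

# Build the page's Dockerfile around the binary.
build_image() {
  image="$1"
  cat <<'EOF' > Dockerfile.secure
FROM swantron/secure-base:latest
COPY myapp /app
ENTRYPOINT ["/app"]
EOF
  docker build -q -f Dockerfile.secure -t "$image" .
}

# Gate 1: the container must run as uid 65532, not root.
# Accepts "65532" or "65532:65532" as the configured user.
check_nonroot() {
  user=$(docker inspect -f '{{.Config.User}}' "$1")
  [ "${user%%:*}" = "65532" ]
}

# Gate 2: there is no shell to land in. Forcing /bin/sh as the entrypoint
# must fail; if it succeeds, the image is not as minimal as claimed.
check_no_shell() {
  if docker run --rm --entrypoint /bin/sh "$1" -c 'true' 2>/dev/null; then
    return 1
  fi
  return 0
}

# Gate 3: CA bundle present. With no shell inside, copy the file out of a
# stopped container instead of listing it from within. Path is an assumption.
check_ca_certs() {
  cid=$(docker create "$1")
  ok=1
  if docker cp "$cid:/etc/ssl/certs/ca-certificates.crt" - >/dev/null 2>&1; then
    ok=0
  fi
  docker rm -f "$cid" >/dev/null
  return $ok
}

# Gate 4: Trivy. --exit-code 1 makes the scan fail the build on any
# CRITICAL or HIGH finding, which is the "zero vulnerabilities" rule.
scan_image() {
  trivy image --exit-code 1 --severity CRITICAL,HIGH --no-progress "$1"
}

run_pipeline() {
  image="$1"
  build_static_binary
  build_image "$image"
  check_nonroot "$image"  || { echo "FAIL: not running as uid 65532"; return 1; }
  check_no_shell "$image" || { echo "FAIL: a shell is reachable"; return 1; }
  check_ca_certs "$image" || { echo "FAIL: CA bundle missing"; return 1; }
  scan_image "$image"     || { echo "FAIL: Trivy found CRITICAL/HIGH issues"; return 1; }
  echo "OK: $image passed all gates"
}

# Only run when IMAGE is set, so the gate functions can be sourced on their own.
if [ -n "${IMAGE:-}" ]; then
  run_pipeline "$IMAGE"
fi
```

Each gate is a separate function returning 0 or 1, so a CI job can call just the ones it needs; the Trivy gate relies on Trivy's own exit code rather than parsing its report.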

It’s opinionated but in a good way. Security by default.

Published to Docker Hub with latest and version tags

Get It

Source: https://github.com/swantron/secure-base-images

Docker Hub: swantron/secure-base:latest

The QUICKSTART.md gets you from zero to published in about 10 minutes.