
Another Day of Exploring DevOps: Comparing Distroless, Chainguard, and Docker Hardened Images


Container security is one of those topics that keeps getting more interesting the deeper you go.

While working with Docker images, I've always followed the common best practice of using multi-stage builds. It's a simple change that can make a big difference by reducing image size, removing unnecessary dependencies, and minimizing the attack surface of a container.

For most projects, I usually reach for Alpine or Slim images in the final stage. They do a decent job of keeping images lightweight, but they still include packages that your application may never need. More packages generally mean more potential vulnerabilities.

Recently, I started wondering:

Can I make my containers even smaller and more secure?

That question led me down a rabbit hole of exploring security-focused container images.

The Contenders

For this experiment, I decided to compare three popular options:

  • Distroless Images

  • Chainguard Images

  • Docker Hardened Images

All three aim to reduce the attack surface by removing unnecessary components from the final image, but they take slightly different approaches.

The Test Setup

To keep things simple, I used a personal Go application that already had a multi-stage Docker build.

The only thing I changed was the final runtime image. Everything else remained exactly the same.

For each build, I wanted to compare:

  • Final image size

  • Vulnerability count

  • Overall security posture

Instead of my usual tool, Trivy, I decided to try Docker Scout for vulnerability analysis and image insights.
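To make the setup concrete, here is an added example of the kind of multi-stage Go build the post describes, with only the final runtime image swappable through a build argument; it is not the author's Dockerfile, and the Go version, paths, user id and image tags are assumptions (the Docker Hardened Images reference is a placeholder for whatever mirror your organization uses).

```dockerfile
# syntax=docker/dockerfile:1

# The only thing that changes between experiments is this runtime base.
# Defaults to Distroless; override with --build-arg RUNTIME_IMAGE=... (assumed tags):
#   gcr.io/distroless/static-debian12:nonroot   (Distroless)
#   cgr.dev/chainguard/static:latest             (Chainguard)
#   <your-org>/dhi-static:<tag>                  (Docker Hardened Images, placeholder)
#   alpine:3.20                                   (the usual baseline for comparison)
ARG RUNTIME_IMAGE=gcr.io/distroless/static-debian12:nonroot

# ---- build stage: full toolchain, never shipped ---------------------------
FROM golang:1.22 AS build
WORKDIR /src

# Cache module downloads separately from source changes.
COPY go.mod go.sum ./
RUN go mod download

COPY . .
# CGO_ENABLED=0 produces a fully static binary. The "static" Distroless and
# Chainguard variants ship no libc, so a dynamically linked binary would fail
# at startup with a confusing "no such file or directory" error.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app .

# ---- runtime stage: only the binary and what it needs ---------------------
FROM ${RUNTIME_IMAGE} AS runtime

# Copy just the artifact; no source, compiler or package manager comes along.
COPY --from=build /out/app /app

# Run unprivileged. 65532 is the conventional "nonroot" uid in both the
# Distroless and Chainguard images (assumed; adjust for other bases).
USER 65532:65532

# Exec form is required: these images have no shell, so the shell form
# (ENTRYPOINT /app) would try to invoke /bin/sh and fail.
ENTRYPOINT ["/app"]
```

Build one variant per base, e.g. `docker build --build-arg RUNTIME_IMAGE=cgr.dev/chainguard/static:latest -t app:chainguard .`, then compare with `docker image ls` for size and `docker scout cves app:chainguard` for the vulnerability count.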

Results

After building and scanning all three images, a few things stood out.

Distroless Images

Distroless produced the smallest image size among the three options.

Since these images contain only the application and its runtime dependencies, they eliminate many components that attackers could potentially target.

Chainguard Images

Chainguard images were also very impressive.

The vulnerability results were nearly identical to Distroless, and they come with additional security-focused features and supply chain considerations that make them increasingly popular in production environments.

Docker Hardened Images

Docker Hardened Images also provided a more secure baseline compared to traditional runtime images, although their image sizes were slightly larger than the Distroless alternative in my testing.

What I Learned

This experiment reinforced something I've been hearing for a while:

The best container image is often the one that contains only what your application actually needs.

Smaller images offer several benefits:

  • Reduced attack surface

  • Fewer vulnerabilities

  • Faster image pulls

  • Quicker deployments

  • Lower storage and bandwidth usage

Based on this test, Distroless came out ahead in terms of image size, while both Distroless and Chainguard showed similarly strong vulnerability results according to Docker Scout.

Final Thoughts

This wasn't a large-scale benchmark or production evaluation, just a learning exercise on a personal project. But it was a great reminder that choosing the right base image can have a significant impact on both security and efficiency.

I'm planning to explore these images further, especially in Kubernetes environments, to understand their operational trade-offs and debugging experience.

Have you used Distroless, Chainguard, or Docker Hardened Images in production? I'd be interested to hear what worked well for you and what challenges you faced.

Learning a little more about containers every day. 🚀