A distroless image contains only an application and its runtime dependencies; that is, it is a minimal image without a shell or package manager.
We use apko and melange as our distroless build system. Together, these tools provide a reproducible, declarative approach to building OCI images.
melange lets you build APKs using declarative YAML pipelines. APKs are .apk packages compatible with the package manager used by Alpine, similar to .deb or .rpm packages.
apko lets you bundle a collection of APKs into an OCI image using a declarative YAML manifest.
Our distroless images come with SBOM support and signatures, which give you known provenance and more secure base images. They can be part of an approach to a secure software factory.
Find and use distroless images
Our distroless images are available via distroless.dev.
You can pull down a distroless image with Docker, for example:
docker pull distroless.dev/apko
Because all distroless images are signed with Cosign, you can check the signature. For our apko image example, you can run the following:
COSIGN_EXPERIMENTAL=1 cosign verify distroless.dev/apko | jq
Your output will indicate that the Cosign claims were validated.
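One way to act on the verification result, as an added example that is not part of the original page or the project's code: a Python check that reads JSON in the layout `cosign verify` prints, confirms the signature names the expected repository and signer, and returns a digest-pinned reference. The function name, the issuer and subject values, and the sample payload are constructed for illustration, and the field layout is an assumption about Cosign's output.

```python
import json

# Constructed sample shaped like the JSON that `cosign verify` prints;
# the digest, issuer and subject values are placeholders, not real output.
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "distroless.dev/apko"},
        "image": {"docker-manifest-digest": "sha256:" + "0" * 64},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": "https://issuer.example",
        "Subject": "https://example.invalid/builder",
    },
}])


def pinned_reference(verify_json, repo, issuer, subject):
    """Return repo@digest if a verified signature matches the expected signer.

    Raises ValueError when no entry covers `repo` with the expected identity,
    or when matching entries disagree on the digest.
    """
    digests = set()
    for entry in json.loads(verify_json):
        critical = entry.get("critical", {})
        optional = entry.get("optional") or {}
        if critical.get("type") != "cosign container image signature":
            continue
        if critical.get("identity", {}).get("docker-reference") != repo:
            continue  # signature is for a different repository
        if optional.get("Issuer") != issuer or optional.get("Subject") != subject:
            continue  # signed by an identity we did not expect
        digest = critical.get("image", {}).get("docker-manifest-digest", "")
        hexpart = digest[len("sha256:"):]
        if digest.startswith("sha256:") and len(hexpart) == 64 \
                and all(c in "0123456789abcdef" for c in hexpart):
            digests.add(digest)
    if len(digests) != 1:
        raise ValueError(f"expected one trusted digest for {repo}, got {len(digests)}")
    return f"{repo}@{digests.pop()}"


if __name__ == "__main__":
    print(pinned_reference(SAMPLE_OUTPUT, "distroless.dev/apko",
                           "https://issuer.example", "https://example.invalid/builder"))
```

Pulling by the returned `repo@sha256:...` reference means the image you run is the one whose signature you checked, even if the tag moves later.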
Learn more
You can learn more about distroless images, apko, and melange from the following articles:
- Introducing apko: bringing distroless nirvana to Alpine Linux
- Minimal Container Images: Towards a More Secure Future
- Secure Your Software Factory with melange and apko
Media
Find the distroless logo, artwork, and brand guidelines in the distroless/artwork repository.