Docker: alpine vs buster-slim vs distroless image
The container image with Alpine Linux is smaller than the buster-slim image and triggers far fewer security warnings from the container security scanning.
| X | buster-slim | alpine | distroless |
|---|---|---|---|
| size | 62.85 MB | 24.38 MB | 42.08 MB |
| sec-warnings | 1 high, 56 medium, 7 low prio | 1 low prio | 0 |
There are some recommendations against using Alpine Linux for Python apps (at least in some cases):
- https://pythonspeed.com/articles/alpine-docker-python/
- https://medium.com/swlh/alpine-slim-stretch-buster-jessie-bullseye-bookworm-what-are-the-differences-in-docker-62171ed4531d
These base their opinion on slower build times and sometimes hard-to-fix bugs. I guess if the app just works, as with the marketplace, it is a safe option to switch to alpine for security reasons.
Update: Did a test with a distroless container; this wins the container scanning security competition. If I understand right, Google does patch the distroless base images with the latest security fixes: https://cloud.google.com/container-registry/docs/managed-base-images
Edited by Ubbo Veentjer