{
  "$type": "site.standard.document",
  "description": "Reduce dependencies, vulnerabilities, and image size.",
  "path": "/decisions/distroless/",
  "publishedAt": "2025-06-19T00:00:00Z",
  "site": "at://did:plc:bnr33h7nafe5nk4zzlshvana/site.standard.publication/3mnb3xdhll227",
  "tags": [
    "Docker",
    "Distribution"
  ],
  "textContent": "envoyproxy/envoy-distroless images are smaller and have fewer vulnerabilities than the official Envoy images, envoyproxy/envoy. IO's Dockerfile now uses these as the base image for IO. Pros: Image size went from ~75MB to ~55MB. All of the medium vulnerabilities that Docker Hub reported when we built on envoyproxy/envoy are gone now. Both amd64 and arm64 images are available. Cons: With no built-in shell, images are harder to debug. This adds a dependency on the Google team that builds the distroless images. Distroless adds a nonroot user, but I've been unable to give that user write access to files in mapped volumes. It's probably a me problem, but for now we've configured IO images to run internally as root.",
  "title": "Use Distroless Envoy images"
}