2024-12-14, Rookie track 2
Distroless containers contain only your application and its dependencies. In theory, they’re a great security best practice.
But in practice, it’s really hard to find examples of companies outside of the tech giants that have successfully adopted distroless containers.
Minimal, hardened containers have huge benefits for security teams: reduced attack surface, cleaner vulnerability scans, improved isolation, and simpler supply chains. But how can a security engineer achieve them without the resources of a tech giant?
At Sourcegraph, we faced a lot of pain with vulnerability management in containers, prompting our switch to distroless. In this talk I’ll cover:
- Distroless containers from scratch
- The tooling that’s available
- Real-world experience from migrating a complex SaaS application to distroless - what went well, and what was unexpectedly hard
Security Engineer