Use distroless image for Container Scanning


Proposal

Container Scanning currently uses ruby:3.1-slim as the base image. That image, however, pulls in many additional packages, such as perl, which increases both the potential for vulnerabilities and the maintenance burden.

Container Scanning doesn't strictly need packages such as perl; however, they are "essential packages" (as explained here) and cannot be removed.

In order to reduce the maintenance burden and the potential for vulnerabilities, we should switch the Container Scanning base image to a distroless image such as cgr.dev/chainguard/wolfi-base and then install only the required packages (ruby, git, etc.):

68b68a17ca16:/ci-project-dir# apk add git
68b68a17ca16:/ci-project-dir# apk add ruby3.3-bundler

The above commands install only a minimal set of packages:

68b68a17ca16:/ci-project-dir# apk info -vv | sort

apk-tools-2.14.0-r1 - apk-tools (Wolfi package manager)
busybox-1.36.1-r4 - swiss-army knife for embedded systems
ca-certificates-bundle-20230506-r1 -
expat-2.5.0-r3 - XML SAX Parser library written in C
git-2.43.0-r1 - distributed version control system
glibc-2.38-r9 - the GNU C library
glibc-locale-posix-2.38-r9 - POSIX locale data for glibc
ld-linux-2.38-r9 - the GLIBC ELF interpreter
libbrotlicommon1-1.1.0-r1 -
libbrotlidec1-1.1.0-r1 -
libcrypt1-2.38-r9 - Password hashing library included with glibc
libcrypto3-3.2.0-r1 - OpenSSL libcrypto library
libcurl-openssl4-8.5.0-r1 - curl library (openssl backend)
libffi-3.4.4-r2 - portable foreign function interface library
libgcc-13.2.0-r4 - GCC runtime library
libidn2-2.3.4-r0 - Encode/Decode library for internationalized domain names
libnghttp2-14-1.58.0-r1 - nghttp2 client library
libpcre2-8-0-10.42-r3 - pcre2 runtime library 8-bit
libpsl-0.21.2-r0 - C library for the Publix Suffix List
libssl3-3.2.0-r1 - OpenSSL libssl library
libunistring-1.1-r1 - Library for manipulating Unicode strings and C strings
openssl-config-3.2.0-r1 - OpenSSL configuration
ruby-3.3-3.3.0-r0 - the Ruby programming language
ruby3.3-bundler-2.5.4-r0 - Manage an application's gem dependencies
wolfi-base-1-r3 - Wolfi base metapackage
wolfi-baselayout-20230201-r7 - baselayout data for Wolfi
wolfi-keys-1-r6 - Wolfi signing keyring
yaml-0.2.5-r1 - YAML 1.1 parser and emitter written in C
zlib-1.3-r3 - a library implementing the zlib compression algorithms

and we can remove the requirement for git altogether once Remove git-core from Container Scanning and use... (#398992, closed) is complete.
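A drift check for the resulting package set, as an added example that is not part of this issue: it reads the output of `apk info -vv | sort`, strips the version suffixes, and reports any package outside the set listed above, so a CI job can fail when something like perl creeps back in. The functions `pkg_names` and `unexpected_packages` and the embedded sample (which adds a constructed perl line to show the detection) are assumptions of this example.

```shell
#!/bin/sh
# Added example: enforce the minimal package set of a wolfi-base Container
# Scanning image. Usage in CI:  apk info -vv | sort | sh check-packages.sh

# Package names expected after `apk add git ruby3.3-bundler` on wolfi-base,
# taken from the listing in the issue (names only; versions may move).
ALLOWED="apk-tools busybox ca-certificates-bundle expat git glibc glibc-locale-posix
ld-linux libbrotlicommon1 libbrotlidec1 libcrypt1 libcrypto3 libcurl-openssl4 libffi
libgcc libidn2 libnghttp2-14 libpcre2-8-0 libpsl libssl3 libunistring openssl-config
ruby-3.3 ruby3.3-bundler wolfi-base wolfi-baselayout wolfi-keys yaml zlib"

# Reduce each "name-<version>-r<release> - <description>" line to its name.
# The version starts at the first "-<digit>" that is followed by "-r<N>", so
# names containing digits and dashes (libpcre2-8-0, ruby-3.3) survive intact.
pkg_names() {
    sed -E 's/-[0-9][^-]*-r[0-9]+( -.*)?$//'
}

# Print every installed package name not in ALLOWED; exit status 1 if any.
unexpected_packages() {
    allowed=" $(printf '%s' "$ALLOWED" | tr '\n' ' ') "
    found=0
    for name in $(pkg_names); do
        case "$allowed" in
            *" $name "*) ;;
            *) echo "$name"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample standing in for real `apk info -vv | sort` output,
# including one package (perl) that must not be present.
SAMPLE='apk-tools-2.14.0-r1 - apk-tools (Wolfi package manager)
busybox-1.36.1-r4 - swiss-army knife for embedded systems
ca-certificates-bundle-20230506-r1 -
git-2.43.0-r1 - distributed version control system
libpcre2-8-0-10.42-r3 - pcre2 runtime library 8-bit
perl-5.38.2-r0 - constructed line: an interpreter the scanner does not need
ruby-3.3-3.3.0-r0 - the Ruby programming language
ruby3.3-bundler-2.5.4-r0 - manages gem dependencies'

# Stand-alone run over the sample; a real job pipes apk output in instead.
printf '%s\n' "$SAMPLE" | unexpected_packages || echo "package drift detected"
```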

/cc @thiagocsf

Edited by 🤖 GitLab Bot 🤖