I noticed that the official Python3 Docker image, which is based on Debian, includes a Perl interpreter. I ran a quick check with a command to display the Perl version and confirmed it's there. My assumption is that this comes from Debian's requirements since Perl isn't necessary for Python itself. I also looked into hardened images thinking they might be more secure, but I found a gawk binary included in the hardened Python3 image as well. I'm curious about best practices around using these images. Are trusted images enough, or should we be taking extra steps to control what's included?
2 Answers
If you're concerned about these inclusions, consider using hardened images like Chainguard. They provide a transparent software bill of materials for their containers, which greatly improves security. I often use their Python images; they’re minimal and better secured.
The Python3 image isn't distroless since it's based on Debian, which includes Perl by default. Additionally, some parts of Python's source code actually rely on the shell, so having a minimal shell is required.
That sounds interesting! How does Chainguard manage the size while still offering custom images?