Engineering8 min read

Why We Built ImageSentinel on a Hardened Minimal Base

By

When we started building ImageSentinel, we had a fundamental question to answer: what should our hardened container images be built on? The obvious choices were the traditional Linux distributions—Debian, Ubuntu, Alpine. But each of these came with baggage that made them less than ideal for security-focused container workloads.

The Problem with Traditional Base Images

Traditional Linux distributions were designed for general-purpose computing. They include hundreds of packages by default, many of which are completely unnecessary in a containerized environment. This creates two problems:

  • Larger attack surface — Every additional package is a potential vulnerability. The more code in your image, the more opportunities for exploits.
  • Slower patching cycles — General-purpose distributions must balance stability with security updates. This means vulnerabilities often linger for weeks or months.

Enter Minimal Base Images

A hardened minimal base removes non-essential userland entirely—no package manager, no shell, no editors, no unused utilities—leaving only what your process needs to run. Fewer moving parts means fewer CVEs, smaller images, faster cold starts, and simpler compliance.

Dockerfile
# Example: minimal hardened Dockerfile for a Node service
# 1) Build stage
FROM node:20-alpine AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
COPY . .
RUN npm run build

# 2) Runtime stage (hardened minimal base)
FROM imagesentinel.io/node:20
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
USER 65532:65532  # non-root
EXPOSE 3000
CMD ["dist/server.js"]

Minimal base isn't about a specific vendor—it's a design principle: minimize the runtime to reduce attack surface and operational noise. Daily rebuilds, attestations, and provenance then make it verifiable.

The ImageSentinel Advantage

Building on a hardened minimal base, ImageSentinel layers rigorous hardening and verification on top. The result is container images that are:

  • Verifiably CVE-free at the time of build
  • Signed with Sigstore for tamper-evident verification
  • Shipped with complete SBOM and SLSA provenance attestations
  • 80–90% smaller than traditional alternatives