Day 6 — The Audit
Source: Dev.to
Gord halts at the edge of the village and nods toward Rothütle’s pack.
“Your bag is rather heavy,” she says. “And noisy. Let me check it.”
Rothütle hesitates. “It’s just my things.”
“In the deep forest,” she replies, kneeling beside a mossy stone, “weight slows you down — and noise draws the wrong attention.”
Reluctantly, he hands it over. Gord examines the contents with calm precision: a notebook, spare shirt, ink bottle, three pens, and a carefully wrapped pastry.
She lifts the pastry.
“For morale,” he offers.
“For animals,” she says, setting it aside. “And possibly worse.”
One by one, she removes anything that could rattle, crumble, leak, or leave a trace.
“The corrupted parts of the forest use what you carry against you,” she adds. “And Jack knows how to track by traces.”
Rothütle watches his pack grow unnervingly light.
“I feel exposed.”
“Good,” Gord replies, repacking only what matters. “A quiet burden keeps you alive.”
Tip of the day: Removing unnecessary components makes your images safer.
Security Tip #6 — Image Hardening
Gord’s audit is image hardening in story form: reduce weight, reduce noise, reduce risk.
Every unnecessary package inside a container becomes:
- another dependency to patch,
- another hiding place for vulnerabilities,
- another clue an attacker can use to understand your system.
Just as Gord reduces Rothütle’s burden, image hardening reduces your container’s attack surface.
How to Harden Your Images
- Start from minimal base images (distroless, slim, Alpine, Docker Hardened Images).
- Use multi‑stage builds so only compiled artifacts reach the final image.
- Remove “just in case” tools — no shells, curl, ping, nano unless absolutely needed.
- Prefer rebuilt clean images over patched ones.
- Scan images regularly.
Example 1: Docker Hardened Images
FROM gord/dhi-python:3.13
# Copy only necessary application files
COPY app/ /app/
WORKDIR /app/
CMD ["python", "main.py"]
DHI is a set of near‑zero‑CVE base images maintained by Docker, designed for production workloads.
Example 2: Alpine Minimal Base Image
FROM alpine:3.19
# Install only the package needed to run the app, then remove build cache
RUN apk --no-cache add python3   # --no-cache skips storing the apk index in the layer
# Copy the application
COPY app/ /app/
WORKDIR /app/
CMD ["python3", "main.py"]
Alpine Linux is a small, security‑oriented distribution often used for minimal container images.
Example 3: Multi‑Stage Build
# Stage 1: The Build Stage (contains heavy build tools)
FROM golang:1.21-alpine AS builder
WORKDIR /src
COPY . .
RUN go build -o /usr/local/bin/myapp ./cmd/
# Stage 2: The Final Runtime Stage (minimal, hardened)
FROM alpine:3.19
# Copy only the compiled binary from the builder stage
COPY --from=builder /usr/local/bin/myapp /usr/local/bin/myapp
# No Go toolchain, sources or build dependencies are carried over, only the single binary.
# (alpine:3.19 still ships a busybox shell; a scratch or distroless base would drop it too.)
CMD ["/usr/local/bin/myapp"]
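To make Gord's audit concrete, here is a small static checker, an added example that is not code from the post or from Docker. It applies the rules above to a Dockerfile before it is ever built: the base image must be pinned, the final stage should sit on a minimal base, package caches must be cleaned in the same layer, and the runtime stage must not install "just in case" tools or build toolchains (which belong in a builder stage). The tool lists and the name fragments it treats as "minimal" are this example's own heuristics, not a standard; both Dockerfiles it audits are constructed inline, the second being the post's multi-stage example used as input.

```python
"""Static audit of a Dockerfile against the 'quiet burden' rules (example code)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Tools the post names as "just in case" (curl, ping, nano), extended with a few
# common equivalents. The extension is this example's assumption, not the post's.
JUST_IN_CASE_TOOLS = {"curl", "wget", "ping", "iputils-ping", "nano", "vim", "vi",
                      "netcat", "netcat-openbsd", "nc", "telnet", "openssh-client"}
# Build toolchains that belong in a builder stage, never in the runtime image.
BUILD_TOOLS = {"gcc", "g++", "make", "build-essential", "go", "cmake", "clang"}
# Image-name fragments this example treats as "minimal" (heuristic, assumed).
MINIMAL_MARKERS = ("alpine", "distroless", "slim", "scratch", "dhi")


@dataclass
class Finding:
    line: int      # line where the offending instruction starts
    rule: str
    message: str


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, instruction), joining backslash continuations and
    skipping comments and blank lines."""
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        if not buf:
            if not line:
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def _tag_of(image: str):
    """Return the tag of an image reference, 'digest' if pinned by @sha256, or None."""
    if "@" in image:
        return "digest"
    name = image.split("/")[-1]          # ignore registry:port prefixes
    return name.split(":", 1)[1] if ":" in name else None


def _installed_packages(run_cmd: str) -> Tuple[List[str], List[str]]:
    """Extract packages installed by apk/apt in one RUN, plus cache-hygiene problems."""
    pkgs: List[str] = []
    problems: List[str] = []
    for seg in re.split(r"&&|\|\||;", run_cmd):
        toks = seg.split()
        if not toks:
            continue
        if toks[0] == "apk" and "add" in toks:
            pkgs += [t.split("=")[0] for t in toks[toks.index("add") + 1:] if not t.startswith("-")]
            if "--no-cache" not in toks:
                problems.append("apk add without --no-cache keeps the package index in the layer")
        elif toks[0] in ("apt-get", "apt") and "install" in toks:
            pkgs += [t.split("=")[0] for t in toks[toks.index("install") + 1:] if not t.startswith("-")]
            if "--no-install-recommends" not in toks:
                problems.append("apt install without --no-install-recommends pulls in recommended extras")
            if "/var/lib/apt/lists" not in run_cmd:
                problems.append("apt package lists are not removed in the same RUN layer")
    return pkgs, problems


def audit_dockerfile(text: str) -> List[Finding]:
    """Return findings for every stage's base pin and for the final stage's contents."""
    findings: List[Finding] = []
    stages: List[dict] = []   # one dict per FROM: line, image, RUN instructions
    for n, instr in _logical_lines(text):
        parts = instr.split()
        keyword = parts[0].upper()
        if keyword == "FROM":
            image = next(p for p in parts[1:] if not p.startswith("--"))  # skip --platform
            stages.append({"line": n, "image": image, "runs": []})
        elif keyword == "RUN" and stages:
            stages[-1]["runs"].append((n, instr[3:].strip()))
    if not stages:
        return [Finding(0, "no-from", "no FROM instruction found")]
    for st in stages:
        tag = _tag_of(st["image"])
        if tag is None or tag == "latest":
            findings.append(Finding(st["line"], "unpinned-base",
                            f"{st['image']} is not pinned; use an explicit tag or digest"))
    final = stages[-1]
    if not any(m in final["image"].lower() for m in MINIMAL_MARKERS):
        findings.append(Finding(final["line"], "minimal-base",
                        f"final stage builds on {final['image']}; prefer a distroless, slim, Alpine or DHI base"))
    for n, cmd in final["runs"]:
        pkgs, problems = _installed_packages(cmd)
        findings += [Finding(n, "package-cache", p) for p in problems]
        noisy = sorted(set(pkgs) & JUST_IN_CASE_TOOLS)
        if noisy:
            findings.append(Finding(n, "just-in-case-tool",
                            f"runtime image installs {', '.join(noisy)}; drop unless absolutely needed"))
        build = sorted(set(pkgs) & BUILD_TOOLS)
        if build:
            hint = ("move them to a builder stage of a multi-stage build" if len(stages) == 1
                    else "they belong in the builder stage, not the final one")
            findings.append(Finding(n, "build-tools-in-runtime",
                            f"runtime image installs {', '.join(build)}; {hint}"))
    return findings


# Constructed sample input: a single-stage image carrying far too much.
NOISY_DOCKERFILE = """\
FROM python:latest
RUN apt-get update && apt-get install -y gcc curl nano \\
    && pip install -r requirements.txt
COPY app/ /app/
CMD ["python", "/app/main.py"]
"""

# The post's multi-stage example, used here as the "quiet" input.
QUIET_DOCKERFILE = """\
FROM golang:1.21-alpine AS builder
WORKDIR /src
COPY . .
RUN go build -o /usr/local/bin/myapp ./cmd/
FROM alpine:3.19
COPY --from=builder /usr/local/bin/myapp /usr/local/bin/myapp
CMD ["/usr/local/bin/myapp"]
"""

if __name__ == "__main__":
    for label, df in (("noisy", NOISY_DOCKERFILE), ("quiet", QUIET_DOCKERFILE)):
        print(f"== {label} ==")
        for f in audit_dockerfile(df) or [Finding(0, "ok", "no findings")]:
            print(f"  line {f.line}: [{f.rule}] {f.message}")
```

Run it as a script to see both reports; the noisy Dockerfile trips every rule on its first two lines, while the post's multi-stage build passes cleanly. The checker only reads the Dockerfile, so it complements rather than replaces a scanner run against the built image.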
A quiet image behaves like a quiet traveler: harder to detect, harder to exploit, and far more resilient.
Teaser for Day 7 — Deeper into the Dark
Tomorrow, Gord and Rothütle leave Oberried behind and step into the true forest — where light thins, shadows thicken, and Gord prepares her blade with a ritual Rothütle has never seen.
And something watches them from between the pines.