Scaling out Distroless adoption With AI
Distroless adoption at Grab
Grab is migrating from heavy base images to Distroless images to reduce security risks. By limiting each container to the application and its runtime dependencies, we shed non-essential binaries and associated Common Vulnerabilities and Exposures (CVEs).
This migration is more than a compliance mandate; it is a strategic security decision to build a more resilient environment.
Why Distroless requires rigorous testing
Distroless adoption risk: Runtime failure
Shifting to Distroless images introduces a critical technical risk: Runtime Failure. A service might build perfectly in Continuous Integration (CI), but fail at the deployment stage due to:
- Missing shared objects: Binaries might require specific libraries (.so files) present in Ubuntu but absent in Distroless.
- Implicit links: Third-party tools might expect specific system utilities or directory structures.
Testing is required to ensure two things:
- The service spins up with the correct configuration.
- All runtime dependencies remain intact.
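The missing-shared-object failure described above can be caught before deployment by comparing what the binary loads against what the target image ships. The sketch below is an added example, not Grab's tooling: it assumes `ldd` output captured in the Ubuntu-based build stage and a one-path-per-line file listing of the Distroless image's root filesystem (for instance from `tar -tf` on an exported filesystem). The function names and sample data are constructed for illustration, and matching is by soname in the default loader directories only, so RPATH, `LD_LIBRARY_PATH` and `dlopen`-loaded libraries are out of scope.

```python
import posixpath
import re

# ldd line shapes: "libssl.so.3 => /lib/.../libssl.so.3 (0x...)", "libfoo.so.1 => not found",
# and the loader by absolute path: "/lib64/ld-linux-x86-64.so.2 (0x...)".
LDD_LINE = re.compile(
    r"^\s*(?P<name>\S+)(?:\s+=>\s+(?P<target>not found|\S+))?(?:\s+\(0x[0-9a-f]+\))?\s*$")
# Assumption: default loader search directories, relative to the image root.
LIB_DIRS = ("lib/", "lib64/", "usr/lib/", "usr/lib64/", "usr/local/lib/")

def needed_libraries(ldd_output):
    """Return the set of sonames the binary loads at start-up."""
    needed = set()
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        # Skip unparsed lines ("statically linked") and the kernel-provided vDSO.
        if not m or m["name"].startswith(("linux-vdso", "linux-gate")):
            continue
        needed.add(posixpath.basename(m["name"]))
    return needed

def missing_in_image(ldd_output, image_listing):
    """Sonames the binary needs that no loader directory in the target image provides."""
    present = set()
    for raw in image_listing.splitlines():
        path = raw.strip().lstrip("./")
        if path.startswith(LIB_DIRS) and not path.endswith("/"):
            present.add(posixpath.basename(path))
    return sorted(needed_libraries(ldd_output) - present)

# Constructed sample: ldd output captured in an Ubuntu-based build stage.
LDD_SAMPLE = """\
\tlinux-vdso.so.1 (0x00007ffd4a5f2000)
\tlibssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f2b6c400000)
\tlibxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f2b6c200000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b6c000000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2b6c800000)
"""
# Constructed sample: file listing of the target image's root filesystem.
IMAGE_SAMPLE = """\
./etc/passwd
./lib64/ld-linux-x86-64.so.2
./usr/lib/x86_64-linux-gnu/libc.so.6
./usr/lib/x86_64-linux-gnu/libssl.so.3
./app/service
"""

if __name__ == "__main__":
    for soname in missing_in_image(LDD_SAMPLE, IMAGE_SAMPLE):
        print(f"missing from target image: {soname}")
```

A non-empty result is a reason to fail the CI job before the image reaches deployment; an empty result does not replace the start-up test, since it says nothing about configuration or implicit tool dependencies.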