How would you reduce the attack surface of a container image you're shipping to production?

technical-conceptual · Junior level · cloud-devops-security

What the interviewer is really asking

Check whether the candidate knows the practical image-hardening levers — minimal/distroless base images, vulnerability scanning in CI, pinned and trusted base images, no secrets or build tooling in the final image — rather than treating the image as just a package format.

What to say

What to avoid

Example answers

Strong: I moved our Go service from a full Debian base to a distroless image and a multi-stage build: the builder stage compiled the binary, and the final stage was a minimal runtime with no shell or package manager. That alone dropped the Trivy CVE count dramatically, and there was no /bin/sh for an attacker to drop into if they got code execution.

Weak: I'd use the standard ubuntu:latest base and install whatever I need; the image being a bit big is fine, it just takes longer to download.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.