Distroless images contain only the application and its runtime dependencies. They do not contain package managers, shells or any other programs we would expect to find in a standard Linux distribution.

Restricting what's in your runtime container to precisely what your application needs is a best practice employed by Google and other tech giants that have run containers in production for many years. It improves the signal-to-noise ratio of scanners (e.g. CVE scanners) and reduces the burden of establishing provenance to just the components you actually ship.

Read more here: https://github.com/GoogleContainerTools/distroless

Google Distroless Images

Overview

Google provides distroless base images for most of the leading programming languages and platforms.

Unified Agent Scan

To scan Google Distroless images, simply run the Unified Agent in Docker mode.

CentOS/RPM-based Dependencies

Overview

WhiteSource identifies CentOS and RPM-based dependencies by checking which packages are recorded in the /var/lib/yum/yumdb/ folder. Therefore, for WhiteSource to scan containers built from distroless images that contain CentOS or RPM-based dependencies, those dependencies must be recorded in an identical format in the /var/lib/yum/yumdb/ folder of the container created from the distroless image as well.
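Because the scan only sees what the yumdb folder records, a useful pre-scan check is to unpack the image's root filesystem and list the packages that folder would yield. The script below is an added example, not WhiteSource's or Google's code. It assumes yum's standard yumdb layout (/var/lib/yum/yumdb/<letter>/<sha256>-<name>-<version>-<release>-<arch>/) and builds a constructed sample rootfs so it runs offline; the checksums in the sample are placeholders, not real package ids.

```shell
#!/bin/sh
# Added example: list the RPM packages a yumdb-based scan would find in an
# unpacked container root filesystem (not WhiteSource's own code).
# Assumed layout: <rootfs>/var/lib/yum/yumdb/<letter>/<sha256>-<name>-<ver>-<rel>-<arch>/
set -eu

YUMDB_REL_PATH="var/lib/yum/yumdb"

# yumdb_present ROOTFS -> exit 0 if the yumdb folder exists and holds at least one package entry
yumdb_present() {
    fs="$1"
    [ -d "$fs/$YUMDB_REL_PATH" ] || return 1
    for d in "$fs/$YUMDB_REL_PATH"/*/*; do
        [ -d "$d" ] && return 0
    done
    return 1
}

# list_yumdb_packages ROOTFS -> one "name<TAB>version<TAB>release<TAB>arch" line per package, sorted
list_yumdb_packages() {
    fs="$1"
    for d in "$fs/$YUMDB_REL_PATH"/*/*; do
        [ -d "$d" ] || continue
        entry="${d##*/}"          # <checksum>-<name>-<version>-<release>-<arch>
        nvra="${entry#*-}"        # drop the leading checksum (first dash-delimited token)
        arch="${nvra##*-}"        # peel fields from the right: arch, release, version ...
        rest="${nvra%-*}"
        release="${rest##*-}"
        rest="${rest%-*}"
        version="${rest##*-}"
        name="${rest%-*}"         # ... so package names containing dashes stay intact
        printf '%s\t%s\t%s\t%s\n' "$name" "$version" "$release" "$arch"
    done | sort
}

# count_yumdb_packages ROOTFS -> number of package entries found
count_yumdb_packages() {
    list_yumdb_packages "$1" | wc -l | tr -d ' '
}

# make_sample_rootfs DIR -> constructed sample yumdb with three packages (placeholder checksums)
make_sample_rootfs() {
    base="$1/$YUMDB_REL_PATH"
    mkdir -p "$base/b/0000000000000000000000000000000000000000000000000000000000000001-bash-4.2.46-34.el7-x86_64"
    mkdir -p "$base/g/0000000000000000000000000000000000000000000000000000000000000002-glibc-common-2.17-317.el7-x86_64"
    mkdir -p "$base/o/0000000000000000000000000000000000000000000000000000000000000003-openssl-libs-1.0.2k-19.el7-x86_64"
}

# Demo on the constructed rootfs. For a real image, unpack it instead, e.g.:
#   docker export "$(docker create IMAGE)" | tar -xC "$demo_root"
demo_root="$(mktemp -d)"
make_sample_rootfs "$demo_root"
if yumdb_present "$demo_root"; then
    list_yumdb_packages "$demo_root"
else
    echo "no yumdb entries found: an RPM-based scan of this image would report no packages" >&2
fi
```

If `yumdb_present` fails on an image built from a distroless base, the RPM-based dependencies were installed without carrying the yumdb records over, and the scan will not report them even though the libraries are present in the filesystem.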

Step by Step Guide

For WhiteSource to scan your distroless images with CentOS-based dependencies, follow the steps detailed below and add the necessary commands to your Dockerfile. Each step contains a snippet from an example Dockerfile, which may need to be modified to match your specific environment.
NOTE: The <dependency_list> parameter in steps 3 and 4 should be replaced with a space-delimited list of dependencies.

...