Question 11
Domain 5: Supply Chain Security
A security team wants to minimize a container image's attack surface for a production service while still including only the application and its runtime dependencies. Which base image approach best fits this goal?
Correct answer: A
Explanation
Distroless images are designed to reduce image footprint and attack surface by including only the application and required runtime components, unlike fuller distribution-based images. Scratch is even more minimal, but it provides no runtime components at all. — cks_syllabus.txt
Why each option is right or wrong
A. Use a distroless base image that contains the application and required runtime dependencies only.
The stated goal is to keep only the application and its runtime dependencies while minimizing attack surface. Among the listed base image approaches, distroless most directly matches that requirement because it excludes a full distribution userland but is not as empty as scratch.
B. Use a scratch base image because it includes a minimal Linux userland for production workloads.
Scratch provides an empty base image, not a minimal Linux userland with runtime components.
C. Use an Ubuntu base image because a general-purpose distribution is the smallest secure production option.
Ubuntu is a general-purpose distribution base, not the smallest option for minimizing image footprint.
D. Use an Alpine base image because it is equivalent to distroless and excludes runtime packages by design.
Alpine is a small distribution base image, not equivalent to distroless and not limited to app-only runtime contents.