Security scan fails on distroless image due to error


You encounter the following compliance issue when a third-party security tool scans the image:

"ca-certificates must be root owned, readonly and non-executable"

Distroless images contain only the application and its runtime dependencies. They do not contain package managers, shells, or any other programs you would expect to find in a standard Linux distribution, so you cannot run a chmod command inside the image (for example, chmod 444 /etc/ssl/certs/ca-certificates.crt) to change the mode of /etc/ssl/certs/ca-certificates.crt and clear these checks.


  • Distroless images
  • Google Kubernetes Engine system workloads


By default, /etc/ssl/certs/ca-certificates.crt is owned by root and has mode 644 (root has write access), as it does in the debian:10 and ubuntu:latest images. The distroless images carry the file with the same ownership and mode, which is what the scanner flags.

To satisfy this particular compliance check, use a Docker multi-stage build: copy the file from the distroless image into a stage based on an image that has a shell, run chmod 444 on it there, then start a final stage from the distroless image and copy the read-only file back over the original. The result is a new baseline image on which you build your application.

The following Dockerfile rewrites /etc/ssl/certs/ca-certificates.crt with read-only (444) permissions:

# Stage 1: the distroless image whose scan fails. The image reference is
# missing from this page; substitute the image you are scanning.
FROM <distroless-image> as origin

# Stage 2: a throwaway stage that has a shell, used only to run chmod.
FROM debian:10 as shelltmp
COPY --from=origin /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt
RUN chmod 444 /tmp/ca-certificates.crt

# Stage 3: start again from the distroless image and overwrite the CA bundle
# with the read-only copy. COPY keeps the 444 mode and sets the owner to root.
FROM origin
COPY --from=shelltmp /tmp/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
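Because the rebuilt image still has no shell, you cannot confirm the new mode with ls inside the container; export the container filesystem and inspect the tar entry from the host instead. The check below is an added example and is not part of the original page: it reads a docker export tarball and reports whether etc/ssl/certs/ca-certificates.crt is root-owned, read-only and non-executable, the three conditions in the scanner message. The script name check_cert_perms.py and the in-memory tarballs produced by build_rootfs() are assumptions made for the example.

```python
"""Verify the CA bundle's ownership and mode in an exported container
filesystem (added example; not from the original page).

Distroless images have no shell, so the file is inspected from the host:
    docker create --name tmp <rebuilt-image>
    docker export tmp > rootfs.tar
    docker rm tmp
    python3 check_cert_perms.py rootfs.tar
The tarballs built by build_rootfs() below are constructed test data so the
check can be exercised offline.
"""
from __future__ import annotations

import io
import sys
import tarfile

# Path as it appears in a `docker export` tarball (no leading slash).
CERT_PATH = "etc/ssl/certs/ca-certificates.crt"


def normalize(name: str) -> str:
    """Strip the './' or '/' prefix some tar writers add to entry names."""
    if name.startswith("./"):
        name = name[2:]
    return name.lstrip("/")


def check_cert(tar_bytes: bytes) -> list[str]:
    """Return compliance findings for the CA bundle; an empty list means the
    file is root-owned (uid 0, gid 0), read-only and non-executable."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        member = next((m for m in tar.getmembers() if normalize(m.name) == CERT_PATH), None)
    if member is None:
        return [f"{CERT_PATH} not found in image filesystem"]

    findings = []
    if member.issym() or member.islnk():
        # The scanner checks the bundle itself; a link defers the answer to its target.
        findings.append(f"{CERT_PATH} is a link to {member.linkname}; check the target")
    if member.uid != 0 or member.gid != 0:
        findings.append(f"owner is {member.uid}:{member.gid}, expected 0:0 (root)")
    mode = member.mode & 0o777
    if mode & 0o222:
        findings.append(f"mode {mode:04o} is writable, expected read-only")
    if mode & 0o111:
        findings.append(f"mode {mode:04o} is executable, expected non-executable")
    return findings


def build_rootfs(mode: int, uid: int = 0, gid: int = 0) -> bytes:
    """Constructed test data: a one-file tarball that mimics a `docker export`
    of an image whose CA bundle has the given mode and owner."""
    payload = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(CERT_PATH)
        info.size = len(payload)
        info.mode = mode
        info.uid, info.gid = uid, gid
        info.uname = "root" if uid == 0 else "nonroot"
        info.gname = "root" if gid == 0 else "nonroot"
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def main(argv: list[str]) -> int:
    """CLI entry point: exit 0 when the tarball's CA bundle is compliant."""
    if len(argv) != 2:
        print(f"usage: {argv[0]} rootfs.tar", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        findings = check_cert(fh.read())
    for finding in findings:
        print(f"FAIL: {finding}")
    if not findings:
        print(f"OK: {CERT_PATH} is root-owned, read-only and non-executable")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the exported filesystem of the rebuilt image; an unmodified distroless image reports the 644 mode as writable, and the image built from the Dockerfile above reports OK. If you build with BuildKit, COPY --from=origin --chmod=444 sets the mode in a single step and the debian:10 stage becomes unnecessary; the classic builder does not support --chmod, which is why the multi-stage approach above is the portable one.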