I have been using the distroless Docker base images to package my applications, mainly since I want slim and simple image without unnecessary cruft. However, they are based on Debian, and Debian is unfortunately not so diligent to fix serious security issues as other distributions like Ubuntu or Alpine. If you scan a distroless image with the grype tool, you get this result: $ grype gcr.io/distroless/java17-debian11 NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY libharfbuzz0b 2.