
Dockerize Go: Scratch Images, Zero Dependencies, Tiny Attack Surface

Go compiles to a single static binary — which means your production container can be literally empty except for your executable. We build Go Dockerfiles that produce scratch or distroless images under 20 MB with zero OS-level CVEs, because there is no OS to scan.

Need this done for your project?

We implement, you ship. Async, documented, done in days.


Why Dockerize Go

Go produces statically linked binaries, which makes it the ideal language for minimal containers. Yet many teams still ship Go apps on golang:latest — a 1.2 GB image packed with compilers and tools you will never use in production.

A properly containerized Go service runs on scratch or gcr.io/distroless/static, weighs 10-20 MB, has no shell to exploit, and starts in milliseconds. The security audit writes itself.

Our Docker Implementation for Go

Two-stage build optimized for static compilation:

  • Build stage: FROM golang:1.22-alpine AS builder — sets CGO_ENABLED=0 GOOS=linux GOARCH=amd64, runs go mod download first for layer caching, then go build -ldflags='-s -w' -o /app ./cmd/server. The -s -w flags strip debug info, shaving 30% off binary size.
  • Runtime stage: FROM scratch — copies the binary, a /etc/passwd file for the non-root user, and CA certificates from the builder (COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/). Sets USER 65534 (nobody).

If the app needs timezone data or DNS resolution, we swap to gcr.io/distroless/static-debian12 instead of scratch. The Compose config includes a health check against the app's /healthz endpoint, run either from a sidecar or through Docker's built-in HEALTHCHECK with a tiny static binary, since a scratch image has no shell or curl for the check to call.
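
The two-stage build described above, written out as an added example (not Anubiz Engineering's own Dockerfile). It assumes go.mod and go.sum at the repository root, a hypothetical ./cmd/healthcheck package that requests /healthz and exits non-zero on failure, and port 8080; none of these come from the page.

```dockerfile
# ---- Build stage ----
FROM golang:1.22-alpine AS builder

# Make sure the CA bundle exists for the COPY in the runtime stage.
RUN apk add --no-cache ca-certificates

# Pure-Go static build: no libc is needed in the final image.
ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
WORKDIR /src

# Dependency layer: rebuilt only when go.mod or go.sum change.
COPY go.mod go.sum ./
RUN go mod download

COPY . .
RUN go build -ldflags='-s -w' -o /app ./cmd/server
# Assumption: ./cmd/healthcheck is a hypothetical helper in this repo that
# GETs /healthz on localhost and exits 1 on any error or non-200 status.
RUN go build -ldflags='-s -w' -o /healthcheck ./cmd/healthcheck

# Minimal passwd/group so UID 65534 resolves to "nobody" inside scratch.
RUN echo 'nobody:x:65534:65534:nobody:/:/sbin/nologin' > /tmp/passwd \
 && echo 'nobody:x:65534:' > /tmp/group

# ---- Runtime stage ----
FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /tmp/passwd /etc/passwd
COPY --from=builder /tmp/group /etc/group
COPY --from=builder /app /app
COPY --from=builder /healthcheck /healthcheck

# Numeric UID:GID so the runtime can verify non-root without a user lookup.
USER 65534:65534
EXPOSE 8080

# Exec form is required here: scratch has no /bin/sh for the shell form.
HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD ["/healthcheck"]
ENTRYPOINT ["/app"]
```

An image scan of this result reports no OS packages, so vulnerabilities in the Go standard library and the modules compiled into /app have to be checked separately, for example with govulncheck.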

What You Get

  • Multi-stage Dockerfile producing 10-20 MB images
  • Scratch or distroless base — zero OS-level CVEs
  • docker-compose.yml with health checks and restart policies
  • Build caching with go mod download layer separation
  • Makefile targets for local build, test, and container build
  • CI pipeline with Go module cache and Docker layer cache

Why Anubiz Engineering

  • 100% async — no calls, no meetings
  • Delivered in days, not weeks
  • Full documentation included
  • Production-grade from day one
  • Security-first approach
  • Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.