Description
Proposal
Currently, the postgres_exporter image is based on a standard Linux distribution (Debian/Alpine), which often results in a large number of reported vulnerabilities during container scans. The proposal is to switch the base image to a distroless variant and compile the exporter statically with CGO=0.
The distroless images contain far fewer packages, minimizing vulnerability exposure. Even if the installed packages cannot be exploited, they raise false positives that require documentation/exceptions, which creates toil. The image could be tagged as a -distroless variant if there are concerns about backward compatibility with tools like kubectl exec.
Use case
In regulated environments (e.g. financial services, FedRAMP, or healthcare), container images are scanned for CVEs before deployment. The current postgres_exporter images frequently trigger policy violations due to vulnerabilities in the base OS packages, even though they are unrelated to the exporter itself.
Switching to a statically compiled binary in a distroless image would allow teams to deploy postgres_exporter without requiring custom image rebuilds or vulnerability suppression workflows, making adoption much smoother and more secure.
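As an added illustration of the proposal (not the project's own Dockerfile), the multi-stage build below compiles the exporter statically with CGO disabled and copies only the resulting binary into a distroless static image. It assumes the Go module lives at the repository root with the main package under ./cmd/postgres_exporter, and the golang:1.22 and distroless tags are assumptions; the builder stage also checks that the binary really has no dynamic dependencies before it is shipped.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a fully static binary (no libc dependency).
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 removes the libc dependency; -trimpath and -s -w shrink the binary.
# Path to the main package is an assumption for this example.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
      -o /out/postgres_exporter ./cmd/postgres_exporter
# Sanity check while a shell is still available: ldd must report the binary
# as static, otherwise the distroless image (no libc) would fail at runtime.
RUN ldd /out/postgres_exporter 2>&1 \
      | grep -Eq "not a dynamic executable|statically linked"

# Stage 2: distroless static image: no shell, no package manager, non-root user.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/postgres_exporter /bin/postgres_exporter
# Default listen port of postgres_exporter.
EXPOSE 9187
USER nonroot:nonroot
ENTRYPOINT ["/bin/postgres_exporter"]
```

Because the final image contains no shell, `kubectl exec` into the container will fail; troubleshooting is done with `kubectl debug` and an ephemeral container instead.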