A Python image contains the CPython runtime, the standard library, pip/wheel tooling, preinstalled SSL/TLS root certificates and locale data, and the shared libraries required for compiled extension modules (glibc or musl variants). Images are commonly delivered with a runtime layer plus optional build-stage artifacts (compilers, headers) for building wheels.
In containerized production use it serves as the runtime for WSGI/ASGI servers, task queues, batch workers, data pipelines, ML inference services and CLI utilities. Typical practices include running containers as non-root, using multi-stage builds to separate build-time dependencies, and pinning image digests for reproducible deployments.
A hardened Python image is evaluated in regulated or security-sensitive environments because it reduces attack surface, removes unnecessary tooling, applies patched libraries and runtime mitigations, and supports stricter provenance, signing and vulnerability-scanning requirements.
The Minimus Python image differs from typical Python container images by being built from scratch with only the essential runtime components and a minimal OS layer, which reduces the overall footprint and attack surface. Because it includes fewer packages and services, it is faster to pull and start, uses less disk and memory, and is easier to maintain and audit for engineers responsible for runtime security.
The Minimus hardened Python image is additionally configured to industry hardening standards—such as NIST SP 800-190 and CIS Benchmarks—applying secure defaults, strict permissioning, and a streamlined package set to limit exploitable vectors. These images emphasize reproducible builds, minimal runtime privileges, and maintenance practices (patching and CVE triage) that align with enterprise security requirements.
A Python image is a container image with the Python runtime and typical tooling, ready to run Python applications without manual setup.
Official images are published by the Python community and Docker, with variants such as python:3.11-slim or python:3.11-alpine that balance size and capabilities. You can extend them with your application code in a Dockerfile.
For production workflows, consider a hardened Python image that minimizes surface area, reduces packages, and enables security scanning and non-root execution.
FROM python:3.11-slim
WORKDIR /app
COPY . .
RUN pip install -r requirements.txt
CMD ["python","app.py"]
Pillow is a Python library for opening, manipulating, and saving many image file formats. It adds image handling capabilities to Python, enabling rich image workflows such as resizing, cropping, filtering, drawing, and format conversion.
In container deployments, Pillow is commonly installed in a Python environment to perform image processing at runtime or during builds, for tasks like generating thumbnails or processing user uploads. Use a hardened Python image for security-conscious deployments.
from PIL import Image
Image.open("input.jpg").resize((300, 300)).save("output.jpg")
In Python you don't directly 'code' a container image; you build one from a Dockerfile or via the Docker SDK. A typical workflow is to start from a Python-based image, install dependencies, and package your app.
from docker import from_env
client = from_env()
image, logs = client.images.build(path=".", tag="myapp:latest")
container = client.containers.run("myapp:latest", detach=True)
For a hardened Python image, use a minimal base, a non-root user, and clean build artifacts.
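A small check for the practices named above (digest-pinned base, multi-stage build, non-root user), as an added example that is not Minimus or Docker code. `audit` is a hypothetical helper with made-up finding labels, and the hardened Dockerfile and its all-zero digest are constructed sample input.

```python
import re

DIGEST = "sha256:" + "0" * 64  # constructed placeholder, not a real image digest

# The page's basic Dockerfile, reproduced as sample input.
BASIC = """FROM python:3.11-slim
WORKDIR /app
COPY . .
RUN pip install -r requirements.txt
CMD ["python","app.py"]
"""

# Constructed hardened variant: pinned base, multi-stage build, non-root user.
HARDENED = f"""FROM python:3.11-slim@{DIGEST} AS build
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

FROM python:3.11-slim@{DIGEST}
WORKDIR /app
COPY --from=build /install /usr/local
COPY . .
USER 10001:10001
CMD ["python","app.py"]
"""

def audit(dockerfile: str) -> list[str]:
    """Return findings; an absent USER in the final stage is treated as root."""
    findings, stage_names, user, pip_in_stage = [], set(), None, False
    text = re.sub(r"\\\r?\n", " ", dockerfile)  # join line continuations
    for line in map(str.strip, text.splitlines()):
        # Blank lines and comments match none of the instructions below.
        instr, _, arg = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            user, pip_in_stage = None, False  # each stage starts fresh
            tokens = [t for t in arg.split() if not t.startswith("--")]
            image = tokens[0]
            external = image != "scratch" and image not in stage_names
            if external and not re.search(r"@sha256:[0-9a-f]{64}$", image):
                findings.append(f"unpinned-base: {image}")
            stage_names.update(tokens[2:])  # stage name after AS, if any
        elif instr == "USER":
            user = arg.split(":")[0].strip()
        elif instr == "RUN" and re.search(r"\bpip3?\s+install\b", arg):
            pip_in_stage = True
    if user in (None, "root", "0"):
        findings.append("root-user: final stage has no non-root USER")
    if pip_in_stage:
        findings.append("build-in-runtime: pip install runs in the final stage")
    return findings
```

Only the final stage is judged for USER and pip, since earlier stages do not ship. A base image that already defaults to a non-root user will still be reported unless the Dockerfile sets USER explicitly.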