---Hardened Containerization via scratch | Panovista

Hardened Containerization via SCRATCH

Many enterprise container deployments are plagued by a massive, hidden attack surface: Base Image Vulnerabilities. When an application is bundled into a generic container base (like Ubuntu, Debian, or even Alpine Linux), it inherits hundreds of operating system utilities, shell binaries, and package managers that the application never actually uses.

If an AI agent suffers a severe prompt injection attack that attempts to achieve Remote Code Execution (RCE) on the proxy layer, attackers typically exploit these unnecessary OS tools (like curl, bash, or tar) to perform privilege escalation or execute lateral movement.

Panovista eliminates this entire vector by compiling its Go binary to run inside an absolute minimalist environment: an empty scratch container image.


What is a “scratch” Container?

In Docker, scratch is an explicitly empty image. It contains zero files, zero folders, zero package managers, and absolutely no shell environment.

Our build pipeline compiles the Panovista proxy code down into a single, statically-linked, self-executing Go binary. We then drop that solitary file directly into the empty scratch frame alongside the root SSL certificates required for outbound TLS handshakes.

The Panovista Architecture

# Sneak peek at the Panovista deployment image layout
FROM scratch

# Inject only the compiled binary and root SSL certs for TLS handshakes
COPY panovista-proxy /panovista-proxy
COPY ca-certificates.crt /etc/ssl/certs/

# Expose the local MCP routing port
EXPOSE 4321

ENTRYPOINT ["/panovista-proxy"]

Security Benefits of an Empty Base Image

Deploying an AI firewall should never introduce new vulnerabilities into your cluster. By utilizing a scratch base, Panovista fundamentally alters the security posture of your deployment:

The Attack Surface Comparison

Security Vector Standard Alpine/Ubuntu Image Panovista scratch Image
Shell Access (/bin/sh) Present (Vulnerable to RCE payloads) Non-existent (RCE payloads fail instantly)
Package Managers (apt) Present (Attackers can download malware) Non-existent (No way to install tools)
Vulnerability Scanners Dozens of upstream OS CVEs Zero Findings (No OS to scan)
File System Mutable by default Read-Only / Stateless

Even if an attacker somehow bypasses the Model Context Protocol (MCP) authentication layer and attempts to break out of the Panovista sandbox, they are trapped in a void. They cannot download an external exploit, they cannot read sensitive environment variables, and they cannot launch a reverse shell.