diff --git a/CHANGES.md b/CHANGES.md
index c63464a6e01e0..bb1dd5a117a40 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -82,6 +82,7 @@
 ## Security Fixes
 * Fixed (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Java/Python/Go) ([#X](https://github.com/apache/beam/issues/X)).
+* Go SDK base container image moved to distroless/base-nossl-debian12, reducing vulnerable container surface to kernel and glibc ([#30011](https://github.com/apache/beam/pull/30011)).
 ## Known Issues
diff --git a/sdks/go/container/Dockerfile b/sdks/go/container/Dockerfile
index 7f1884cfb719d..b3b2fbbec3a97 100644
--- a/sdks/go/container/Dockerfile
+++ b/sdks/go/container/Dockerfile
@@ -16,20 +16,12 @@
 # limitations under the License.
 ###############################################################################
-FROM debian:bookworm
+FROM gcr.io/distroless/base-nossl-debian12:latest
 LABEL Author "Apache Beam "
 ARG TARGETOS
 ARG TARGETARCH
-ARG pull_licenses
-
-RUN apt-get update && \
- DEBIAN_FRONTEND=noninteractive apt-get install -y \
- ca-certificates \
- && \
- rm -rf /var/lib/apt/lists/*
-
 ADD target/${TARGETOS}_${TARGETARCH}/boot /opt/apache/beam/
 COPY target/LICENSE /opt/apache/beam/
@@ -37,9 +29,4 @@ COPY target/NOTICE /opt/apache/beam/
 # Add Go licenses.
 COPY target/go-licenses/* /opt/apache/beam/third_party_licenses/golang/
-RUN if [ "$pull_licenses" = "false" ] ; then \
- # Remove above golang license and dir if pull licenses false
- rm -rf /opt/apache/beam/third_party_licenses ; \
- fi
-
 ENTRYPOINT ["/opt/apache/beam/boot"]
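Review bot: The new `FROM gcr.io/distroless/base-nossl-debian12:latest` line in the first Dockerfile hunk tracks a mutable tag, so two builds of the same commit can ship different base layers, and a changed upstream image reaches the SDK container without any change in this repository. Pinning the base by digest keeps it reproducible and reviewable, for example `FROM gcr.io/distroless/base-nossl-debian12@sha256:<digest-of-reviewed-image>` (placeholder digest), with a scheduled bump to pick up patched bases. No `USER` instruction is visible in either Dockerfile hunk, so the container presumably still starts `boot` as root. If the boot loader does not need root, the `nonroot` tag of the same distroless image would remove that as well, and a short comment above `FROM` such as `# distroless: no shell or package manager, so RUN steps are not available in this image` would explain to later editors why the `RUN` steps were dropped.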