The question asks for two items to incorporate into building a secure container image. Based on container security best practices and the community consensus (with BC receiving 100% agreement and high upvotes):

• B: Package a single app as a container is optimal because it follows the principle of least functionality, reducing the attack surface by isolating applications.
• C: Remove any unnecessary tools not needed by the app is crucial for minimizing vulnerabilities, as extraneous software can introduce security risks.

Other options are less suitable:

• A: Ensure that the app does not run as PID 1 is incorrect; Google's best practices state that running as PID 1 is acceptable if signal handlers are properly implemented, and it is not a primary security measure for image builds.
• D: Use public container images as a base image is risky due to potential vulnerabilities in public images; trusted or minimal base images are preferred.
• E: Use many container image layers to hide sensitive information is ineffective and against best practices, as layers are immutable and sensitive data may still be accessible in earlier layers.