In this article we focus on the Docker container security aspects of building a Docker image: reducing the number of security vulnerabilities introduced by Docker base images, as well as Dockerfile security best practices. By Liran Tal and Omer Levi Hevroni.
Docker security refers to the build, runtime, and orchestration aspects of Docker containers. It includes the Dockerfile security aspects of Docker base images, as well as the Docker container security runtime aspects—such as user privileges, Docker daemon, proper CPU controls for a container, and further concerns around the orchestration of Docker containers at scale.
Let’s get started with our list of 10 Docker security best practices:
- Prefer minimal base images
- Least privileged user
- Sign and verify images to mitigate MITM attacks
- Find, fix and monitor for open source vulnerabilities
- Don’t leak sensitive information to Docker images
- Use multi-stage builds
- Use Docker secret commands
- Use fixed tags for immutability
- Use COPY instead of ADD
Docker defaults to running containers as the root user. When that user namespace is mapped to the root user in the running container, a process inside the container potentially has root access on the Docker host.
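As an added example (not code from the original article), the following Python script lints a Dockerfile for several of the build-time practices listed above: a pinned base image tag or digest instead of `:latest`, `COPY` instead of `ADD`, no secret-looking `ENV`/`ARG` values baked into layers, and a non-root `USER` so the container does not run as root by default. The sample Dockerfile is constructed for the demonstration.

```python
"""Lint a Dockerfile for the Docker image build practices listed above."""

import re

# Constructed sample Dockerfile (hypothetical) that violates several practices.
SAMPLE_DOCKERFILE = """\
FROM node:latest
ADD app.tar.gz /app
ENV API_KEY=supersecret
RUN npm install
CMD ["node", "/app/server.js"]
"""

# Variable names that suggest a credential is being written into an image layer.
SECRET_NAMES = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def is_pinned(image):
    """True if the image reference carries a digest or a fixed tag (not :latest)."""
    if "@sha256:" in image:
        return True
    _name, sep, tag = image.rpartition(":")
    # A colon inside the registry host (registry:5000/img) is not a tag.
    return bool(sep) and "/" not in tag and tag != "latest"


def parse(text):
    """Yield (INSTRUCTION, argument) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def lint(text):
    """Return a list of human-readable findings for the given Dockerfile text."""
    findings = []
    last_user = None
    for instr, arg in parse(text):
        if instr == "FROM":
            # Skip flags such as --platform and the "AS stage" alias.
            image = next(t for t in arg.split() if not t.startswith("--"))
            if not is_pinned(image):
                findings.append(f"FROM {image}: pin a fixed tag or digest, not :latest")
        elif instr == "ADD":
            findings.append(f"ADD {arg}: prefer COPY; ADD fetches URLs and unpacks archives")
        elif instr in ("ENV", "ARG") and SECRET_NAMES.search(arg):
            findings.append(f"{instr} {arg.split('=')[0]}: secret baked into image layers")
        elif instr == "USER":
            last_user = arg.strip()
    if last_user in (None, "root", "0"):
        findings.append("no non-root USER: processes run as root by default")
    return findings
```

Running `lint(SAMPLE_DOCKERFILE)` reports four findings for the sample; a Dockerfile with a pinned base, `COPY`, and a final non-root `USER` produces none.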
We liked: Use an alpha feature in Docker for managing secrets to mount sensitive files without caching them. Excellent!