Docker Security Best Practices
DevOps · Intermediate · Docker, Security, Containerization, DevSecOps · 5 min read
Docker container security: image scanning, rootless containers, read-only filesystems and runtime security.
Image Security
- Use minimal base images (Alpine, Distroless): fewer packages means fewer CVEs to patch and fewer tools (shell, package manager, curl) for an attacker who lands inside the container.
- Pin versions: node:20.11.1-alpine3.19, not :latest. A tag can be re-pushed with different content; for a truly immutable reference pin the digest as well (image@sha256:...).
- Scan images: trivy image myapp:latest. Run the scan in CI and fail the build on HIGH/CRITICAL findings (trivy image --exit-code 1 --severity HIGH,CRITICAL), so a vulnerable image never reaches the registry.
- Multi-stage builds: no build tools (compilers, npm, package managers) in the production image; only the built artefact is copied into the final stage.
- Sign images: Cosign / Notary, and verify the signature at deploy time. A signature that nothing checks protects nothing.
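The list above combined in one Dockerfile, as an added example that is not from the original page: an exact-tag-pinned Alpine image does the build, and only the result is copied into a Distroless runtime image that has no shell or package manager and already runs as a non-root user (uid 65532). The application files package.json, package-lock.json and server.js are assumed to exist in the build context.

```dockerfile
# syntax=docker/dockerfile:1

# ---- build stage: full toolchain, never shipped to production ----
# Pinned to an exact tag (not :latest). For a fully immutable reference,
# append the digest: node:20.11.1-alpine3.19@sha256:<digest>, which you get
# from `docker buildx imagetools inspect node:20.11.1-alpine3.19`.
FROM node:20.11.1-alpine3.19 AS build
WORKDIR /src
# Install exactly what the lockfile says; npm ci fails if package.json
# and package-lock.json disagree, so a tampered lockfile breaks the build.
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
COPY . .

# ---- runtime stage: Distroless, no shell, no package manager, non-root ----
# The :nonroot tag runs as uid 65532; `docker exec sh` has nothing to execute.
FROM gcr.io/distroless/nodejs20-debian12:nonroot
WORKDIR /app
# Copy the built tree from the previous stage, owned by the non-root user.
COPY --from=build --chown=65532:65532 /src /app
# Port above 1024, so no NET_BIND_SERVICE capability is ever needed.
EXPOSE 3000
# Distroless node images set `node` as the entrypoint; only the script is given.
CMD ["server.js"]
```

Build with docker build -t myapp:1.0.0 ., then gate on trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:1.0.0 before pushing, and sign the pushed digest rather than the tag (cosign sign registry/myapp@sha256:...), since the digest is what the cluster should verify.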
Rootless Containers
Two different things go by the name "rootless". The first, shown here, is running the process inside the container as an unprivileged user, so that a compromise of the application does not start as uid 0 (which is root on the host as well unless user namespaces are in use). The second is rootless mode of the Docker daemon itself (dockerd-rootless-setuptool.sh), which takes root away from the daemon. The two are complementary; do both where you can.

# Dockerfile
FROM node:20-alpine
# Create a non-root user with a fixed UID/GID, so Kubernetes can match it below
RUN addgroup -g 1001 -S app && adduser -S app -u 1001 -G app
WORKDIR /app
# Application files are owned by the app user, not root
COPY --chown=app:app . .
# Switch to non-root for everything that follows, including the running process
USER app
EXPOSE 3000
CMD ["node", "server.js"]

# Kubernetes (container securityContext)
securityContext:
  runAsNonRoot: true               # the kubelet refuses to start the container as uid 0
  runAsUser: 1001                  # overrides the image USER; keep it equal to the UID created above so file ownership matches
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false  # setuid binaries cannot gain privileges
  capabilities:
    drop: [ALL]
Runtime Security
- Read-only filesystem: readOnlyRootFilesystem: true. Mount an emptyDir on the paths the process genuinely writes (/tmp, caches); otherwise the application fails at runtime and someone turns the setting off.
- Drop capabilities: capabilities: { drop: [ALL] }. Listen on a port above 1024 so NET_BIND_SERVICE is not needed; add back a single capability only with a written justification.
- Seccomp profiles: restrict syscalls. Start with seccompProfile: { type: RuntimeDefault }; a tighter custom profile should be generated from the syscalls the application actually makes, not written by hand.
- AppArmor/SELinux: mandatory access control, confining what the process may touch on the host even if it escapes the container's namespaces.
- Resource limits: always set CPU and memory limits, so one compromised or runaway container cannot starve the rest of the node.
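The securityContext fragment from the Rootless Containers section and the runtime controls listed above, combined into one complete Pod manifest together with the namespace label that makes Kubernetes reject pods lacking them (Pod Security Admission, "restricted" profile). This is an added example, not code from the original page; the namespace name prod, the image myapp:1.0.0 and port 3000 are assumptions, and the UID 1001 is the one the Dockerfile above creates.

```yaml
# Pod Security Admission: the "restricted" profile rejects any pod in this
# namespace that runs as root, keeps capabilities, allows privilege escalation
# or has no seccomp profile. Namespace name "prod" is assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: prod
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  namespace: prod
spec:
  automountServiceAccountToken: false   # no API credential in the pod unless the app needs one
  securityContext:                      # pod level: applies to every container
    runAsNonRoot: true
    runAsUser: 1001                     # same UID the Dockerfile created
    runAsGroup: 1001
    fsGroup: 1001                       # mounted volumes are writable for this group
    seccompProfile:
      type: RuntimeDefault              # the container runtime's default syscall allow-list
  containers:
    - name: app
      image: myapp:1.0.0                # assumed; in production pin by digest (myapp@sha256:...)
      ports:
        - containerPort: 3000           # above 1024, so NET_BIND_SERVICE is not needed
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        requests:
          cpu: 250m
          memory: 256Mi
        limits:                         # a compromised container cannot starve the node
          cpu: "1"
          memory: 512Mi
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # the only writable path in the container
  volumes:
    - name: tmp
      emptyDir:
        sizeLimit: 64Mi                 # bounded, so /tmp cannot be used to fill the node's disk
```

Apply with kubectl apply -f, then check the read-only root filesystem with kubectl exec myapp -- touch /etc/x, which must fail. Pod Security Admission enforces the securityContext fields but not resources; add a LimitRange or ResourceQuota to the namespace so pods without limits are refused too.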
Summary
Docker security is a layered defense: minimal image, non-root user, read-only filesystem and runtime restrictions. Scan in CI, enforce in K8s.