
Container Security — Trivy, Falco

27. 01. 2025 1 min read intermediate

Containers are not magically secure. Vulnerable base images, processes running as root, secrets in environment variables: these are the common mistakes.

Image scanning

Trivy

```bash
trivy image myapp:latest
trivy image --severity HIGH,CRITICAL nginx:latest
```
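In a pipeline you do not read the scan by eye: `trivy image --format json --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 myapp:latest` fails the build on its own. The following added example (not from the original post or from the Trivy project) reproduces that gate in Python so the filtering logic is visible: parse a report in the shape of `trivy image --format json`, keep only findings at or above a severity threshold, optionally drop those with no fixed version yet, and return a non-zero exit code when anything remains. The report, the package versions and the `CVE-EXAMPLE-*` identifiers are constructed placeholders, not real advisories.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in the shape of `trivy image --format json`; the CVE ids,
# packages and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myapp:latest",
    "Results": [
        {
            "Target": "myapp:latest (alpine 3.19.1)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.1.4-r0", "FixedVersion": "3.1.4-r1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.36.1-r0", "Severity": "HIGH"},  # no fix yet
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.3-r0", "FixedVersion": "1.3.1-r0",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "express",
                 "InstalledVersion": "4.17.1", "FixedVersion": "4.19.2",
                 "Severity": "HIGH"},
            ],
        },
        # Targets without findings come back with a null or missing Vulnerabilities key
        {"Target": "Node.js", "Class": "lang-pkgs", "Vulnerabilities": None},
    ],
})

CLEAN_REPORT = json.dumps({"ArtifactName": "scratch-app:1.0", "Results": []})


def findings(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return vulnerabilities at or above min_severity, mirroring the CLI's
    `--severity ...` and `--ignore-unfixed` options. Sorted worst-first."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion"),
                "severity": severity,
                "target": result.get("Target"),
            })
    hits.sort(key=lambda h: -SEVERITY_RANK[h["severity"]])
    return hits


def gate(report_json, min_severity="HIGH", ignore_unfixed=False):
    """CI gate: return (exit_code, report_lines). A non-zero code blocks the
    pipeline, which is what `--exit-code 1` does on the real CLI."""
    hits = findings(report_json, min_severity, ignore_unfixed)
    lines = [f"{h['severity']:<8} {h['id']:<18} {h['pkg']} {h['installed']}"
             f" -> {h['fixed'] or 'no fix available'} ({h['target']})" for h in hits]
    return (1 if hits else 0), lines


if __name__ == "__main__":
    code, lines = gate(SAMPLE_REPORT, ignore_unfixed=True)
    print("\n".join(lines) or "no findings")
    raise SystemExit(code)
```

`ignore_unfixed=True` is the usual compromise for a blocking gate: a HIGH with no fix available cannot be remediated by rebuilding, so it is reported elsewhere rather than failing every build until upstream ships a patch. Keep a separate non-blocking scan that reports everything, so unfixed findings are not forgotten.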

Secure Dockerfile

```Dockerfile
# Build stage: install production dependencies, then copy in the application source
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

# Runtime stage: distroless image (no shell, no package manager), non-root user.
# The distroless Node.js images are published with a Debian suffix in the tag.
FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=build /app /app
USER nonroot
EXPOSE 3000
# The distroless Node.js image's entrypoint is `node`, so CMD carries only the script
CMD ["server.js"]
```
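The mistakes named at the top of the post (root user, secrets in env, floating base image) are all visible in the Dockerfile text before anything is built, so they can be checked in code review or a pre-commit hook. The following added example (written for this page, not part of the original post or of any linter project) parses a Dockerfile into stages, checks only the final stage for `USER`, credential-looking `ENV`/`ARG` names and `ADD`, and flags untagged or `:latest` base images in every stage. The two Dockerfiles it audits are constructed here; the secret-name pattern and the `nonroot` image tag are assumptions for the example.

```python
import re

# Env/arg names that smell like credentials. A build should get these from
# `RUN --mount=type=secret` or at runtime, never from ENV/ARG (both land in
# image metadata and `docker history`).
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)

# Constructed samples: one with the common mistakes, one following the page's advice.
BAD_DOCKERFILE = """\
FROM node
WORKDIR /app
COPY . .
RUN npm install
ENV NODE_ENV=production DB_PASSWORD=hunter2
ADD config.tar.gz /etc/app/
CMD ["node", "server.js"]
"""

GOOD_DOCKERFILE = """\
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

FROM gcr.io/distroless/nodejs20-debian12:nonroot
WORKDIR /app
COPY --from=build /app /app
USER nonroot
EXPOSE 3000
CMD ["server.js"]
"""


def parse_dockerfile(text):
    """Return (INSTRUCTION, args) pairs; drops comments and joins `\\` continuations."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        name, _, args = buf.partition(" ")
        instructions.append((name.upper(), args.strip()))
        buf = ""
    return instructions


def split_stages(instructions):
    """Group instructions by FROM, one list per build stage."""
    stages = []
    for instr in instructions:
        if instr[0] == "FROM":
            stages.append([instr])
        elif stages:
            stages[-1].append(instr)
    return stages


def env_keys(args):
    """Variable names from `ENV K=v K2=v2` or the legacy `ENV K v` form."""
    if "=" in args.split()[0]:
        return re.findall(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=", args)
    return [args.split()[0]]


def audit_dockerfile(text):
    """Return a list of findings; an empty list means the file passed these checks."""
    stages = split_stages(parse_dockerfile(text))
    if not stages:
        return ["no FROM instruction"]
    findings, stage_names = [], set()
    for n, stage in enumerate(stages, 1):
        from_args = stage[0][1].split()
        image = from_args[0]
        if len(from_args) == 3 and from_args[1].upper() == "AS":
            stage_names.add(from_args[2])
        # Accept a digest pin (@sha256:...) or an explicit tag on the last path component;
        # references to an earlier stage by name are not images and are skipped.
        if image not in stage_names and "@" not in image and ":" not in image.split("/")[-1]:
            findings.append(f"stage {n}: base image '{image}' is untagged (floats to :latest)")
        elif image.endswith(":latest"):
            findings.append(f"stage {n}: base image '{image}' uses :latest, which is not a pin")
    # Only the final stage is shipped, so USER/ENV/ADD are judged there.
    user = None
    for name, args in stages[-1]:
        if name == "USER":
            user = args
        elif name in ("ENV", "ARG"):
            for key in env_keys(args):
                if SECRET_NAME_RE.search(key):
                    findings.append(f"{name} {key}: secret baked into image metadata")
        elif name == "ADD":
            findings.append("ADD used; prefer COPY (ADD auto-extracts archives and fetches URLs)")
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root (no USER, or USER root)")
    return findings
```

`USER` only in a build stage does not count, because that stage is discarded; the check deliberately looks at the last `USER` of the final stage, which is what the running container inherits.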

Runtime security — Falco

Falco rule: detecting a shell in a container

```yaml
# `container` is the macro from Falco's default rule set (container.id != host);
# load this file alongside the default rules or define the macro yourself.
- rule: Shell in container
  desc: A shell process was started inside a container
  condition: container and proc.name in (bash, sh, zsh)
  output: "Shell started in container (user=%user.name container=%container.name)"
  priority: WARNING
```
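As written, the rule fires on every `sh` that a container starts, including the `docker-entrypoint.sh`-style wrappers many official images use, so the first thing an operator does with it is tune out the noise. The following added example (not part of the original post or of the Falco project) mirrors the rule's condition and output template in Python and runs it over constructed events carrying the Falco fields it reads (`container.id`, `proc.name`, `user.name`, `proc.tty`), next to a tightened variant that additionally requires a controlling terminal (`proc.tty != 0`), which is the distinction Falco's own shipped rules draw between a script and an interactive `exec -it`. The container ids, names and tty numbers are made up; the `%field` expansion is a minimal stand-in for Falco's output formatting.

```python
import re

SHELLS = ("bash", "sh", "zsh")


def is_container(ev):
    # Falco's default `container` macro: container.id != host
    return ev["container.id"] != "host"


def shell_in_container(ev):
    # The page's rule: container and proc.name in (bash, sh, zsh)
    return is_container(ev) and ev["proc.name"] in SHELLS


def interactive_shell_in_container(ev):
    # Tightened variant: only shells attached to a tty (docker/kubectl exec -it),
    # so a shell-script entrypoint with no terminal does not fire.
    return shell_in_container(ev) and ev["proc.tty"] != 0


RULES = {
    "Shell in container": {
        "condition": shell_in_container,
        "output": "Shell started in container (user=%user.name container=%container.name)",
        "priority": "WARNING",
    },
    "Interactive shell in container": {
        "condition": interactive_shell_in_container,
        "output": "Interactive shell in container (user=%user.name container=%container.name tty=%proc.tty)",
        "priority": "WARNING",
    },
}

# Constructed execve events with the fields the rules read (values are made up).
EVENTS = [
    # admin shell on the host itself: not a container, must not fire
    {"container.id": "host", "container.name": "host",
     "proc.name": "bash", "user.name": "ops", "proc.tty": 34816},
    # entrypoint wrapper script, no terminal
    {"container.id": "3f2a1c9d4e5b", "container.name": "api",
     "proc.name": "sh", "user.name": "root", "proc.tty": 0},
    # the application process
    {"container.id": "3f2a1c9d4e5b", "container.name": "api",
     "proc.name": "node", "user.name": "nonroot", "proc.tty": 0},
    # someone ran `kubectl exec -it api -- sh`
    {"container.id": "3f2a1c9d4e5b", "container.name": "api",
     "proc.name": "sh", "user.name": "root", "proc.tty": 34816},
    {"container.id": "9e8d7c6b5a4f", "container.name": "worker",
     "proc.name": "zsh", "user.name": "nonroot", "proc.tty": 34817},
]


def render(template, ev):
    """Expand %field.name placeholders the way Falco's output string does."""
    return re.sub(r"%([a-z_.]+)", lambda m: str(ev.get(m.group(1), "<NA>")), template)


def evaluate(rule_name, events=EVENTS):
    """Return one alert line per event matching the named rule."""
    rule = RULES[rule_name]
    return [f"{rule['priority']} {rule_name}: {render(rule['output'], ev)}"
            for ev in events if rule["condition"](ev)]


if __name__ == "__main__":
    for name in RULES:
        for alert in evaluate(name):
            print(alert)
```

The page's rule produces three alerts on these events (the entrypoint script, the interactive `sh`, and the `zsh`); the tty-aware variant produces two and keeps the entrypoint quiet. In production you would also exempt known-good parent processes rather than widening the shell list, and keep the alert at WARNING until the false-positive rate is understood.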

Key Takeaway

Distroless or alpine base images, a non-root user, multi-stage builds. Scan your images, monitor the runtime.

Tags: security, docker, containers, trivy, falco

CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience in enterprise IT.