Containers are not magically secure. Vulnerable base images, processes running as root and secrets passed in environment variables are the common mistakes.
## Image scanning

### Trivy

Scan your own image, or a public one restricted to the severities you care about (the flag is `--severity`, two dashes; the page's single dash is a typographic artifact):

```bash
trivy image myapp:latest
trivy image --severity HIGH,CRITICAL nginx:latest
```
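In CI you usually want the result as data rather than a terminal table, so the job can fail on fixable HIGH/CRITICAL findings while still reporting the unfixed ones. The following is an added example, not code from the original page or from the Trivy project: it reads the JSON that `trivy image --format json -o report.json myapp:latest` writes and applies that policy. The embedded report is constructed (field names follow Trivy's JSON schema, the vulnerability IDs are placeholders, not real CVEs).

```python
import json
import sys

# Constructed sample shaped like `trivy image --format json` output.
# Vulnerability IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myapp:latest",
    "Results": [
        {
            "Target": "myapp:latest (alpine 3.19.1)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
                 "InstalledVersion": "3.1.4-r5", "FixedVersion": "3.1.4-r6",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.36.1-r15",
                 "Severity": "HIGH"},            # no FixedVersion: unfixed upstream
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.3-r2", "FixedVersion": "1.3.1-r0",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "semver",
                 "InstalledVersion": "7.3.8", "FixedVersion": "7.5.2",
                 "Severity": "HIGH"},
            ],
        },
        # A clean target has no "Vulnerabilities" key at all.
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg"},
    ],
})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def gate(report_json, min_severity="HIGH", ignore_unfixed=True):
    """Return {"pass": bool, "blocking": [...], "unfixed": [...]} for a Trivy JSON report.

    Equivalent in spirit to `trivy image --exit-code 1 --severity HIGH,CRITICAL
    --ignore-unfixed`, but as data you can attach to a pull request or dashboard.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_ORDER.index(min_severity)
    blocking, unfixed = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_ORDER.index(vuln.get("Severity", "UNKNOWN")) < threshold:
                continue
            finding = {
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln["Severity"],
                "target": result.get("Target"),
            }
            if finding["fixed"] is None:
                # Nothing to upgrade to yet: report it, block only if asked.
                unfixed.append(finding)
                if not ignore_unfixed:
                    blocking.append(finding)
            else:
                blocking.append(finding)
    return {"pass": not blocking, "blocking": blocking, "unfixed": unfixed}


if __name__ == "__main__":
    # Usage: python gate.py [report.json]; falls back to the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    verdict = gate(data)
    for f in verdict["blocking"]:
        print(f"BLOCK {f['severity']:8} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['target']})")
    for f in verdict["unfixed"]:
        print(f"INFO  {f['severity']:8} {f['id']} {f['pkg']} {f['installed']} (no fix yet)")
    sys.exit(0 if verdict["pass"] else 1)
```

Ignoring unfixed findings keeps the gate actionable (a failure always means "upgrade this package"), but they still need to be tracked, which is why the function returns them separately instead of dropping them.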
## Secure Dockerfile

Multi-stage build: dependencies are installed in a full Node image, and only the result is copied into a distroless runtime image that has no shell or package manager and runs as a non-root user. The original listing had the flags garbled (`–only`, `–from`, smart quotes) and never copied the application source into the build stage, so the `server.js` it started did not exist; both are fixed here. The distroless image is referenced by its published name (`nodejs20-debian12`) and its `nonroot` tag; pinning by `@sha256:` digest is stronger still.

```dockerfile
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
# --omit=dev is the current spelling of the deprecated --only=production
RUN npm ci --omit=dev
COPY . .

FROM gcr.io/distroless/nodejs20-debian12:nonroot
WORKDIR /app
COPY --from=build /app /app
# The :nonroot tag already sets this; kept explicit so a base-image change cannot silently drop it
USER nonroot
EXPOSE 3000
# The distroless entrypoint is node itself, so CMD is just the script path
CMD ["/app/server.js"]
```
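The three properties above (pinned base image, no secrets in `ENV`/`ARG`, final stage not running as root) are easy to lose in a later commit, so they are worth checking mechanically in CI. Below is an added example of such a check, not code from the original page or any existing linter; it parses a Dockerfile and reports violations. The two Dockerfiles embedded in it are constructed samples: one following the pattern above, one with the common mistakes. The secret-key regex is an assumption; extend it to match your own naming.

```python
import re
import shlex

# Variable names that should never be baked into an image (assumed list; extend it).
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)

# Constructed samples, not from any real project.
HARDENED = """\
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

FROM gcr.io/distroless/nodejs20-debian12:nonroot
WORKDIR /app
COPY --from=build /app /app
USER nonroot
EXPOSE 3000
CMD ["/app/server.js"]
"""

INSECURE = """\
FROM node:latest
ENV DB_PASSWORD=hunter2 \\
    NODE_ENV=production
WORKDIR /app
COPY . .
RUN npm install
CMD ["node", "server.js"]
"""


def instructions(text):
    """Yield (INSTRUCTION, args) pairs; comments dropped, line continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        instr, _, args = buf.partition(" ")
        yield instr.upper(), args.strip()
        buf = ""


def base_image_is_pinned(image):
    """True for a digest, `scratch`, or an explicit tag other than `latest`."""
    if "@sha256:" in image or image == "scratch":
        return True
    _name, sep, tag = image.rpartition(":")
    # A ':' left of the last '/' is a registry port (localhost:5000/app), not a tag.
    if not sep or "/" in tag:
        return False
    return tag != "latest"


def check_dockerfile(text):
    """Return a list of (code, detail) findings; an empty list means the file passes."""
    findings = []
    stage_names = set()
    final_user = None
    for instr, args in instructions(text):
        if instr == "FROM":
            parts = [p for p in args.split() if not p.startswith("--")]  # drop --platform=
            image = parts[0]
            if len(parts) >= 3 and parts[1].upper() == "AS":
                stage_names.add(parts[2])
            final_user = None  # every stage starts as root again; only the last one matters
            if image not in stage_names and not base_image_is_pinned(image):
                findings.append(("unpinned-base-image", image))
        elif instr == "USER":
            final_user = args.split(":")[0]  # "user:group" -> user
        elif instr in ("ENV", "ARG"):
            tokens = shlex.split(args)
            if not tokens:
                continue
            if "=" in tokens[0]:
                pairs = [t.split("=", 1) for t in tokens if "=" in t]
            else:
                pairs = [(tokens[0], " ".join(tokens[1:]))]  # legacy `ENV KEY value` form
            for key, value in pairs:
                # ENV persists into the image config (visible via docker inspect);
                # ARG only leaks when a secret-looking default is baked into the file.
                if SECRET_KEY_RE.search(key) and (instr == "ENV" or value):
                    findings.append((f"secret-in-{instr.lower()}", key))
    if final_user is None or final_user in ("root", "0"):
        findings.append(("root-final-stage", final_user or "no USER instruction"))
    return findings


if __name__ == "__main__":
    for name, text in (("HARDENED", HARDENED), ("INSECURE", INSECURE)):
        print(name, check_dockerfile(text) or "OK")
```

The check requires an explicit `USER` in the final stage even when the base image tag (such as distroless `:nonroot`) already sets one, which is deliberate: the Dockerfile should not depend on a property of a tag that can change. The tag check only rejects missing or `latest` tags; a digest pin is what actually makes the base image immutable.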
## Runtime security with Falco

### Falco rule: detecting a shell in a container

The original rule had only `container and proc.name in (...)` as its condition, which matches every syscall the shell makes rather than the moment it is launched, so it fires continuously. The `spawned_process` guard limits it to process execution. Both macros are part of Falco's default rule set and are repeated here only so the file loads on its own with `falco -r shell-in-container.yaml`.

```yaml
- macro: container
  condition: container.id != host

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- rule: Shell in container
  desc: A shell was started inside a container
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, ash, dash)
  output: >
    Shell started in container (user=%user.name container=%container.name
    image=%container.image.repository cmdline=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, shell]
```

Trigger it with `docker exec -it <container> sh` and watch the Falco log; the `parent` and `cmdline` fields are what let you tell an operator's `docker exec` from a shell spawned by the application process itself.
## Key takeaway

Use distroless or alpine images, a non-root user and multi-stage builds. Scan images before they ship and monitor what runs at runtime.
Tags: security, docker, containers, trivy, falco