Know-How
Container Security — Trivy, Falco
Containers are not magically secure. Vulnerable base images, processes running as root, and secrets passed in environment variables are common mistakes.
Image scanning
```bash
# Trivy: scan an image for known vulnerabilities in OS and application packages
trivy image myapp:latest
# Only report HIGH and CRITICAL findings
trivy image --severity HIGH,CRITICAL nginx:latest
# CI gate: non-zero exit code when HIGH/CRITICAL findings exist
trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest
```
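The scan output is what a CI job has to act on. As an added example (not code from the original page or from the Trivy project), this Python gate reads Trivy's JSON report (`trivy image -f json -o report.json myapp:latest`) and applies the same threshold as `--severity HIGH,CRITICAL`, with an optional ignore-unfixed mode; the report below is constructed sample data with placeholder CVE ids, not a real scan result.

```python
import json
from collections import Counter

# Constructed sample of Trivy's JSON output (trivy image -f json ...), trimmed
# to the fields the gate reads; not a real scan, CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp:latest",
    "Results": [
        {"Target": "myapp:latest (alpine 3.18.4)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
             "InstalledVersion": "3.1.3-r0", "FixedVersion": "3.1.4-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
             "InstalledVersion": "1.36.1-r2", "FixedVersion": "",
             "Severity": "CRITICAL"}]},
        {"Target": "app/package-lock.json", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "semver",
             "InstalledVersion": "7.3.5", "FixedVersion": "7.5.2",
             "Severity": "MEDIUM"}]},
        # Targets with nothing found carry no "Vulnerabilities" key at all
        {"Target": "Node.js", "Type": "node-pkg"},
    ],
})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def findings(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Vulnerabilities at or above min_severity, mirroring the CLI's
    --severity filter and, when ignore_unfixed is set, --ignore-unfixed."""
    threshold = SEVERITY_ORDER.index(min_severity)
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_ORDER.index(vuln.get("Severity", "UNKNOWN")) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # skip until a patched package version exists
            hits.append({**vuln, "Target": result["Target"]})
    return hits

def gate(report_json, min_severity="HIGH", ignore_unfixed=False):
    """CI gate like `trivy image --exit-code 1`: (exit code, count per severity)."""
    hits = findings(report_json, min_severity, ignore_unfixed)
    return (1 if hits else 0), dict(Counter(v["Severity"] for v in hits))

if __name__ == "__main__":
    code, summary = gate(SAMPLE_REPORT, ignore_unfixed=True)
    print(f"exit={code} {summary}")
```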
Secure Dockerfile
```dockerfile
# Build stage: full Node image with npm; nothing from it ships except /app
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev   # --only=production is deprecated in current npm
COPY . .                # application source (server.js) was missing from the build stage

# Runtime stage: distroless (no shell, no package manager), non-root user.
# Image tag is nodejs20-debian12; the entrypoint is already `node`.
FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=build /app /app
USER nonroot
EXPOSE 3000
CMD ["server.js"]
```
Runtime security — Falco
```yaml
# Falco rule: detect a shell spawned inside a container
- rule: Shell in container
  desc: A shell binary was executed inside a container
  # Match only the process spawn (exit of execve), not every later syscall,
  # and use container.id != host instead of the default-ruleset `container` macro
  condition: >
    evt.type in (execve, execveat) and evt.dir = <
    and container.id != host
    and proc.name in (bash, sh, zsh)
  output: "Shell started in container (user=%user.name container=%container.name cmdline=%proc.cmdline)"
  priority: WARNING
```
Key takeaway
Distroless or alpine images, a non-root user, multi-stage builds. Scan images, monitor the runtime.