
Docker Security Basics

Running containers securely is critical, especially in production. This chapter introduces fundamental security practices to protect your applications and host.

1. Do Not Run as Root

Containers run as root by default. If a container running as root is compromised, the attacker could harm the host. Create a non‑root user in your Dockerfile and switch to it:
FROM node:18-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser

2. Keep Images Minimal

Smaller images contain fewer packages, so they have fewer vulnerabilities. Avoid including package managers (like apt) in production images if they are not needed.

3. Scan Images for Vulnerabilities

Use tools like Docker Scout or Trivy to scan images:
docker scout cves myimage:latest

4. Use Secrets Management, Not Environment Variables

Environment variables are visible in docker inspect output and in logs. Use Docker secrets (in Swarm) or an external secret store (like HashiCorp Vault) for sensitive data.

5. Limit Container Capabilities

Drop unnecessary Linux capabilities. For example, run with --cap-drop=ALL and add only what's needed:
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp

6. Use Read‑Only Root Filesystem

Make the container's root filesystem read‑only to prevent tampering:
docker run --read-only myapp
If the app needs to write, mount a volume for writable directories.
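
To check running containers against sections 1, 4, 5 and 6, the following added example (not part of the original tutorial) audits the JSON that docker inspect prints. The container names, the sample data and the secret-name pattern are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE_INSPECT = json.loads("""[
  {"Name": "/legacy-api",
   "Config": {"User": "", "Env": ["PATH=/usr/local/bin:/usr/bin", "DB_PASSWORD=example-only"]},
   "HostConfig": {"CapDrop": null, "CapAdd": null, "ReadonlyRootfs": false}},
  {"Name": "/hardened-web",
   "Config": {"User": "appuser", "Env": ["PATH=/usr/local/bin:/usr/bin", "PORT=8080"]},
   "HostConfig": {"CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"], "ReadonlyRootfs": true}}
]""")

# Assumption: variable names matching this pattern are treated as likely secrets.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)


def audit_container(info):
    """Return a list of findings for one `docker inspect` object."""
    findings = []
    config = info.get("Config") or {}
    host = info.get("HostConfig") or {}
    # Section 1: Config.User is empty when neither USER nor --user was set (root).
    user = (config.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root")
    # Section 4: report only the variable name, never its value.
    for entry in config.get("Env") or []:
        name = entry.split("=", 1)[0]
        if SECRET_NAME.search(name):
            findings.append(f"secret-like env var: {name}")
    # Section 5: capabilities should start from --cap-drop=ALL.
    dropped = {cap.upper() for cap in host.get("CapDrop") or []}
    if "ALL" not in dropped:
        findings.append("capabilities not dropped (no --cap-drop=ALL)")
    # Section 6: --read-only sets HostConfig.ReadonlyRootfs to true.
    if not host.get("ReadonlyRootfs", False):
        findings.append("root filesystem is writable")
    return findings


def audit(containers):
    """Map each container name to its list of findings."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no findings")
```

To audit real containers, save the output of docker inspect to a file and pass the parsed JSON list to audit() in place of the sample.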

7. Keep Docker Engine Updated

Regularly update Docker to get security patches.


Two Minute Drill
  • Run containers as a non‑root user.
  • Scan images for vulnerabilities.
  • Drop unnecessary capabilities and use a read‑only root filesystem.
  • Avoid storing secrets in environment variables.
  • Keep Docker updated and use minimal base images.
