Docker Security Best Practices

Security is a critical aspect when working with Docker containers. Since containers share the host OS kernel, misconfigurations can lead to vulnerabilities. In this lesson by Online Learner, you will learn how to secure Docker containers and images.

1. Use Official and Trusted Images

• Always use official images from Docker Hub.
• Avoid unknown or unverified images.
• Regularly update images to patch vulnerabilities.

2. Keep Images Small

• Use lightweight base images like alpine.
• Remove unnecessary packages and dependencies.
• Smaller images reduce attack surface.

3. Do Not Run Containers as Root

FROM node:18-alpine

# Create non-root user
RUN addgroup app && adduser -S -G app app

USER app

Running containers as non-root improves security.

4. Use .dockerignore File

Prevent sensitive files from being copied into images:

.git
node_modules
.env
logs

5. Limit Container Resources

docker run -d 
  --memory=512m 
  --cpus="1.0" 
  nginx

This prevents resource abuse and DoS attacks.

6. Use Read-Only File System

docker run --read-only nginx

7. Scan Images for Vulnerabilities

docker scan my-image

Use tools like Docker Scout, Trivy, or Clair.

8. Secure Secrets Management

• Do not hardcode secrets in Dockerfile.
• Use environment variables or secret managers.
• Use Docker Swarm secrets or cloud secret services.

9. Use Network Security

• Use custom networks instead of default bridge.
• Limit exposed ports using -p.
• Do not expose unnecessary services.

10. Keep Docker Updated

• Regularly update Docker engine and dependencies.
• Apply security patches frequently.

Summary

• Use trusted images and keep them updated.
• Avoid running containers as root.
• Limit resources and use read-only file systems.
• Secure secrets and scan images regularly.