With the growing adoption of public cloud services, Docker containers have become a popular way to develop and deploy new applications. The numbers back this up: Docker Index reported 11 billion pulls in July 2020 [1]. Docker gives developers an easy way to package, deploy and run their applications in a consistent manner. While the numbers prove the adoption, let's look at best practices for leveraging your container environment while keeping it secure.
By default, Docker executes the container process as the root user. If your service has no reason to run with root privileges, create a non-root user to minimize exposure. Switch to that user with the USER instruction in your Dockerfile. If the user does not already exist in the base image, don't forget to create it inside the Dockerfile first.
For example in an Ubuntu image, you can create a non-root user and execute as the user with the following:
# Create a system user (-r) with a home directory (-m) and a fixed UID.
# Note: -g root and -G sudo grant more than a least-privilege service needs;
# drop them unless your workload actually requires them.
RUN useradd -rm -d /home/nonroot -s /bin/bash -g root -G sudo -u 1001 nonroot
# Every following instruction, and the container's main process, runs as this user
USER nonroot
WORKDIR /home/nonroot
Trust is a real concern when pulling an image from a registry. To verify images before pulling, set the DOCKER_CONTENT_TRUST environment variable to 1. With it set, the Docker client refuses to pull or run images that are not signed, so users only work with signed images. Organizations can sign and verify their own images as part of their release process.
$ export DOCKER_CONTENT_TRUST=1
Minimal images are smaller and deploy faster, and they also present a smaller attack surface because fewer packages, binaries and libraries are exposed inside the container. Don't forget to use multi-stage builds and to remove the package manager cache to reduce the size further.
Docker Hub hosts over 7 million repositories [2]. With that many options, it is easy to pull a poorly written base image. To avoid unwanted consequences, it is important to use trusted, secure base images.
Unfortunately, vulnerabilities are widespread in pre-built Docker images. Using image scanning tools is highly recommended to quickly identify and fix them. Implement a policy that enforces frequent image scanning. With tools like Clair or Snyk you can integrate image scanning into your CI/CD pipeline.
You can also leverage Amazon ECR image scanning to scan your Docker container images against Common Vulnerabilities and Exposures (CVEs). You can check our previous blog post on Container Image Scanning with Amazon ECR to learn how to configure, assess and store image findings on AWS easily.
Avoid using the latest tag for your base image. As the image changes over time, the latest tag can introduce inconsistencies and breaking changes into your environment. Use the most specific version possible for the image. Also, pin fixed versions when installing packages with package managers so that your builds are deterministic.
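The practices above (pinned base image, non-root user, multi-stage build, pinned packages, cleaned cache) combined into one hardened Dockerfile. This is an added example, not code from the original post; the Go project layout, the image tags, the package version and the digest placeholder are assumptions for illustration.

```dockerfile
# Stage 1: build with a pinned base image tag (assumed toolchain version)
FROM golang:1.21-bookworm AS build
WORKDIR /src
COPY . .
# Static binary so the runtime image needs no Go toolchain (./cmd/app is a hypothetical path)
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

# Stage 2: minimal runtime image, pinned by digest rather than a mutable tag
# (replace the placeholder with the digest printed by `docker pull debian:bookworm-slim`)
FROM debian:bookworm-slim@sha256:PLACEHOLDER_DIGEST
# Pin the package version for deterministic builds and remove the apt cache
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates=20230311 \
 && rm -rf /var/lib/apt/lists/*
# Dedicated unprivileged user: system account, fixed UID, no home, no login shell, no sudo
RUN useradd --system --uid 10001 --no-create-home --shell /usr/sbin/nologin app
COPY --from=build /out/app /usr/local/bin/app
# Everything from here on, including the running container, is non-root
USER app
ENTRYPOINT ["/usr/local/bin/app"]
```

Build it with `docker build -t app:1.0.0 .` and confirm the process user with `docker run --rm app:1.0.0 id` (or `docker inspect` to check the configured User field).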
Ready to apply security best practices in your containerized environment? Book an Appointment now to identify and reduce your risks!
Burak is an AWS Certified Developer Associate and an experienced Software Engineer. Drawing on experience across a range of industries, including global technology companies, he pursues his passion for pushing boundaries to build excellent products and works through knowledge sharing and collaboration.