Docker Security Essentials
Secure Docker containers: run as non-root, use read-only filesystems, limit capabilities, scan images, and follow security best practices.
Detailed Explanation
Container Security Best Practices
Run as Non-Root
# In Dockerfile (Alpine/BusyBox syntax; Debian-based images use groupadd/useradd)
RUN addgroup -S app && adduser -S app -G app
# Every later instruction and the container's main process run as this user
USER app
# Override at runtime
docker run -u 1000:1000 my-app
Read-Only Filesystem
Prevent the container from writing to its root filesystem:
docker run --read-only my-app
# With writable temp directories
docker run --read-only --tmpfs /tmp --tmpfs /run my-app
Drop Capabilities
Linux capabilities give containers specific privileges. Drop all and add only what you need:
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE my-app
No New Privileges
Prevent processes in the container from gaining privileges through setuid/setgid binaries or file capabilities:
docker run --security-opt=no-new-privileges my-app
Resource Limits
Always set memory and CPU limits:
docker run --memory=256m --cpus=0.5 my-app
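To check that a running container actually carries the settings above, the following added example (not Docker's own tooling) audits the JSON that docker inspect prints against this checklist; the inspect records are constructed samples, and the set of capabilities tolerated after --cap-drop=ALL is an assumption.

```python
"""Audit `docker inspect <container>` output against the hardening checklist:
non-root user, read-only rootfs, dropped capabilities, no-new-privileges,
memory and CPU limits.  For real use: audit(json.load(sys.stdin)[0])."""
import json

CAPS_ALLOWLIST = {"NET_BIND_SERVICE"}  # assumption: the only capability we tolerate re-adding

def audit(container: dict) -> list[str]:
    """Return a list of findings; an empty list means the container passes."""
    cfg = container.get("Config", {})
    host = container.get("HostConfig", {})
    findings = []
    user = (cfg.get("User") or "").strip()
    # Empty user means the image default (root); "0", "root" and "0:<gid>" are root too.
    if user == "" or user.split(":")[0] in ("0", "root"):
        findings.append("runs as root (set USER in the Dockerfile or pass -u)")
    if host.get("Privileged"):
        findings.append("--privileged set; this disables most other controls")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (add --read-only, use --tmpfs for scratch dirs)")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped (add --cap-drop=ALL)")
    extra = {c.removeprefix("CAP_") for c in host.get("CapAdd") or []} - CAPS_ALLOWLIST
    if extra:
        findings.append(f"unexpected capabilities added: {sorted(extra)}")
    # inspect reports either "no-new-privileges" or "no-new-privileges:true"
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set (add --security-opt=no-new-privileges)")
    if not host.get("Memory"):
        findings.append("no memory limit (add --memory=...)")
    if not host.get("NanoCpus") and not host.get("CpuQuota"):
        findings.append("no CPU limit (add --cpus=...)")
    return findings

# Constructed sample: trimmed inspect record for
#   docker run --read-only --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
#     --security-opt=no-new-privileges --memory=256m --cpus=0.5 -u 1000:1000 my-app
HARDENED = json.loads("""{"Config": {"User": "1000:1000"},
 "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
  "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
  "SecurityOpt": ["no-new-privileges"], "Memory": 268435456, "NanoCpus": 500000000}}""")
# Constructed sample for a plain `docker run my-app`: every check except --privileged fails.
DEFAULT = json.loads("""{"Config": {"User": ""},
 "HostConfig": {"Privileged": false, "ReadonlyRootfs": false, "CapDrop": null,
  "CapAdd": null, "SecurityOpt": null, "Memory": 0, "NanoCpus": 0}}""")

if __name__ == "__main__":
    for name, record in (("hardened", HARDENED), ("default", DEFAULT)):
        print(name, "->", audit(record) or ["OK"])
```

A named USER such as "app" cannot be resolved to a uid without the image's /etc/passwd, so the audit only treats "", "0" and "root" as root.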
Network Security
# Disable inter-container communication on default bridge
docker network create --opt com.docker.network.bridge.enable_icc=false isolated
# Use internal networks for backend services
docker network create --internal backend
Image Scanning
# Docker Scout (built-in)
docker scout cves my-app:latest
# Attach SBOM and provenance attestations at build time (BuildKit) so the image can be scanned and verified later
docker build --sbom=true --provenance=true -t my-app .
Secrets Management
# Build secrets (not in image layers)
docker build --secret id=api_key,src=./api_key.txt .
# Runtime configuration via environment (acceptable only for non-sensitive values; env vars are visible in docker inspect)
docker run -e LOG_LEVEL=debug my-app
# For sensitive data, use Docker secrets (Swarm) or mount files read-only (bind mounts need an absolute host path)
docker run -v "$(pwd)/secrets/db_password:/run/secrets/db_password:ro" my-app
Use Case
Hardening production container deployments, meeting compliance requirements for container security, reducing the attack surface of containerized applications, and implementing defense-in-depth strategies.