Harden container images and runtime. Image scanning, minimal base, and supply chain security.

On this page

Docker Security Best Practices: Images, Runtime, and Supply Chain

Containers are a big attack surface. These practices reduce risk without slowing delivery.

1. Minimal and Updated Base Images #

Prefer distroless or Alpine; avoid full OS images when possible.
Pin tags by digest and rebuild regularly for CVEs.

dockerfile.dockerfile

FROM golang:1.21-alpine AS builder
# build...
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app /app
ENTRYPOINT ["/app"]

2. Non-Root and Read-Only #

Run as non-root (USER in Dockerfile; runAsNonRoot in Kubernetes).
Use read-only root filesystem where possible; mount writable dirs only when needed.

3. Image Scanning #

Scan in CI (e.g. Trivy, Snyk) and block critical/high CVEs.
Scan at runtime or in registry and alert on new findings.

4. Supply Chain #

Sign images (Cosign, Notary); verify in admission control.
Prefer private registries and pin base image digests.

Making these standard for every image and deployment significantly improves your security posture.

Docker Security Best Practices: Images, Runtime, and Supply Chain

Docker Security Best Practices: Images, Runtime, and Supply Chain

1. Minimal and Updated Base Images #

2. Non-Root and Read-Only #

3. Image Scanning #

4. Supply Chain #

Stay Updated

Systemd Tricks We Use to Keep Services Boring

Best Practices: Kernel and Package Patch Management

More from DevOps

Pipeline Observability — Why CI Failures Don't Trigger Alerts (And Should)

Burn-Rate Alerting — The SLO Discipline That Prevents Alert Fatigue

Supply Chain Security — SBOMs, Attestation, and What to Actually Verify

Pipeline Observability — Why CI Failures Don't Trigger Alerts (And Should)

Burn-Rate Alerting — The SLO Discipline That Prevents Alert Fatigue

Supply Chain Security — SBOMs, Attestation, and What to Actually Verify

Argo Rollouts — Progressive Delivery Beyond Argo CD

Container Resource Limits — What They Actually Do at the Kernel Level

Kubernetes Resource Requests — Right-Sizing Without Guessing

About Kiril Urbonas

You might have missed

AI Agents in DevOps: From Copilots to Autonomous Automation in 2025

Prompt Engineering Best Practices: Maximizing LLM Performance

Linux Performance Tuning for Containers and Kubernetes Nodes

Docker Security Best Practices: Images, Runtime, and Supply Chain

1. Minimal and Updated Base Images#

2. Non-Root and Read-Only#

3. Image Scanning#

4. Supply Chain#

Stay Updated

Systemd Tricks We Use to Keep Services Boring

Best Practices: Kernel and Package Patch Management

More from DevOps

Pipeline Observability — Why CI Failures Don't Trigger Alerts (And Should)

Burn-Rate Alerting — The SLO Discipline That Prevents Alert Fatigue

Supply Chain Security — SBOMs, Attestation, and What to Actually Verify

About Kiril Urbonas

You might have missed

AI Agents in DevOps: From Copilots to Autonomous Automation in 2025

Prompt Engineering Best Practices: Maximizing LLM Performance

Linux Performance Tuning for Containers and Kubernetes Nodes

1. Minimal and Updated Base Images #

2. Non-Root and Read-Only #

3. Image Scanning #

4. Supply Chain #