Harden container images and runtime. Image scanning, minimal base, and supply chain security.

On this page

Docker Security Best Practices: Images, Runtime, and Supply Chain

Containers are a big attack surface. These practices reduce risk without slowing delivery.

1. Minimal and Updated Base Images #

Prefer distroless or Alpine; avoid full OS images when possible.
Pin tags by digest and rebuild regularly for CVEs.

dockerfile.dockerfile

FROM golang:1.21-alpine AS builder
# build...
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app /app
ENTRYPOINT ["/app"]

2. Non-Root and Read-Only #

Run as non-root (USER in Dockerfile; runAsNonRoot in Kubernetes).
Use read-only root filesystem where possible; mount writable dirs only when needed.

3. Image Scanning #

Scan in CI (e.g. Trivy, Snyk) and block critical/high CVEs.
Scan at runtime or in registry and alert on new findings.

4. Supply Chain #

Sign images (Cosign, Notary); verify in admission control.
Prefer private registries and pin base image digests.

Making these standard for every image and deployment significantly improves your security posture.

Docker Security Best Practices: Images, Runtime, and Supply Chain

Docker Security Best Practices: Images, Runtime, and Supply Chain

1. Minimal and Updated Base Images #

2. Non-Root and Read-Only #

3. Image Scanning #

4. Supply Chain #

Stay Updated

Systemd Tricks We Use to Keep Services Boring

Best Practices: Kernel and Package Patch Management

More from DevOps

Helm Chart Anti-Patterns We've Stopped Using

Job Queues — Sidekiq, Celery, BullMQ Patterns That Hold Up

Internal Developer Platforms — Backstage in Practice

Helm Chart Anti-Patterns We've Stopped Using

Job Queues — Sidekiq, Celery, BullMQ Patterns That Hold Up

Internal Developer Platforms — Backstage in Practice

Chaos Engineering — What We Actually Run as Game Days

Karpenter — Node Provisioning Patterns at Scale

AI Agent Tool Design — Boundaries and Confirmations

About Kiril urbonas

You might have missed

AI Agents in DevOps: From Copilots to Autonomous Automation in 2025

Prompt Engineering Best Practices: Maximizing LLM Performance

AI Model Deployment Strategies: From Development to Production

Docker Security Best Practices: Images, Runtime, and Supply Chain

1. Minimal and Updated Base Images#

2. Non-Root and Read-Only#

3. Image Scanning#

4. Supply Chain#

Stay Updated

Systemd Tricks We Use to Keep Services Boring

Best Practices: Kernel and Package Patch Management

More from DevOps

Helm Chart Anti-Patterns We've Stopped Using

Job Queues — Sidekiq, Celery, BullMQ Patterns That Hold Up

Internal Developer Platforms — Backstage in Practice

About Kiril urbonas

You might have missed

AI Agents in DevOps: From Copilots to Autonomous Automation in 2025

Prompt Engineering Best Practices: Maximizing LLM Performance

AI Model Deployment Strategies: From Development to Production

1. Minimal and Updated Base Images #

2. Non-Root and Read-Only #

3. Image Scanning #

4. Supply Chain #