Harden container images and runtime. Image scanning, minimal base, and supply chain security.

On this page

Docker Security Best Practices: Images, Runtime, and Supply Chain

Containers are a big attack surface. These practices reduce risk without slowing delivery.

1. Minimal and Updated Base Images #

Prefer distroless or Alpine; avoid full OS images when possible.
Pin tags by digest and rebuild regularly for CVEs.

dockerfile.dockerfile

FROM golang:1.21-alpine AS builder
# build...
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app /app
ENTRYPOINT ["/app"]

2. Non-Root and Read-Only #

Run as non-root (USER in Dockerfile; runAsNonRoot in Kubernetes).
Use read-only root filesystem where possible; mount writable dirs only when needed.

3. Image Scanning #

Scan in CI (e.g. Trivy, Snyk) and block critical/high CVEs.
Scan at runtime or in registry and alert on new findings.

4. Supply Chain #

Sign images (Cosign, Notary); verify in admission control.
Prefer private registries and pin base image digests.

Making these standard for every image and deployment significantly improves your security posture.

Docker Security Best Practices: Images, Runtime, and Supply Chain

Docker Security Best Practices: Images, Runtime, and Supply Chain

1. Minimal and Updated Base Images #

2. Non-Root and Read-Only #

3. Image Scanning #

4. Supply Chain #

Stay Updated

Systemd Tricks We Use to Keep Services Boring

Best Practices: Kernel and Package Patch Management

More from DevOps

Pre-Commit Hooks That Saved Our Repo: 7 Real Examples

OpenTelemetry Collector Pipelines: Real Configs That Survived Production

Blue/Green Deploys for Stateful Services: A Postgres Cutover Story

Pre-Commit Hooks That Saved Our Repo: 7 Real Examples

OpenTelemetry Collector Pipelines: Real Configs That Survived Production

Blue/Green Deploys for Stateful Services: A Postgres Cutover Story

Incident Postmortems That Actually Prevent Repeat Failures

EKS Auto Mode: What Worked, What Broke in Our Migration

Zero Trust on AWS: Lessons From Implementing IAM Identity Center

About Kiril urbonas

You might have missed

AI Agents in DevOps: From Copilots to Autonomous Automation in 2025

AI Model Deployment Strategies: From Development to Production

Prompt Engineering Best Practices: Maximizing LLM Performance

Docker Security Best Practices: Images, Runtime, and Supply Chain

1. Minimal and Updated Base Images#

2. Non-Root and Read-Only#

3. Image Scanning#

4. Supply Chain#

Stay Updated

Systemd Tricks We Use to Keep Services Boring

Best Practices: Kernel and Package Patch Management

More from DevOps

Pre-Commit Hooks That Saved Our Repo: 7 Real Examples

OpenTelemetry Collector Pipelines: Real Configs That Survived Production

Blue/Green Deploys for Stateful Services: A Postgres Cutover Story

About Kiril urbonas

You might have missed

AI Agents in DevOps: From Copilots to Autonomous Automation in 2025

AI Model Deployment Strategies: From Development to Production

Prompt Engineering Best Practices: Maximizing LLM Performance

1. Minimal and Updated Base Images #

2. Non-Root and Read-Only #

3. Image Scanning #

4. Supply Chain #