When you first start using Docker Hub to store your images, you will most likely produce insecure Docker images that allow attackers to easily take control of the container, or perhaps the entire host, and from there to enter your company’s other infrastructure.

This blog post therefore goes through nine tips for improving the security of your Docker images. Each recommendation outlines the underlying attack vector; the tips cover how to avoid disclosing build secrets, how to run as a non-root user, and how to use the latest dependencies and updates.

Avoid Disclosing Build Secrets

Build secrets are credentials that are only required while creating a Docker image (not at run-time). For example, you might want to include in your image a built version of an application whose source code is closed-source and whose Git repo is password-protected. You must clone the Git repo (which requires the build secrets, such as SSH access keys to that repo), build the programme from source, and then remove the sources (and secrets).

“Leaking” a build secret means that you inadvertently baked such secrets into one of your image’s layers. This is a problem since anybody who pulls your image can obtain your credentials. The issue stems from the fact that Docker images are constructed layer by layer, in a completely additive manner. Files deleted in a later layer are only marked as deleted; everyone pulling your image can still access them using sophisticated tools.
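The additive layer model can be checked from the defender's side. The following is an added example, not code from the original post: it treats each layer as a tar archive and reports files that a later layer marks as deleted (the OCI image-spec `.wh.` whiteout marker) while an earlier layer still ships their content. The function names, paths and layer contents are constructed for illustration, and only plain whiteouts are handled.

```python
import io
import tarfile

WHITEOUT = ".wh."  # OCI image-spec prefix: marks a path as deleted in this layer


def make_layer(files):
    """Build one layer as an in-memory tar archive; files maps path -> bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_deleted_but_present(layers):
    """Return (path, added_in, deleted_in, content) for every file that a
    later layer whites out while an earlier layer still carries its bytes."""
    seen = {}       # path -> (layer index, content) of the newest visible copy
    findings = []
    for idx, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            members = [m for m in tar.getmembers() if m.isfile()]
            # Whiteouts apply to lower layers only, so process them first.
            for m in members:
                dirname, _, base = m.name.rpartition("/")
                if base.startswith(WHITEOUT):
                    target = (dirname + "/" if dirname else "") + base[len(WHITEOUT):]
                    hits = [p for p in seen if p == target or p.startswith(target + "/")]
                    for path in hits:
                        added, content = seen.pop(path)
                        findings.append((path, added, idx, content))
            for m in members:
                if not m.name.rpartition("/")[2].startswith(WHITEOUT):
                    seen[m.name] = (idx, tar.extractfile(m).read())
    return findings


# Constructed sample image: layer 0 copies a key in, layer 2 "removes" it.
SAMPLE_LAYERS = [
    make_layer({"root/.ssh/id_rsa": b"CONSTRUCTED-PLACEHOLDER-KEY", "app/main.py": b"print('hi')"}),
    make_layer({"app/build.log": b"ok"}),
    make_layer({"root/.ssh/.wh.id_rsa": b""}),
]

if __name__ == "__main__":
    for path, added, deleted, content in find_deleted_but_present(SAMPLE_LAYERS):
        print(f"{path}: added in layer {added}, deleted in layer {deleted}, "
              f"{len(content)} bytes still shipped")
```

A non-empty result means the deletion step did not remove the secret from the image, so the credential has to be treated as disclosed and the build changed so the secret never enters a layer.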

Run as a Non-Root User

When someone runs your image with “docker run <more parameters> yourImage:yourTag”, the container (including the applications in your ENTRYPOINT/CMD) executes as the root user by default (in the container and on the host). To avoid this, execute your application under a non-root user, i.e., a user created during the Docker build process.

Use the Most Recent Base Image Build and Update System Packages

If you use a base image that includes the full toolset of a real Linux distribution (such as Debian, Ubuntu, or Alpine images), you should use its package manager to install any available package updates.

It is therefore important to run the package management commands that update the local package database and install updates in unattended mode, which needs no human participation. The command differs depending on the operating system.

Update Third-Party Dependencies Regularly

Third-party dependencies, or software created by others, are used in the programme you produce. This includes the following:

The Docker image on which your image is based, or

Third-party software components that you employ in your application, such as those installed through pip/npm/gradle/apt/…

When these dependencies in your image become outdated, the attack surface expands again, because outdated dependencies frequently have exploitable security flaws.

Scan Your Image for Abnormalities

Even if you followed the preceding instructions and ensured that your images always used the most recent third-party dependencies, your images may still be insecure (e.g. if a dependency has become abandoned). “Insecure” in this context denotes that one (or more) of the dependencies has known security flaws (registered in some CVE database).

Never Use Docker Content Trust for Docker Hub

Docker Content Trust is a feature that guarantees that pulled (base) images were built and delivered by the organisation that created them. Setting the DOCKER_CONTENT_TRUST environment variable to “1” while executing docker build or docker pull enables the capability. Images that have not been verified by the publisher will be rejected by the Docker daemon.

Scan Your Code for Security Vulnerabilities

Security vulnerabilities are typically caused by flaws in other people’s code, that is, in prominent third-party dependencies that are “lucrative” to hack due to their widespread use. However, there are situations when your own code is to blame. For example, you may have inadvertently introduced SQL injection flaws, stack overflow problems, and so on.

To Eliminate Unneeded Files, Use docker-slim

The docker-slim programme takes huge Docker images, briefly runs them, evaluates which files are really utilised in the temporary container, and then creates a new, single-layer Docker image that removes any unneeded files. This has two advantages:

The image becomes smaller.

The image gets more secure when unnecessary tools are removed (e.g., curl, or the package manager).

Use Reliable Base Images

A trustworthy image is one that has been examined by someone (either inside your business or by someone else), for example, against a particular security level. This is especially critical in highly regulated industries (banking, aerospace, and so forth) with stringent security needs and regulations.