Harden container images and runtime. Image scanning, minimal base, and supply chain security.

On this page

Docker Security Best Practices: Images, Runtime, and Supply Chain

Containers are a big attack surface. These practices reduce risk without slowing delivery.

1. Minimal and Updated Base Images #

Prefer distroless or Alpine; avoid full OS images when possible.
Pin tags by digest and rebuild regularly for CVEs.

dockerfile.dockerfile

FROM golang:1.21-alpine AS builder
# build...
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app /app
ENTRYPOINT ["/app"]

2. Non-Root and Read-Only #

Run as non-root (USER in Dockerfile; runAsNonRoot in Kubernetes).
Use read-only root filesystem where possible; mount writable dirs only when needed.

3. Image Scanning #

Scan in CI (e.g. Trivy, Snyk) and block critical/high CVEs.
Scan at runtime or in registry and alert on new findings.

4. Supply Chain #

Sign images (Cosign, Notary); verify in admission control.
Prefer private registries and pin base image digests.

Making these standard for every image and deployment significantly improves your security posture.

Docker Security Best Practices: Images, Runtime, and Supply Chain

Docker Security Best Practices: Images, Runtime, and Supply Chain

1. Minimal and Updated Base Images #

2. Non-Root and Read-Only #

3. Image Scanning #

4. Supply Chain #

Stay Updated

Systemd Tricks We Use to Keep Services Boring

Best Practices: Kernel and Package Patch Management

More from DevOps

Incident Postmortems That Actually Prevent Repeat Failures

How We Cut Our Docker Image Size by 80% and Why It Matters

Artifact Promotion Instead of Rebuilds: The Release Control Pattern That Stopped Drift

Incident Postmortems That Actually Prevent Repeat Failures

How We Cut Our Docker Image Size by 80% and Why It Matters

Artifact Promotion Instead of Rebuilds: The Release Control Pattern That Stopped Drift

Blue-Green Deployment Guardrails in Kubernetes: Lessons from a Failed Friday Rollout

Monitoring That Actually Helps On-Call: Alerts, Dashboards, and Runbooks

RDS Restore Drills for Busy Teams: The Recovery Workflow That Surfaced Real Gaps

About Kiril urbonas

Docker Security Best Practices: Images, Runtime, and Supply Chain

1. Minimal and Updated Base Images#

2. Non-Root and Read-Only#

3. Image Scanning#

4. Supply Chain#

Stay Updated

Systemd Tricks We Use to Keep Services Boring

Best Practices: Kernel and Package Patch Management

More from DevOps

Incident Postmortems That Actually Prevent Repeat Failures

How We Cut Our Docker Image Size by 80% and Why It Matters

Artifact Promotion Instead of Rebuilds: The Release Control Pattern That Stopped Drift

About Kiril urbonas

1. Minimal and Updated Base Images #

2. Non-Root and Read-Only #

3. Image Scanning #

4. Supply Chain #