In this article, we are going to talk about Docker best practices from a security perspective. As a developer, building a product securely is a hygiene practice every developer should follow.
Here are some best practices for Docker security while writing a Dockerfile:
Use a minimal base image: Start with a minimal base image that only contains the necessary components for your application. This helps reduce the attack surface and potential vulnerabilities.
Keep the Docker image up to date: Regularly update the base image and any software packages or libraries used in your application to ensure that known vulnerabilities are patched.
Use official images: Whenever possible, use official Docker images that are maintained by the software vendors themselves. These images are typically more secure and are regularly updated with security patches.
Remove unnecessary packages and files: Remove any packages or files that are not needed in the final image to reduce the attack surface and the size of the image.
Use multi-stage builds: Use multi-stage builds to separate the build environment from the runtime environment. This helps reduce the size of the final image and removes any unnecessary build tools or dependencies.
Set user permissions: Use the USER instruction to set a non-root user for the application. This helps reduce the risk of privilege escalation in the event of a security breach.
Use COPY instead of ADD: Use the COPY instruction instead of ADD, as it is more secure. ADD allows for additional functionality like unpacking archives and retrieving files from remote URLs, which can introduce security risks.
Avoid using the latest tag: Use specific version tags instead of the latest tag for the base image and any other software packages or libraries used in your application. This helps ensure that the same version of the software is used in the development, testing, and production environments.
Use a trusted registry: Use a trusted registry for storing and distributing Docker images. Public registries may be vulnerable to attacks such as man-in-the-middle attacks or DNS spoofing.
Scan for vulnerabilities: Use a tool to scan the Docker image for vulnerabilities before deploying it in production. There are several open-source and commercial tools available for vulnerability scanning, such as Aqua Security's Trivy, Anchore Engine, and Clair.
By following these best practices, you can help ensure that your Docker images are more secure and less vulnerable to attacks.
In this example, we demonstrate a sample Dockerfile for a Spring Boot application that follows these best practices:
# Use a minimal base image
FROM adoptopenjdk:11-jre-hotspot-alpine3.13

# Set the working directory
WORKDIR /app

# Copy the Spring Boot application JAR file to the container
COPY target/my-spring-boot-app.jar .

# Set non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser

# Set the entrypoint command to run the Spring Boot application
ENTRYPOINT ["java", "-jar", "my-spring-boot-app.jar"]
In this example, we're using the adoptopenjdk:11-jre-hotspot-alpine3.13 base image, which is a minimal image that only includes the Java Runtime Environment. We then set the working directory, copy the Spring Boot application JAR file to the container, and set a non-root user for running the application.
Finally, we set the entry point command to run the Spring Boot application JAR file using the
To build this Docker image, you can run the following command in the same directory as the Dockerfile:
docker build -t my-spring-boot-app .
This will create a Docker image with the tag my-spring-boot-app. You can then run the Docker container using the following command:
docker run -p 8080:8080 my-spring-boot-app
This will start the Spring Boot application on port 8080 inside the Docker container, which you can access from your host machine using
There are more points, but as a developer you can at least follow these while writing the Dockerfile. For more advanced options, you can use tools to scan the Docker image statically and the running container dynamically.
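A minimal static check of the points above (pinned base image tag, COPY rather than ADD, a non-root USER in the final stage), as an added example that is not part of the original article. It runs the check over the article's own sample Dockerfile, over a constructed weaker variant, and over a constructed multi-stage variant; the maven build-stage image name in the multi-stage sample is illustrative.

```python
"""Static check of a Dockerfile against the points listed in the article.

Added example, not code from the article. It flags:
  * a base image with no tag or the "latest" tag (pin a version)
  * ADD where COPY would do
  * a final stage that never drops to a non-root USER
The sample Dockerfiles below are constructed for this example; the
build-stage image name is illustrative.
"""
from typing import List, Optional, Tuple

Instruction = Tuple[str, str]

# The article's own sample Dockerfile, reproduced as test input.
ARTICLE_SAMPLE = """\
FROM adoptopenjdk:11-jre-hotspot-alpine3.13
WORKDIR /app
COPY target/my-spring-boot-app.jar .
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
ENTRYPOINT ["java", "-jar", "my-spring-boot-app.jar"]
"""

# Constructed: ignores the guidance (untagged image, ADD, runs as root).
WEAK_SAMPLE = """\
FROM openjdk
ADD target/app.tar.gz /app
WORKDIR /app
ENTRYPOINT ["java", "-jar", "app.jar"]
"""

# Constructed: multi-stage build; only the JRE and the JAR reach the final image.
MULTISTAGE_SAMPLE = """\
FROM maven:3.8-openjdk-11 AS build
WORKDIR /src
COPY pom.xml .
COPY src ./src
RUN mvn -q package

FROM adoptopenjdk:11-jre-hotspot-alpine3.13
WORKDIR /app
COPY --from=build /src/target/my-spring-boot-app.jar .
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
ENTRYPOINT ["java", "-jar", "my-spring-boot-app.jar"]
"""


def parse_instructions(text: str) -> List[Instruction]:
    """Split a Dockerfile into (INSTRUCTION, arguments) pairs.

    Blank lines and comments are dropped; backslash continuations are joined.
    """
    result: List[Instruction] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        pending += line
        parts = pending.split(None, 1)
        result.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
        pending = ""
    return result


def split_image_ref(ref: str) -> Tuple[str, Optional[str]]:
    """Return (name, tag_or_digest); the second item is None when unpinned."""
    if "@" in ref:                      # name@sha256:... is pinned by digest
        name, _, digest = ref.partition("@")
        return name, digest
    last_slash = ref.rfind("/")         # a registry host may contain ":port"
    colon = ref.find(":", last_slash + 1)
    if colon == -1:
        return ref, None
    return ref[:colon], ref[colon + 1:]


def check_dockerfile(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    stages: List[List[Instruction]] = []
    for instr in parse_instructions(text):
        if instr[0] == "FROM":
            stages.append([instr])
        elif stages:                    # ARG lines before the first FROM are ignored
            stages[-1].append(instr)
    if not stages:
        return ["no-from: no FROM instruction found"]

    stage_names = set()
    for stage in stages:
        from_args = [t for t in stage[0][1].split() if not t.startswith("--")]
        ref = from_args[0]
        # "FROM build" refers to an earlier stage, not to a registry image
        if ref not in stage_names and ref != "scratch":
            _, tag = split_image_ref(ref)
            if tag is None:
                findings.append(f"unpinned-image: FROM {ref} has no tag and resolves to latest")
            elif tag == "latest":
                findings.append(f"latest-tag: FROM {ref} uses the mutable latest tag")
        if len(from_args) >= 3 and from_args[1].upper() == "AS":
            stage_names.add(from_args[2])
        for name, args in stage[1:]:
            if name == "ADD":
                findings.append(f"add-instruction: ADD {args} (use COPY unless extraction is required)")

    # Only the last stage becomes the runtime image, so only its USER matters.
    users = [args.split(":")[0] for name, args in stages[-1] if name == "USER"]
    if not users:
        findings.append("root-user: final stage has no USER instruction, container runs as root")
    elif users[-1] in ("root", "0"):
        findings.append("root-user: final stage switches back to root")
    return findings


if __name__ == "__main__":
    samples = (("article", ARTICLE_SAMPLE), ("weak", WEAK_SAMPLE), ("multistage", MULTISTAGE_SAMPLE))
    for label, sample in samples:
        print(label, check_dockerfile(sample) or "OK")
```

The check deliberately looks only at the final stage for USER, since build stages are discarded; it does not resolve ARG-substituted image names, so a FROM ${BASE} line is reported as unpinned unless you expand it first.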
I hope this helps you!