What is Docker Security? Beginner’s Guide

Here at HeyJobs, we use Docker for running our microservices on AWS Cloud. Running an application as a container has its own benefits like portability, performance, agility, isolation, and scalability.

Deploying these services as the container is much easier. We need to ask ourselves a few hard questions so that in the future we don't end up having Security issues.

1. How are we making sure that these containers are secure enough for the production environment ?.
2. Are your Dockerfiles written following all the security best practices?.
3. Tested container images for vulnerabilities ?.
4. Have we optimized our docker images ?.

Let's go step by step and discuss these topics in detail.

What is Dockerfile ?.

A Dockerfile is a text document that contains all the commands a user can call on the command line to assemble an image.

Example of a typical Dockerfile (nginx):

https://github.com/dockerfile/nginx/blob/master/Dockerfile

Why should we follow security best practices for Dockerfiles?.

• Dockerfiles are a blueprint for building your Docker container images.
• Dockerfiles are a codified version of your application and infrastructure.
• Dockerfiles are among the key components in the entire supply chain security.
• Dockerfiles need to be part of your security posture to maintain the highest level of security comprehensively.
• Insecure Dockerfiles can cause serious security issues.

Some best practices for Dockerfiles are as below:

• Start with a small version of the image.
• Create ephemeral containers.
• Exclude files from the image with .dockerignore — it works similarly to .gitignore in Git.
• Use multi-stage builds to reduce the image size and its attack surface.
• Create multi-line arguments in a structured way, and reduce the image layers.
• Minimize the number of layers by grouping similar commands. For example: RUN apt-get update && apt-get install -y curl.
• Leverage the build cache and remove the package manager cache: rm -rf /var/lib/apt/lists/* .
• Create your own base image like a golden image.

The Docker community also recommends a few other best practices :

• Use the COPY instruction to copy only the necessary files. Avoid executing instructions such as COPY . . .
• Only install what you need. For example, use the --no-install-recommendsoption.
• Use a specific image tag; avoid the latest tag.
• Set non-root user and group.
• Use only trusted and official base images.
• Don’t store secrets or sensitive information in Dockerfiles.
• Don’t install SSH or similar services that may expose your containers.

Till now we have seen a number of standard best practices to follow. Now let’s see how we can apply it in our DevOps workflow.

Use tools and techniques to validate the same

1. Hadolint — Haskell Dockerfile Linter

A smarter Dockerfile linter that helps you build best practice Docker images. The linter parses the Dockerfile into an AST and performs rules on top of the AST. It stands on the shoulders of ShellCheck to lint the Bash code inside RUN instructions.

https://github.com/hadolint/hadolint

It is available on Github but it makes more sense to integrate these linters in your deployment CI/CD pipelines.

Hadolint linter check against Dockerfile on local

2. Dockle — Docker image linter for security

It performs multiple CIS benchmark checks, as well as more generic checks that are considered recommended best practices.

GitHub - goodwithtech/dockle: Container Image Linter for Security, Helping build the Best-Practice…

CIS Benchmark comparison

Checks for Dockerfiles

3. dive — Explore each layer in a Docker image

It enables exploring a Docker image and layer contents and discovering ways to shrink the size of your Docker/OCI image. Find out more about the project on https://github.com/wagoodman/dive.

Dive offers a rich exploratory feature set. For example, it can:

• Show broken Docker image contents by layer.
• Indicate what’s changed in each layer.
• Estimate image efficiency.
• Be included in CI integration.

https://github.com/wagoodman/dive

4. IDE linters and plugins

We usually use IDEs for writing Dockerfiles; there are some IDE linters and plugins that help us enforce best practices and identify potential security issues in the early stages of our SDLC lifecycle.

For example, this is a Docker linter plugin for Microsoft Visual Studio Code.

Conclusion

We looked at security best practices that we should follow while writing Dockeriles and we explore a few tools and techniques that we can integrate into our CI/CD pipeline and development workflows for quick turnaround.

Resources and references

• Dockerfile Best Practices talk at dockercon 19
• https://docs.docker.com/develop/develop-images/dockerfile_best-practices
• https://github.com/hexops/dockerfile
• https://engineering.bitnami.com/articles/best-practices-writing-a-dockerfile.html
• https://snyk.io/blog/10-docker-image-security-best-practices
• https://github.com/goodwithtech/dockle
• https://github.com/hadolint/hadolint
• https://www.conftest.dev
• https://github.com/madhuakula/docker-security-checker

Seems cool, exciting, and fun stuff? Then Join our team at HeyJobs!

Do you like building things and working at scale while we are in hypergrowth? Interested in joining HeyJobs? Check out our open positions here.