Docker Image Security: Get it in Your Sights

For organizations and individuals alike, the adoption of Docker is increasing exponentially with no signs of slowing down. Why is this? Because Docker provides a whole host of features that make it easy to create, deploy, and manage your applications. This useful technology is especially essential as your organization scales and your infrastructure grows. 

Want to jump right in and explore everything about Docker? Try the Cloud Academy Learning Path Docker in DepthYou’ll get courses, labs, quizzes, and exams — everything you need in one place minus the coffee.

Docker in Depth learning path

Technically speaking, Docker is a set of PaaS (Platform-as-a-Service) products that uses OS-level virtualization for delivering software in containers that communicate with one another, but when these container ecosystems aren’t designed cautiously and managed with care, they can lead to some pretty risky security issues.

While Docker offers a wide range of benefits, the security challenges that come with containerized environments shouldn’t be overlooked. To help you increase the security standards of your Docker-based containerized environments, we’ve outlined our best practices to maintain Docker image security below.

Docker Image Security Best Practices

Always Verify Images Prior to Using

By default, Docker allows you to pull Docker images without validating their authenticity first. This exposes you to Docker images with unverified author and origin details. To avoid this, use the following command to temporarily enable Docker Content Trust:

export DOCKER_CONTENT_TRUST=1

Always ensure that the image you are pulling is published by a reliable publisher and that no third parties have modified it. Docker-certified images are provided by trusted partners and curated by the official Docker Hub, and using certified images is critical when considering the code in your production environment. To add another layer of protection, Dockers allows images to be signed using Docker Notary. Notary also verifies the image signature and prevents an image from running if it has an invalid signature.

Efficiently Handle the Container Life cycle

The way a user decides to handle the container life cycle greatly determines the Docker image security. While updating a container, it is recommended to not only to check the updated layer for security, but to also test the entire stack.

Establish a Thorough and Standardized Access Management Solution

When you have a strong access management solution for your Docker implementation — and really, across your cloud infrastructure — your containers can (and should) operate with minimal privileges and access in order to reduce risk. Organizations can use Role-Based Access Control (RBAC) and Active Directory solutions to manage permissions for the entire organization easily and effectively.

Find and Fix Open-Source Vulnerabilities

Open-source resources are extremely popular in Docker. The upside is that these are free to use, and they support modifications to a great extent. However, the downside is potential unexposed vulnerabilities, which can easily take your system down. Does that mean you shouldn’t use these free readily available resources? Of course not! But you should do your due diligence first and use them with caution. One way to do this is by using tools that allow continuous scanning and monitoring of vulnerabilities across all in-use Docker image layers, such as Snyk.

Limit the System Resources Consumed by Containers

Another good Docker security practice is to implement limits on the system resources that are to be consumed by containers. This not only helps in reducing performance impacts, but also lessens the risk of DoS (denial of service) attacks.

No Root User by Default/Least Privileged Access

When there is no USER specified in the Dockerfile, the default mechanism is to execute the container using the root user. This means that the running Docker container could potentially have root access on the Docker host. This is a problem! Allowing an application on the container with the root user running increases the exposed attack surface and makes the application vulnerable to exploitation. To avoid this undesirable scenario, create a both a dedicated user and a dedicated group in the Docker image. Next, use the USER directive in the Dockerfile to make sure that the container runs the application with the least privileged access possible, as is best practice.

Use a Linter

Using a linter not only helps in avoiding common mistakes, but also in establishing best practice guidelines that can be followed in an automated, convenient way. One recommended linter to use with Docker is Hadolint, which parses a Dockerfile and generates warnings for errors that don’t follow its best practice rules. It’s even more useful when used in conjunction with an (Integrated Development Environment (IDE).

Use Multi-Stage Builds and Secrets Manager

Even when deleted, sensitive data like an SSH private key or tokens may still persist on the layer they were added to due to caching. This poses a great security risk. The solution is to keep secret information outside the Dockerfile by using multi-stage builds. Using Docker support for multi-stage builds allows fetching and managing private data in an intermediate layer that is disposed of later, ensuring that any sensitive information doesn’t reach the image build. You can also use Secrets Manager for the same purpose.

You should also be wary of a recursive copy. When you have files containing sensitive information in the folder, either remove them or use .dockerignore.

Whenever Possible, Avoid ADD and Use COPY Instead

Copying files from the host into a Docker image at build time can be accomplished by using either the ADD or COPY command. When executed, either command will perform a recursive copy. Note that unlike the ADD command, the COPY command requires that you declare a destination file.

If the destination directory doesn’t exist for the ADD command, then (unlike with the COPY command) the ADD command will create a directory. When you copy resources with URLs, it is important to reference them over secured TLS connections (HTTPS) for enhanced security. In addition, the source/origins of the resources should be validated when using the COPY command.

When you copy archives, the ADD command automatically extracts the archive into the destination directory. This is something you do not want, so it’s to be avoided. The reason is that it increases the risk of “zip bombs” and “zip slip vulnerabilities.” The COPY command allows you to separate the addition of an archive from remote locations, as well as unpack it as different layers. This optimizes the image cache. Avoid using ADD whenever possible, as using the command makes Docker susceptible to attacks via remote URLs and Zip files.

Yes to Minimal Base Images

When the project doesn’t necessitate any general system libraries or utilities, it is better to pick a minimal base image rather than a full-fledged operating system. According to Snyk’s annual state of open-source security report in 2019, several of the popular Docker containers featured on the Docker Hub contain many known vulnerabilities. Minimal base images for Docker containers feature only the necessary system libraries and tools to run the project, and therefore minimize the attack surface. Less attack surface means less risk.

Docker Image Security Tips

Employ a Robust Third-Party Security Tool

When using containers from untrusted public repositories, it is vital to assess the degree of security risk first. Use a multi-purpose security tool that offers dev-to-production security features for assessing risk.

Pay Attention to Vulnerability

You should have a robust vulnerability management program that performs multiple checks during the entire container life cycle. It must include quality gates — these will help to detect any issues related to access for detecting access issues, as well as any weak points where there could be a  potential exploit from development-to-production environments.

Monitor and Assess Container Activity

Monitoring the container ecosystem to detect and manage any suspicious activity must not be overlooked. Container monitoring tools offer real-time reports, which are helpful in reacting rightly against security breaches.

Enable Docker Content Trust

Introduced in Docker 1.8, the Docker Content Trust feature helps in verifying the authenticity, integrity, and publication date of all Docker images from the Docker Hub Registry.

Use the Docker Bench for Security Script

For further securing your Docker server and containers, be sure to run the Docker Bench for Security script. This script checks for a plethora of configuration best practices when deploying Docker containers.

Be Careful When Using a Web Server 

Always check the parameters carefully when using a web server and API for creating containers. This will prevent you from creating undesirable, or even harmful, containers.

Avoid Using the Default Bridge Network When Using a Single-Host App with Networking

When using a single-host app with networking, the use of the default bridge network must be avoided. If you do use the default bridge network and then publish a port, all containers on the bridge network become undesirably accessible. Additionally,  other technical disadvantages make it a non-recommended practice for production use.

More Important Docker Image Security Tips:

  • When there is only the need to read from volumes, mount them as read-only. There are several ways to do this, and you can choose one that best fits your process and requirements.
  • Use Docker containers for running other processes on the same server that you are using for your Docker project(s).
  • Secure API endpoints with HTTPS or SSH when exposing a REST API.
  • Never store sensitive data in a container, but only in volumes.
  • For serving, use Lets Encrypt for HTTPS certificates.
  • Keep your Docker, system libraries, and utilities up-to-date for the latest bug fixes and security enhancements.
  • Consider using Docker Enterprise when dealing with multiple or large teams and/or many Docker containers.

In conclusion

Docker is, without a doubt, one of the best options when dealing with cloud-powered technologies and applications that are meant to be readily deployable and quick to act. You need to double-check your security measures, though, to make the most out of containerized environments.

Hopefully, you will find the security practices and tips put up together in the article useful. Always remember, it’s essential to continuously upgrade your security standards to keep your applications, data, and—most importantly—your clients safe at all times.

Cloud Academy