Docker containers use the Docker Engine, which runs on Linux containers, to simplify the software development process.
Like all containers, Docker containers are native features of the Linux kernel that provide lightweight process isolation through namespaces and control groups (cgroups). These containers help you streamline the software development life cycle.
But keep in mind that Docker containers also come with risks if you don’t have proper security in place.
Advanced Container Security Best Practices [Cheat Sheet]
This cheat sheet goes beyond the no-brainer container security best practices and explores advanced techniques that you can put into action ASAP. Use this cheat sheet as a quick reference to ensure you have the proper benchmarks in place to secure your container environments.
Download now
What are the most common Docker security vulnerabilities and risks?
When securing containers, your organization should consider vulnerabilities in container images, insecure configurations, and container breakouts. These risks become more severe when weak authentication and improper access controls grant unauthorized access.
Data exposure, distributed denial-of-service attacks, and untrustworthy Docker images also introduce these threats:
Data breaches: Attackers exploit vulnerabilities in containerized applications to access sensitive information.
Compromised host system: A Docker container vulnerability can let an attacker escape, access the host system, execute code, install malware, manipulate configurations, or launch attacks on other containers and infrastructure.
Service disruption: Exploited vulnerabilities in containerized applications disrupts services and causes downtime, which reduces your network’s availability and performance.
Malware propagation: Malicious actors use container vulnerabilities to distribute malware. Once they compromise a container, they can then spread malware to other containers, systems, or networks.
Data loss or corruption: Vulnerabilities in containerized applications may modify or delete critical data or make it inaccessible.
Reputation damage: Security breaches from container vulnerabilities can harm an organization’s reputation and erode customer trust.
Regulatory non-compliance: Ignoring container vulnerabilities can violate industry regulations and data protection laws.
Docker container security best practices
Your first line of defense against the above risks should take these considerations into account:
Securing the host system, whether it’s a virtual machine (VM) or bare metal, prevents threats from compromising all running containers.
Applying robust security protocols—such as updating the system with security patches, enforcing strong access controls, and monitoring for suspicious activity—strengthens overall system security and helps prevent potential threats.
Securing both the host and containers strengthens your overall application security.
Along with these steps, you can adopt several security best practices for Docker containers.
3 image security best practices
By following these best practices for image security, organizations can minimize the risk of vulnerabilities and security breaches:
Use only official images and trusted repositories
When selecting Docker images, prioritize using official images from trusted sources. Reputable vendors maintain these images, rigorously test them, and conduct security checks to reduce the likelihood of vulnerabilities or malicious code.
Container registries add extra security for production containers, so keeping production images in a private registry enhances their protection.
Additionally, you can enable image signing, which allows image publishers to use cryptographic keys to sign their images. This feature helps you verify images’ authenticity and integrity before deployment.
You can also do the following:
Use official images from Docker Hub, such as
nginx:1.21.3orpython:3.9-slim, rather than community-contributed alternatives.Avoid using the latest tag, as it can introduce unpredictable updates and potential security risks.
Pin specific versions (like
FROM nginx:1.21.3) to ensure stability and greater control over updates.
2.Scan images for vulnerabilities
Use image scanning tools to detect and remediate vulnerabilities in Docker images before deploying them to production.
Tools like Wiz, Trivy, and Clair help your DevOps team automatically analyze container images for known vulnerabilities in software packages and dependencies. Integrating image scanning into the CI/CD pipeline with a shift-left approach also helps developers identify and fix security issues early, which reduces the risk of deploying insecure images.
It’s easy to add image scanning into your CI/CD pipeline. Here’s an example, using Trivy:
trivy image my-imageIf you want to streamline and improve your scanning, you can also use Wiz Sensor. This eBPF runtime sensor can block cloud attacks and provide real-time context for your containers, VMs, and serverless infrastructure.
The image below shows how you can detect key vulnerabilities and get prioritized next steps:
3. Regularly update images and dependencies
Stay proactive by regularly updating both Docker base images and their dependencies to the latest versions. Establish a process for monitoring security advisories and releases from upstream repositories, and schedule regular scans and updates for container images to ensure they remain secure over time.
To help with this, consider implementing a weekly image update process:
Pull the latest base image.
Rebuild your application image.
Run vulnerability scans.
Test the new image in a staging environment.
Deploy to production, if tests pass.
3 container configuration best practices
Below are three container configuration best practices to follow:
Implement the principle of least privilege (PoLP)
Run Docker containers with the minimum required permissions for their intended functionality by following PoLP. Running containers as the root user grants unnecessary privileges and increases the risk of privilege escalation attacks, so it’s best to instead configure them as non-root users with limited permissions.
You can run your Docker containers as a non-root user with the following command:
docker run --user 111:111 my-containerIf running as non-root is not an option, you can drop all the root user’s capabilities to restrict users’ actions:
sudo docker run --rm -it --cap-drop ALL my-container sh2. Reduce your attack surface by minimizing container size
Optimize the Docker container size to minimize its attack surface by removing unnecessary components and dependencies from the container image. You can start with minimal base images—like Alpine Linux, BusyBox, or Google’s distroless base images—and install only the packages and libraries that the application needs to function properly.
Here’s an example of a distroless base image for a Go application:
FROM golang:1.20 as build
WORKDIR /app
COPY . .
RUN go mod download
RUN CGO_ENABLED=0 go build -o /app
FROM gcr.io/distroless/static-debian11
COPY --from=build /app /
CMD ["/app"]3. Use namespaces and cgroups effectively
Linux namespaces isolate processes and filesystems, maintaining each container’s independent environment. Similarly, cgroups let administrators allocate and limit system resources like CPU, memory, and disk I/O for individual containers, which prevents resource contention and ensures fair resource distribution.
To enforce these limits and maintain better control over container resources, use Docker commands to restrict CPU and memory usage, limit device access, and control the number of processes in place.
2 network security best practices
You can adopt the following two principles for improved network security:
Implement network segmentation
Separate Docker containers and applications based on their security requirements using network segmentation.
Here’s how to create and use a separate network for Docker containers:
docker network create my-new-network
docker run my-container —-network my-new-network2. Configure firewall rules and network policies
Implementing firewall rules and network policies helps you control inbound and outbound traffic to Docker containers while enforcing security policies at the network level. Firewall solutions like iptables or nftables filter and block unauthorized network traffic based on source/destination IP addresses, ports, and protocols.
For example, a basic firewall rule can allow incoming traffic only on port 80:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROPThis ensures that your Docker host only accepts web traffic, which reduces the attack surface.
3 runtime security best practices
Follow these three practices for improved runtime security:
Leverage container runtime security tools
You can use container runtime security tools to monitor and protect Docker containers against security threats and suspicious activities.
Tools like gVisor and Falco provide runtime security capabilities, including container introspection, anomaly detection, and behavioral analysis. gVisor, for instance, sandboxes containers for enhanced isolation and security, while Falco detects and responds to real-time security incidents.
Here’s an example of deploying Falco in a container for real-time security event monitoring:
docker run -d --name falco --privileged \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /lib/modules:/lib/modules:ro \
-v /usr/src:/usr/src:ro \
falcosecurity/falcoYou can also customize detection rules by modifying /etc/falco/falco_rules.yaml to define threats that are relevant to your environment.
2. Enforce resource constraints and isolation
Preventing resource abuse and ensuring the fair allocation of system resources requires enforcing resource constraints and isolation mechanisms.
Docker’s built-in features, which include resource limits (like CPU and memory) and container isolation (like namespaces and cgroups), restrict resource usage and keep containers separate from each other and the host system. Additionally, container orchestration platforms like Kubernetes automate resource management and scheduling, as well as optimize resource utilization, while maintaining security and performance.
To add CPU and memory limits to your Docker containers, use the following command:
docker run --name some-container --cpu=0.5 --memory=128m some-image3. Monitor container activities for suspicious behavior
Continuously monitoring container activities will help you detect and respond to suspicious behavior and security threats in real time.
For example, you can use tools like ELK Stack, Prometheus, and Grafana to implement a monitoring strategy. You can also configure Docker to use a logging driver like Fluentd:
{
"log-driver": "fluentd",
"log-opts": {
"fluentd-address": "localhost:24224",
"tag": "docker.{{.Name}}"
}
}As you develop your strategy, be sure to adopt logging, auditing, and monitoring solutions to capture and analyze container logs, events, and metrics for signs of unauthorized access, privilege escalation, or abnormal activity. You can also configure alerting mechanisms to notify administrators of potential security incidents or policy violations, which enables timely response and remediation to mitigate risks and prevent further exploitation.
Another way to reinforce your monitoring is by creating Kibana dashboards to visualize logs and set up alerts for anomalies, such as failed authentication attempts or privilege escalations. This approach allows you to quickly detect and respond to potential security threats.
6 secure development practices
Consider the following steps to improve your security development:
Follow secure coding practices for containerized applications
Develop secure containerized applications by adhering to rigorous coding practices that counter new vulnerabilities and safeguard sensitive data.
To do so, adopt these key practices:
Validate input to thwart injection attacks.
Implement strong authentication and authorization mechanisms to enhance security.
Encrypt communication channels to prevent data interception.
Handle errors comprehensively to support effective incident response.
Manage dependencies securely by regularly updating and patching components.
2. Incorporate security into the CI/CD pipeline
Integrating security scanning into the CI/CD pipeline ensures continuous vulnerability detection and mitigation throughout the development lifecycle.
Critical security automation practices include:
Running automated security scans on container images, dependencies, and code
Failing builds with critical vulnerabilities to prevent insecure deployments
Generating reports for visibility and integrating them with security dashboards
Using allowlists and custom policies to fine-tune scanning thresholds
Regularly updating scanning tools to detect the latest threats
3. Conduct static code analysis
Static code analysis tools scan Dockerfiles, application code, and configuration files in the CI/CD pipeline to identify security vulnerabilities and coding errors. These tools also detect insecure coding practices, hardcoded credentials, and known vulnerabilities in dependencies.
You can start by using SonarQube for Dockerfile analysis. Follow these steps to do so:
Set up a SonarQube server.
Add the following to your CI/CD pipeline:
docker run --rm \
-e SONAR_HOST_URL="http://your-sonarqube-server" \
-e SONAR_LOGIN="your-token" \
-v "${PWD}:/usr/src" \
sonarsource/sonar-scanner-cli \
-Dsonar.projectKey=your-project \
-Dsonar.sources=/usr/src \
-Dsonar.inclusions=*/DockerfileConfigure SonarQube quality gates to fail builds that don't meet security standards.
4. Scan container images
Container image scanning tools assess Docker images in the CI/CD pipeline for vulnerabilities and security risks. These scanners automatically detect vulnerable software packages, libraries, and dependencies, providing visibility into security issues and helping developers prioritize remediation before deploying images to production.
5. Make the most of security testing tools and methods
Security testing methodologies like penetration testing, vulnerability scanning, and fuzz testing assess the security posture of Docker containers and applications in the CI/CD pipeline.
In addition to these testing methods, policy enforcement tools and frameworks automate security checks, validate configurations, and enforce security controls, reducing the risk of non-compliance and security breaches.
6. Prioritize continuous monitoring and feedback
Container monitoring involves collecting and analyzing security-related data to generate actionable insights and provide developers and operators with feedback for remediation and improvement, which keeps containers healthy and secure.
What are some of the top Docker security tools?
Choosing the right Docker security solution is just as important as implementing best practices. You’ll want a cloud-native application protection platform that can not only provide the best security for today but also adapts to the evolving threat landscape.
Below are some of the top tools to consider for improved security:
Wiz
Wiz is a cloud-native security platform that delivers everything you need for a comprehensive cloud security system. It offers comprehensive visibility and risk assessments for your entire container environment.
The platform also helps you identify vulnerabilities and misconfigurations, implement CI/CD pipeline integrations, and detect risks across your Docker images, containers, and infrastructure.
Key features:
Agentless vulnerability scanning: Identify risks in container images and running containers automatically.
Configuration assessment: Locate misconfigurations that could lead to security breaches and implement contextual remediation insights in order of priority.
Cloud security posture management: Assess your cloud environment’s entire security posture, such as for your container-related resources and more.
Compliance and risk management: Map container security risks for compliance frameworks like CIS, PCI-DSS, and NIST.
Trivy
Trivy is a vulnerability scanner for your containers that you can integrate into your CI/CD pipeline for early scanning.
Key features:
Comprehensive scanning: Find OS package and dependency vulnerabilities.
User-friendliness: Benefit from a simple, easy-to-use interface and reporting.
Falco
Falco can detect odd behavior in your containers and monitor system calls. Because the tool operates at runtime, it can also be useful for finding threats that dodge flagging during pre-deployment scans.
Key features:
Runtime monitoring: Watch container activity for security threats.
Real-time alerts: Get pings on suspicious activity.
Anomaly detection: Find deviations that hint at breaches.
Improve your Docker container security with Wiz
Docker container security should reduce attack surfaces and perform ahead of the curve as threats evolve. However, using a legacy tool that isn’t cloud-native or a solution that can’t keep up can cause more damage than it prevents. Not only that, but if you’re juggling different security tools, you’ll face blindspots and difficulty managing your cloud security environment.
That’s where Wiz leads the way. Unlike tools that focus on a single security layer, Wiz offers whole container security. This single, agentless platform includes image scanning, runtime protection, risk management, compliance, and more—everything you need for a top cloud security management solution. It also helps you detect threats in real time with deep visibility and automated remediation.
Ready to improve your container security? Get Wiz’s free Advanced Container Security Best Practices Cheat Sheet for more information—or try the demo today to find out how Wiz can help you implement security improvements.
What's running in your containers?
Learn why CISOs at the fastest growing companies use Wiz to uncover blind spots in their containerized environments.
