Container Security Fundamentals
Container security encompasses the practices, tools, and configurations that protect containerized applications from build time through runtime. Unlike virtual machines, containers share the host kernel: isolation is enforced by namespaces, cgroups, and capabilities rather than by a hypervisor, so a kernel vulnerability reachable from one container can compromise the host and every other container running on it.
The container security landscape spans four layers:
- Image security: Base image selection, vulnerability scanning, minimal image composition, and trusted registries
- Build security: Dockerfile best practices, multi-stage builds, secrets handling during build, and supply chain integrity
- Runtime security: Least-privilege execution, read-only filesystems, resource limits, network policies, and seccomp profiles
- Application security: The code running inside containers must be secured with the same rigor as any other deployment—SAST, dependency scanning, and secrets detection
Container security is not a replacement for application security. A hardened container running vulnerable code is still vulnerable. The most secure container configuration cannot prevent a SQL injection or command injection in the application it hosts.
Common Container Vulnerabilities
Running as Root
By default, Docker runs container processes as root unless the image sets a USER. If an attacker exploits an application vulnerability, they gain root inside the container, and because the container shares the host kernel, that root is also root from the kernel's point of view unless user namespaces are enabled. Root in the container is the starting point for most escapes: kernel exploits, abuse of granted capabilities, or writable host mounts. Always set a non-root USER directive in Dockerfiles, and verify it with docker image inspect.
Bloated Base Images
Full OS base images (e.g., ubuntu:latest) include hundreds of packages, expanding the attack surface. Each unnecessary package is a potential vulnerability, and each is one more thing a scanner will flag and you will have to patch. Minimal images like alpine, distroless, or scratch reduce the attack surface dramatically; distroless and scratch also ship no shell or package manager, which denies an attacker the usual post-exploitation tooling (at the cost of harder in-container debugging).
Secrets in Images
Embedding credentials, API keys, or certificates directly in Docker images exposes them to anyone who pulls the image, even when they only appear in an intermediate layer. Image layers are immutable and additive: a file written in one RUN step and deleted in a later one is still present in the earlier layer and can be recovered with docker history, docker save, or any layer-inspection tool. Build-time secrets belong in BuildKit secret mounts or in a build stage that is never shipped, not in COPY, ENV, or ARG.
Outdated Base Images
Base images that are not regularly updated accumulate known CVEs. A base image that was secure at build time may have dozens of disclosed vulnerabilities within months.
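The four problems above (root by default, bloated base images, secrets left in layers, and stale base images) are all fixed in the Dockerfile. The following multi-stage Dockerfile is an added example, not code from the original page or from CodeSlick; the service name app, the package path ./cmd/app, the secret id netrc, and the port 8080 are assumptions for illustration. Each comment names the weak pattern that the line replaces.

```dockerfile
# syntax=docker/dockerfile:1
# The syntax directive enables BuildKit features such as --mount=type=secret.

# ---- Build stage: full toolchain, discarded before shipping ----
# Weak pattern: building in the runtime image, so compilers and source ship with it.
# Pin a specific version tag; in production pin by digest (golang:1.22-alpine@sha256:<digest>)
# so a silently updated tag cannot change what you ship.
FROM golang:1.22-alpine AS build
WORKDIR /src

COPY go.mod go.sum ./
# Weak pattern: ARG/ENV GITHUB_TOKEN or COPY .netrc, which leaves the credential in a layer.
# A BuildKit secret mount is visible only during this RUN step and never becomes a layer.
# Supply it at build time with: docker build --secret id=netrc,src=$HOME/.netrc -t app:1.0 .
RUN --mount=type=secret,id=netrc,target=/root/.netrc go mod download

COPY . .
# Static, stripped binary so the runtime stage needs no libc or shell.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# ---- Runtime stage: minimal, non-root ----
# Weak pattern: FROM ubuntu:latest (hundreds of packages, a shell, a moving target).
# distroless static contains only the binary's runtime needs; the :nonroot tag
# provides an unprivileged user (uid 65532) defined in /etc/passwd. Pin by digest in production.
FROM gcr.io/distroless/static-debian12:nonroot

# Only the compiled artifact crosses from the build stage: no source, no credentials.
COPY --from=build /out/app /app

# Weak pattern: no USER directive, so the process runs as root.
USER nonroot:nonroot

EXPOSE 8080
ENTRYPOINT ["/app"]
```

After building, confirm the properties the Dockerfile is supposed to guarantee rather than trusting it: docker history --no-trunc app:1.0 should show no layer that writes a credential file, and docker image inspect --format '{{.Config.User}}' app:1.0 should print nonroot:nonroot. Rebuild on a schedule (not only when application code changes) so that the pinned base image digest is refreshed against newly disclosed CVEs.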
Insecure Application Code
The most overlooked container vulnerability is the application code itself. Go microservices, Python APIs, and Java services running in containers need the same static analysis as any other deployment target. Command injection, SSRF, and insecure deserialization are equally exploitable inside a container.
Real-World Container Breaches
- Tesla Kubernetes (2018): Attackers found a Kubernetes dashboard exposed to the internet without authentication, used it to deploy cryptocurrency mining containers, and recovered AWS credentials from the cluster that gave them access to S3 buckets containing sensitive telemetry data.
- Docker Hub Breach (2019): Unauthorized access to a Docker Hub database exposed data for roughly 190,000 accounts, including usernames, hashed passwords, and GitHub and Bitbucket tokens used for automated builds. Those tokens could have let attackers push malicious code into images built from the linked repositories.
- Codecov Supply Chain (2021): An error in Codecov's Docker image creation process let attackers extract a credential from the image and use it to modify the Bash Uploader script. The tampered script exfiltrated environment variables, including CI secrets and tokens, from thousands of customer CI/CD pipelines for months before it was detected.
These breaches highlight that container security extends beyond Docker configuration. A credential leaked from an image, an orchestration control plane exposed without authentication, and vulnerable application code inside a container are equally critical attack vectors.
How CodeSlick Secures Container Code
While CodeSlick does not scan Docker images or Kubernetes configurations directly, it secures the application code that runs inside containers—the layer most container security tools miss:
- Go analysis (26 checks): Purpose-built for cloud-native applications—detects command injection, SQL injection, SSRF, insecure crypto, and unsafe concurrency patterns in Go microservices
- 5-language coverage: Scans JavaScript, TypeScript, Python, Java, and Go code that powers containerized services
- Dependency scanning: Identifies vulnerable packages in npm, pip, Maven, and Go modules that are bundled into container images
- Secrets detection: 38 patterns catch hardcoded credentials that could end up baked into container images
Integrate CodeSlick into your CI/CD pipeline via the GitHub App or CLI pre-commit hook to scan application code before it is built into a container image.
Scan your Go, Java, and Python code powering containerized applications for security issues.