
Dockerfile Hardening: Minimal Images

Modern DevSecOps (The Hard Way)

Securing Containers

A large container image has a large attack surface: every extra package is another source of CVEs to patch, and every shell, package manager or network tool left behind is something an attacker can use after a foothold. We want small images, ideally 'distroless' (runtime and its shared libraries only) or Alpine-based.

Rules for Secure Dockerfiles:

  1. Pin the base image to a specific version tag, or better a digest (image@sha256:...), never :latest. A floating tag changes underneath you, so builds are not reproducible and a compromised or regressed upstream image slips in unnoticed.
  2. Never run as root in the final image: USER node or USER 1000. A numeric UID works even when the image has no /etc/passwd, as is the case for distroless images.
  3. Remove shells and package managers from the production image. Distroless images ship without sh, apt and curl, so a code-execution bug gives the attacker far less to work with.
  4. Use multi-stage builds so compilers, npm and test tooling stay in the builder stage and only the built artifacts are copied into the final image.
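The four rules applied together, as an added example that is not part of the course material. It assumes a hypothetical Node application with a server.js, package.json and package-lock.json in the build context; the node and gcr.io/distroless base images are real public images, but the digest placeholder in the comment must be filled in from your own docker pull.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build. npm, a shell and any native toolchain live here and are
# thrown away; only the installed app is copied into the final stage.
# Rule 1: specific tag, not :latest. Stronger still is a digest pin, e.g.
#   FROM node:20-bookworm-slim@sha256:<digest from `docker pull`> AS build
FROM node:20-bookworm-slim AS build
WORKDIR /app
COPY package.json package-lock.json ./
# Install exactly what the lockfile says, without dev dependencies.
RUN npm ci --omit=dev
COPY . .

# Stage 2: runtime. Distroless contains node and its shared libraries only:
# no shell, no apt, no npm (rules 3 and 4).
FROM gcr.io/distroless/nodejs20-debian12:nonroot
WORKDIR /app
# Numeric UID/GID: 65532 is the nonroot user in distroless images.
COPY --from=build --chown=65532:65532 /app /app
# Rule 2: explicit non-root user. The :nonroot tag already sets this, but
# stating it here survives a later swap of the base image.
USER 65532:65532
EXPOSE 3000
# The distroless image's entrypoint is already `node`, so CMD is just the script.
CMD ["server.js"]
```

To check the result, docker inspect --format '{{.Config.User}}' <image> should print 65532:65532, and docker run --rm --entrypoint sh <image> should fail because no shell exists in the image. docker history <image> shows that the npm install layer belongs to the discarded build stage and is absent from the final image.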