Container Security
5 min read · Quiz at the end
Non-root user, read-only filesystem, drop capabilities, scan with Trivy, pin image digests.
Container and Docker Security
```dockerfile
# 1. Non-root user
FROM python:3.12-slim
RUN useradd -r -u 1001 appuser
USER appuser
```

```bash
# 2. Read-only filesystem
docker run --read-only myapp

# 3. Drop capabilities
docker run --cap-drop ALL --cap-add NET_BIND_SERVICE myapp

# 4. No --privileged in production (never!)

# 5. Image vulnerability scanning
docker scout cves myapp:latest
# or: trivy image myapp:latest

# Trivy scan (containerised; the socket mount lets it read local images)
docker run -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy image myapp:latest
```

```dockerfile
# 6. Pin base image digests (not just tags)
# immutable: a digest resolves to exactly one image, a tag can be re-pushed
FROM python:3.12-slim@sha256:abc123...
```

```yaml
# 7. Kubernetes Pod Security
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  securityContext:            # pod-level: applies to every container
    runAsNonRoot: true
    runAsUser: 1001
  containers:
    - name: app
      image: myapp@sha256:abc123...   # pinned by digest, as in step 6
      securityContext:        # these fields are container-level only
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: [ALL]
          add: [NET_BIND_SERVICE]
```
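To verify that a running container actually has items 1–4 and 6 of this checklist applied, here is an added example (not from the original page) that audits the JSON `docker inspect <container>` prints; the embedded sample is constructed, and the `allowed_caps` policy of NET_BIND_SERVICE is an assumption taken from step 3.

```python
"""Audit `docker inspect` output against the hardening checklist above."""
import json
import re

# Constructed sample, abridged to the `docker inspect` fields the audit reads.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/myapp",
    "Config": {"User": "", "Image": "myapp:latest"},
    "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                   "CapAdd": ["SYS_ADMIN"], "CapDrop": []},
}])

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def audit_container(inspect_json, allowed_caps=frozenset({"NET_BIND_SERVICE"})):
    """Return a list of findings; empty means every check passed.
    allowed_caps is an assumed policy: the one capability the page re-adds."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        cfg, host = c.get("Config", {}), c.get("HostConfig", {})
        # 1. Non-root user. Empty User means the image default, i.e. root
        #    unless the Dockerfile had a USER line.
        if str(cfg.get("User", "")).split(":")[0] in ("", "0", "root"):
            findings.append(f"{name}: runs as root (set USER in the Dockerfile)")
        # 2. Read-only root filesystem (docker run --read-only)
        if not host.get("ReadonlyRootfs", False):
            findings.append(f"{name}: root filesystem is writable")
        # 3. Capabilities: drop ALL, then re-add only what policy allows
        if "ALL" not in (host.get("CapDrop") or []):
            findings.append(f"{name}: does not --cap-drop ALL")
        extra = sorted(set(host.get("CapAdd") or []) - allowed_caps)
        if extra:
            findings.append(f"{name}: adds capabilities {extra}")
        # 4. --privileged switches off nearly every isolation boundary
        if host.get("Privileged", False):
            findings.append(f"{name}: runs --privileged")
        # 6. Image referenced by immutable digest, not a mutable tag
        if not DIGEST_RE.search(cfg.get("Image", "")):
            findings.append(f"{name}: image {cfg.get('Image')!r} not pinned by digest")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_container(SAMPLE_INSPECT)) or "all checks passed")
```

Pipe real output in with `docker inspect <container>`; item 5 (CVE scanning) remains a job for Trivy or docker scout, since it needs the image contents rather than the runtime configuration.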
Topic Quiz · 1 question
Test your understanding before moving on
1. What tool scans Docker images for CVEs?
💡 Trivy (by Aqua Security) is the most popular tool for scanning container images for known vulnerabilities.