
Docker Security

Harden containers with non-root users, dropped capabilities, image scanning, and minimal base images.

Docker Security Best Practices

# 1. Non-root user (Dockerfile)
#    -r creates a system account with no home directory or login shell
RUN useradd -r appuser
USER appuser

# 2. Read-only filesystem (shell)
#    Add --tmpfs /tmp if the app needs scratch space; everything else stays immutable
docker run --read-only myapp

# 3. Drop capabilities (shell)
#    Start from zero and add back only what the app provably needs
docker run --cap-drop ALL --cap-add NET_BIND_SERVICE myapp

# 4. Scan for CVEs (shell)
docker scout cves myapp:latest

# 5. Minimal base images (Dockerfile)
FROM alpine:3.19          # 5 MB
FROM gcr.io/distroless/python3  # no shell, so no interactive foothold if exploited

# 6. Never --privileged in production: it hands the container every capability and host device
# 7. Use secrets, not env vars, for passwords: env vars are visible in `docker inspect` and /proc
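The checklist above can be turned into an audit of a running container. The following Python is an added example, not part of this tutorial: it reads the fields Docker's own `docker inspect` emits (`Config.User`, `Config.Env`, `HostConfig.Privileged`, `ReadonlyRootfs`, `CapAdd`, `CapDrop`) and reports each practice the container violates. The two sample records and the list of "risky" capabilities and secret-like variable names are constructed for illustration.

```python
import re

# Env var names that look like they carry credentials (constructed heuristic).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY", re.IGNORECASE)
# Capabilities that undo most of the isolation if added back (constructed list).
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _caps(values):
    """Normalise capability names: inspect output may show CAP_NET_ADMIN or NET_ADMIN."""
    return {v.upper().removeprefix("CAP_") for v in values or []}


def audit_container(record: dict) -> list[str]:
    """Return findings for one element of `docker inspect <container>` output."""
    cfg = record.get("Config", {})
    host = record.get("HostConfig", {})
    findings = []
    user = str(cfg.get("User", ""))
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        findings.append("runs as root: set USER in the Dockerfile or pass --user")
    if host.get("Privileged"):
        findings.append("--privileged: all capabilities and host devices exposed")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: run with --read-only")
    if "ALL" not in _caps(host.get("CapDrop")):
        findings.append("capabilities not dropped: use --cap-drop ALL")
    for cap in sorted(_caps(host.get("CapAdd")) & RISKY_CAPS):
        findings.append(f"high-risk capability added: {cap}")
    for env in cfg.get("Env") or []:
        name = env.split("=", 1)[0]
        if SECRET_NAME.search(name):
            findings.append(f"credential in environment variable {name}: use a secrets mount")
    return findings


# Constructed sample records, trimmed to the fields the audit reads.
WEAK = {
    "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]},
    "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                   "CapAdd": ["SYS_ADMIN"], "CapDrop": []},
}
HARDENED = {
    "Config": {"User": "appuser", "Env": ["PATH=/usr/bin"]},
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                   "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"]},
}

if __name__ == "__main__":
    for name, rec in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_container(rec) or ["no findings"])
```

On a real host, feed it `json.load` of `docker inspect <container>` and loop over the returned list.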
Topic Quiz · 2 questions

Test your understanding before moving on

1. Why should containers run as a non-root user?
💡 Running as non-root means a compromised container cannot easily escalate privileges on the host.
2. Which Docker flag makes a container filesystem read-only?
💡 --read-only prevents any writes to the container filesystem at runtime.