Container Security
Practices and tools for securing containers throughout their lifecycle: image building, runtime, orchestration, and compliance.
Tags: seed, security, containers, docker, scanning, runtime, compliance
What it is
Container security encompasses practices for protecting containerized applications throughout their lifecycle: from image building to production execution.
Security layers
Image
- Use official and minimal base images
- Scan for vulnerabilities (Trivy, Snyk, ECR scanning)
- Don't include secrets in images
- Multi-stage builds to reduce attack surface
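The Image rules above can be checked mechanically before an image is ever built. The script below is an added example (not from the page or from any of the tools it names): it parses a Dockerfile into stages and reports an unpinned base image, a single-stage build, secret-looking files or variables baked in, and a final stage that still runs as root. Both Dockerfiles are constructed; the secret-name patterns are a heuristic, not a standard.

```python
"""Static checks for the Image-layer rules: pinned base image, multi-stage
build, no secrets in the image, non-root USER in the final stage.
Added example; both Dockerfiles below are constructed."""
import re
from typing import List

# Constructed: breaks every rule in the Image list.
WEAK_DOCKERFILE = """\
FROM ubuntu
ENV DB_PASSWORD=hunter2
COPY .env /app/.env
COPY . /app
RUN apt-get update && apt-get install -y build-essential
CMD ["/app/start.sh"]
"""

# Constructed: multi-stage build, pinned minimal runtime image, no secrets,
# unprivileged user in the stage that actually runs.
HARDENED_DOCKERFILE = """\
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
"""

# Heuristic patterns for files and variables that usually carry credentials.
SECRET_FILE = re.compile(r"(^|/)(\.env|id_rsa|[^\s]*\.pem|[^\s]*\.key)(\s|$)")
SECRET_ENV = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)\s*=", re.I)


def parse_stages(dockerfile: str) -> List[List[str]]:
    """Split a Dockerfile into stages: one list of instructions per FROM.
    Joins backslash line continuations and drops comments and blank lines."""
    stages: List[List[str]] = []
    joined = re.sub(r"\\\n", " ", dockerfile)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper().startswith("FROM "):
            stages.append([])
        if stages:
            stages[-1].append(line)
    return stages


def check_dockerfile(dockerfile: str) -> List[str]:
    """Return a list of findings; an empty list means the Dockerfile passes."""
    findings: List[str] = []
    stages = parse_stages(dockerfile)
    if not stages:
        return ["no FROM instruction found"]
    if len(stages) == 1:
        findings.append("single-stage build: build tooling ships in the runtime image")
    for stage in stages:
        # FROM [--platform=...] <image>[:tag|@digest] [AS name]
        tokens = [t for t in stage[0].split()[1:] if not t.startswith("--")]
        image = tokens[0]
        last = image.split("@")[0].split("/")[-1]
        tag = last.rsplit(":", 1)[1] if ":" in last else None
        if "@" not in image and (tag is None or tag == "latest"):
            findings.append(f"unpinned base image: {image}")
        for ins in stage[1:]:
            verb, _, rest = ins.partition(" ")
            verb = verb.upper()
            if verb in ("COPY", "ADD") and SECRET_FILE.search(rest):
                findings.append(f"secret-looking file copied into image: {ins}")
            if verb in ("ENV", "ARG") and SECRET_ENV.search(rest):
                findings.append(f"secret in build instruction: {ins}")
    # Only the last stage runs in production; it must switch away from root.
    final = stages[-1]
    users = [i.split()[1] for i in final if i.upper().startswith("USER ")]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root (no non-root USER)")
    return findings


if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        result = check_dockerfile(df)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

The check runs on the Dockerfile text alone, so it fits as a pre-commit hook or an early CI step, before the (slower) image scan. Note that a `USER` instruction in a build stage counts for nothing; only the final stage's user matters, which is why the check looks there.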
Build
- Sign images (cosign)
- Verify provenance (SLSA)
- CI/CD gates blocking vulnerable images

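A CI/CD gate is only as good as its decision rule. The script below is an added example (not from the page, Trivy or any other scanner): it reads a scan report, blocks on CRITICAL and HIGH findings that have a fix available, and honours a time-boxed allowlist so that an accepted risk expires instead of living forever. The report is constructed in the shape of Trivy's JSON output (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `Severity`, `FixedVersion`); that shape is an assumption to verify against your scanner, and the vulnerability IDs are placeholders, not real CVEs.

```python
"""CI gate over an image scan report: fail on fixable CRITICAL/HIGH findings,
with time-boxed exceptions. Added example; the report below is constructed
in the shape of Trivy's JSON output (assumed format, placeholder IDs)."""
import json
from datetime import date
from typing import Dict, List, Optional, Tuple

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample report; IDs are placeholders, not real vulnerabilities.
SCAN_RESULT = json.dumps({
    "ArtifactName": "registry.example.test/app:1.4.2",
    "Results": [{
        "Target": "registry.example.test/app:1.4.2 (alpine 3.19.1)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "libother",
             "InstalledVersion": "2.3.0-r1", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "busybox",
             "InstalledVersion": "1.36.1-r15", "FixedVersion": "1.36.1-r16",
             "Severity": "MEDIUM"},
        ],
    }],
})


def evaluate_scan(report_json: str, ignore_unfixed: bool = True,
                  allowlist: Optional[Dict[str, str]] = None,
                  today: Optional[str] = None) -> Tuple[bool, List[Dict[str, str]]]:
    """Return (allowed, blocking_findings).

    ignore_unfixed: skip findings with no FixedVersion (nothing to upgrade to).
    allowlist: {vulnerability id: ISO expiry date}; an entry past its expiry
               blocks again, so exceptions must be renewed deliberately.
    today: ISO date used for expiry comparison (defaults to the real date).
    """
    report = json.loads(report_json)
    allowlist = allowlist or {}
    current = date.fromisoformat(today) if today else date.today()
    blocking: List[Dict[str, str]] = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in BLOCKING_SEVERITIES:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # track it, but do not block the build
            vid = vuln.get("VulnerabilityID", "")
            expiry = allowlist.get(vid)
            if expiry and date.fromisoformat(expiry) >= current:
                continue  # exception still valid
            blocking.append({
                "id": vid,
                "severity": vuln.get("Severity", ""),
                "package": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "target": result.get("Target", ""),
            })
    return (not blocking, blocking)


def gate(report_json: str, **kwargs) -> int:
    """Print the verdict and return the process exit code for the CI step."""
    allowed, blocking = evaluate_scan(report_json, **kwargs)
    for b in blocking:
        print(f"BLOCK {b['severity']} {b['id']} {b['package']} "
              f"{b['installed']} -> {b['fixed']} ({b['target']})")
    print("image allowed" if allowed else f"image blocked: {len(blocking)} finding(s)")
    return 0 if allowed else 1


if __name__ == "__main__":
    raise SystemExit(gate(SCAN_RESULT))
```

Trivy can enforce the basic rule on its own with `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed`; what a wrapper like this adds is the expiring allowlist, which is the part teams most often get wrong by hard-coding permanent ignores. Pair the gate with `cosign verify` on the same image reference so that only scanned and signed images proceed to deployment.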
Runtime
- Don't run as root
- Read-only filesystem when possible
- Limit kernel capabilities
- Network policies to isolate traffic
Orchestration
- RBAC in Kubernetes
- Pod Security Standards
- Secrets management (not in plain environment variables)
- Admission controllers for policies
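The Runtime and Orchestration rules above are what an admission controller enforces at deploy time. The script below is an added example (not from the page, Kubernetes, or Gatekeeper): it evaluates a Pod manifest against a policy modelled on the Pod Security Standards restricted profile (no privileged or host-namespace containers, `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, capabilities dropped to ALL with at most NET_BIND_SERVICE added back, a RuntimeDefault or Localhost seccomp profile) plus two rules from the lists above that PSS does not cover: a read-only root filesystem and no secret-looking values in plain environment variables. Both manifests are constructed and given as Python dicts so the check runs without a YAML library; in a cluster the same logic would live in a Rego policy or a validating webhook.

```python
"""Admission-style policy check of a Pod spec against the Runtime and
Orchestration rules: modelled on the Pod Security Standards restricted
profile plus read-only root filesystem and no plain-text secrets in env.
Added example; both manifests below are constructed."""
from typing import Any, Dict, List

SECRET_NAMES = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")

# Constructed: violates every rule the check knows about.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "registry.example.test/api:latest",
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed: the same workload with a restricted-profile security context
# and the credential pulled from a Secret object instead of a literal.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api",
            "image": "registry.example.test/api:1.4.2",
            "env": [{"name": "DB_PASSWORD", "valueFrom": {
                "secretKeyRef": {"name": "api-db", "key": "password"}}}],
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return policy findings for one Pod; an empty list means admit."""
    findings: List[str] = []
    spec = pod.get("spec", {}) or {}
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext", {}) or {}
    # Baseline: no sharing of host namespaces.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"{name}: {field} is enabled")
    containers = list(spec.get("containers", [])) + list(spec.get("initContainers", []))
    for c in containers:
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {}) or {}
        # Container-level settings override pod-level ones where both apply.
        effective = lambda key: sc.get(key, pod_sc.get(key))  # noqa: E731
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation must be explicitly false")
        if effective("runAsNonRoot") is not True:
            findings.append(f"{name}/{cname}: runAsNonRoot is not true")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        caps = sc.get("capabilities", {}) or {}
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}/{cname}: capabilities not dropped (expected drop: [ALL])")
        extra = sorted(set(caps.get("add", [])) - {"NET_BIND_SERVICE"})
        if extra:
            findings.append(f"{name}/{cname}: capabilities added beyond NET_BIND_SERVICE: {extra}")
        seccomp = (effective("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}/{cname}: seccompProfile is not RuntimeDefault or Localhost")
        for env in c.get("env", []) or []:
            env_name = env.get("name", "")
            if "value" in env and any(k in env_name.upper() for k in SECRET_NAMES):
                findings.append(f"{name}/{cname}: secret-looking env var {env_name} set as a plain value")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        result = check_pod(pod)
        print(f"{label}: {'ADMIT' if not result else 'DENY'}")
        for finding in result:
            print("  -", finding)
```

Two details matter for anyone turning this into a real webhook: `allowPrivilegeEscalation` is checked for an explicit `False`, because an absent field defaults to allowed, and `runAsNonRoot` and `seccompProfile` are read at the container level first and then the pod level, mirroring how the kubelet resolves them. A read-only root filesystem normally needs an `emptyDir` for scratch paths such as `/tmp`, which is why the hardened manifest mounts one.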
Tools
| Tool | Function |
|---|---|
| Trivy | Vulnerability scanning |
| Falco | Runtime threat detection |
| OPA/Gatekeeper | Admission policies |
| cosign | Image signing |
Why it matters
Containers are not secure by default. Images with known vulnerabilities, running as root, and embedded secrets are common mistakes that turn containers into attack vectors. Container security must be part of the pipeline, not an afterthought.
References
- NIST Container Security Guide — SP 800-190.
- Container Security Best Practices — Sysdig, 2024. Practical container security guide.
- Dockerfile Best Practices — Docker, 2024. Best practices for secure images.