Security Hardening on Docker Container Images and Build Files
- Create a non-root user for container images.
- Scan images for vulnerabilities regularly, apply patches promptly, and then create new container instances from the patched image.
- Do not use the ADD instruction in the Dockerfile; applying ADD to files from unknown sources introduces security risks.
- Do not store sensitive information in the Dockerfile.
- Do not run the package manager's update command on its own in a RUN instruction.
- Add a health check mechanism for the container, and verify the scripts or commands that the health check runs so that they do not cause service or system exceptions.
- Do not add files and directories with SUID and SGID permissions to the container.
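As an added example (not from the page, and not Docker's own tooling), a small Python checker that flags violations of the checklist above in a Dockerfile; the two Dockerfiles it scans are constructed samples, and the heuristics (regex patterns for secrets, update-only RUN lines and setuid chmod) are simplifications.

```python
import re
# Constructed sample Dockerfiles (not from the page): BAD violates the checklist, GOOD is the hardened form.
BAD = """FROM ubuntu:22.04
RUN apt-get update
ADD https://example.invalid/tool.tar.gz /opt/
ENV DB_PASSWORD=hunter2
RUN chmod u+s /opt/tool
CMD ["/opt/tool"]
"""
GOOD = """FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY tool.tar.gz /opt/
RUN find / -xdev -perm /6000 -type f -exec chmod a-s {} + || true
RUN useradd -r -u 10001 app
USER app
HEALTHCHECK --interval=30s CMD ["/opt/tool", "--health"]
CMD ["/opt/tool"]
"""
SECRET = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)\w*\s*=", re.I)  # secret-looking ENV/ARG keys
UPDATE = re.compile(r"\b(apt(-get)?|yum|dnf|apk)\s+update\b")        # package index refresh
SETID = re.compile(r"chmod\s+(?:[ugoa]*\+[rwx]*s|[2-7][0-7]{3}\b)")  # u+s, g+s, or 4xxx/2xxx octal

def parse(text):
    """Join backslash line continuations; yield (INSTRUCTION, arguments) pairs."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            instr, _, args = line.partition(" ")
            yield instr.upper(), args.strip()

def check_dockerfile(text):
    """Return one finding string per checklist rule the Dockerfile violates."""
    ins, findings = list(parse(text)), []
    users = [a.split(":")[0] for i, a in ins if i == "USER"]
    if not users or users[-1] in ("root", "0"):  # last USER wins at runtime
        findings.append("no non-root USER: processes run as root")
    if not any(i == "HEALTHCHECK" for i, _ in ins):
        findings.append("no HEALTHCHECK instruction")
    for i, a in ins:
        if i == "ADD":
            findings.append(f"ADD used, prefer COPY: {a}")
        elif i in ("ENV", "ARG") and SECRET.search(a):
            findings.append(f"possible secret baked into {i}: {a.split('=')[0]}")
        elif i == "RUN" and UPDATE.search(a) and not re.search(r"\b(install|add)\b", a):
            findings.append("package update run on its own (layer caching yields stale packages)")
        elif i == "RUN" and SETID.search(a):
            findings.append(f"SUID/SGID bit set: {a}")
    return findings
```

Running `check_dockerfile(BAD)` yields six findings, one per violated rule, while the hardened `GOOD` Dockerfile yields none.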