Containers

About

Containers have revolutionized the way applications are developed, deployed, and managed. They provide a lightweight, standalone, executable package that includes everything needed to run a piece of software, including the code, a runtime, system tools, system libraries, and settings. Containers are portable across different platforms and they offer a consistent environment, which is a major advantage for developers and system administrators.

Nevertheless, a container is not "secure by itself"... a container include code binaries, configuration files, dependencies, the host environment, network configurations... Each of these can cause an attack surface [1].

Container security involves defining and adhering to build, deployment, and runtime practices that protect a Linux container—from the applications they support to the infrastructure they rely on [2].

Best practices

Here are some Container security best practices [1][2][3][4][5]:

• Do NOT run as root (and don't use 'sudo', 'doas' or others...)

• Use trusted base images (as minimal as possible)

• Sign your container images

• Update your environment & base images

• Close unused ports

• Do NOT use hardcoded credentials

• Do NOT store secrets in environment variables

• Be cautious when using the 'latest' tag for the base image... (it may introduce a new vulnerability)

• Avoid curl bashing (pulling scripts from internet and piping into the shell)

• Do NOT upgrade your system packages (it amplifies the unpredictability of your dependencies tree, pin your software dependencies)

• Do NOT use ADD if possible (use COPY). If you really have to use COPY use trusted sources over secure connections

• Scan your container environments regularly (checkout the tools below)

• Secure your code and its dependencies (checkout the Static Analysis section)

• Manage all layers in between the base image and your code

• Use access management (following the principle of least privilege)

• Follow the OWASP Docker Top 10 project points (overview):

  • D01 - Secure User Mapping

  • D02 - Patch Management Strategy

  • D03 - Network Segmentation and Firewalling

  • D04 - Secure Defaults and Hardening

  • D05 - Mantain Security Contexts

  • D06 - Protect Secrets

  • D07 - Resource Protection

  • D08 - Container Image Integrity and Origin

  • D09 - Follow Immutable Paradigm

  • D10 - Logging

• Checkout the OWASP Docker Security Cheat Sheet

Cloud / Registries

Some cloud offerings, related to container image registries and registries services offers vulnerability scanning and assessment:

• AWS Elastic Container Registry (ECR): AWS ECR offers scanning and managing software vulnerabilities to meet security requirements.

• Azure Container Registry (ACR): Azure offers Microsoft Defender for Containers, which will scan images for vulnerabilities.

• Google Cloud (GCP) Artifact Registry: it offers Container Analysis integration to provide vulnerability scanning and metadata storage for containers on Google Cloud.

• Docker Hub: supports an automatic vulnerability scanning feature, which when enabled, automatically scans images when you push them to a Docker Hub repository. Requires a Docker subscription.

Tools

Some are from the Static Analysis section, these tools covers "Containers":

• Snyk Container: Container and Kubernetes security that helps developers and DevOps find and fix vulnerabilities throughout the SDLC — before workloads hit production.

• Docker Scout (included in Docker Desktop): a collection of software supply chain features that appear throughout Docker user interfaces and the command line interface (CLI). These features provide detailed insights into the composition and security of container images.

• Qualys Container Security (CS): Qualys Container Security allows you to discover, track and continuously secure containers – from build to runtime. It provides deep visibility across on-premise container environments and managed containers across multiple cloud providers.

• Aqua Security - Trivy: a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues. One of these targets is container images.

• Chef Inspec (web): an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.

inspec exec https://github.com/dev-sec/linux-baseline -t docker://<docker_id>

inspec exec https://github.com/dev-sec/cis-docker-benchmark -t docker://<docker_id>

• Docker Bench for Security: a script that checks for dozens of common best-practices around deploying Docker containers in production.

• Anchore grype: vulnerability scanner for container images and filesystems.

• Haskell Dockerfile Linter: a smarter Dockerfile linter that helps you build best practice Docker images.

• Dockle (web): container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start.

• Quay Clair (web): is an open source project for the static analysis of vulnerabilities in application containers (currently including OCI and docker).

• Dive (⚠️): not a scanner itself (but could help), it's a tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image.

• Dagda (⚠️): a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.

Sources

[1]: How to Secure Your Docker Containers: Tips and Challenges - PurpleBox (prplbx.com)

[2]: What is container security? (redhat.com)

[3]: What is container security? | Container Security | Snyk

[4]: Docker Security Best Practices from the Dockerfile (cloudberry.engineering)

[5]: Security best practices | Docker Documentation