Container Security Basics
Key security considerations for Docker containers and orchestrators, from image scanning to runtime protection.
Last updated Apr 7, 2026Current
Continue your mission
Key security considerations for Docker containers and orchestrators, from image scanning to runtime protection.
Containers share the host operating system's kernel, which means a vulnerability in the kernel or a container escape affects all containers on that host. Unlike virtual machines, containers do not provide hardware-level isolation. This makes securing the container lifecycle (build, ship, run) essential.
Container security starts with the image. A container image is a layered filesystem that includes the application code, runtime, libraries, and sometimes an entire OS distribution.
Use minimal base images. Alpine Linux, distroless images, or scratch-based images contain fewer packages, which means fewer potential vulnerabilities. A full Ubuntu image might have hundreds of packages you never use, each adding attack surface.
Scan images for vulnerabilities. Tools like Trivy, Grype, and Snyk Container analyze image layers against vulnerability databases. Integrate scanning into your CI/CD pipeline so that images with critical vulnerabilities are blocked before deployment.
Do not hardcode secrets. Never embed API keys, passwords, or certificates in container images. Images are stored in registries and can be pulled by anyone with access. Use secret management solutions like HashiCorp Vault, AWS Secrets Manager, or Kubernetes Secrets (encrypted at rest).
Pin image versions. Never use the latest tag in production. It creates non-reproducible builds and can introduce unexpected changes. Pin to specific digests or version tags.
Container registries (Docker Hub, Amazon ECR, Azure ACR, Google Artifact Registry) store your images. Enable vulnerability scanning at the registry level. Restrict who can push and pull images. Use private registries for internal images. Sign images with tools like Cosign so that runtime environments can verify image provenance.
Run containers as non-root. By default, many container images run processes as root. If an attacker exploits a vulnerability in the application, they get root inside the container, which makes escape easier. Specify a non-root user in your Dockerfile with the USER directive.
Drop unnecessary capabilities. Linux capabilities grant specific privileges (like binding to low ports or modifying network settings). Containers should run with the minimum capabilities required. Drop all capabilities and add back only what is needed.
Use read-only filesystems. If your container does not need to write to its filesystem, mount it as read-only. This prevents attackers from modifying binaries or dropping tools.
Limit resources. Set CPU and memory limits to prevent a compromised container from consuming all host resources (denial of service). In Kubernetes, use ResourceQuotas and LimitRanges.
Network policies. By default, all containers in a Kubernetes cluster can communicate with each other. Use Network Policies to restrict pod-to-pod communication to only what is necessary, implementing microsegmentation.
Tools like Falco monitor container behavior at runtime by observing system calls. Falco can alert when a container spawns an unexpected shell, reads sensitive files, or makes unusual network connections. This provides detection capabilities for attacks that bypass preventive controls.
If you use Kubernetes, secure the control plane: enable RBAC, restrict access to the API server, enable audit logging, encrypt etcd data at rest, and use admission controllers (like OPA Gatekeeper or Kyverno) to enforce policies on what can be deployed.
Regularly update your orchestrator. Kubernetes releases security patches frequently, and running outdated versions exposes you to known vulnerabilities in the platform itself.
CDA Theater missions that address topics covered in this article.
Cryptographic technique that encrypts data while preserving its original format and length, enabling protection without breaking legacy system compatibility.
Guide to HTTP/2 security covering binary framing, HPACK compression attacks, rapid reset vulnerability, stream multiplexing risks, and mitigation strategies.
Explanation of Certificate Transparency framework, covering log servers, Signed Certificate Timestamps, monitoring capabilities, and detection of fraudulent certificates.
Written by CDA Wiki Team
Found an issue? Help improve this article.