Docker Security Best Practices | Scout Trivy Scans

Securing Dockerized environments is crucial for protecting applications and data from potential vulnerabilities and attacks. By following best practices, you can reduce the overall risk associated with containerized applications. This guide walks you through Docker security best practices, including slimming down images, running non-root containers, scanning for vulnerabilities with tools like Docker Scout and Trivy, and secrets management with an example for Spring Boot applications.

Table of Contents

1. Slimming Down Images
2. Avoiding Root Users
3. Scanning for Vulnerabilities (Docker Scout/Trivy)
4. Secrets Management in Docker
   • Spring Boot Implementation Example
5. Final Thoughts

Slimming Down Images

Reducing the size of your Docker images minimizes the attack surface and improves container startup times. Here are some strategies to slim down Docker images effectively.

Use Lightweight Base Images

Favor minimalist base images like Alpine or Debian Slim over standard Ubuntu or CentOS images.

# Use lightweight base image
FROM alpine:3.18
RUN apk add --no-cache openjdk17

Multi-Stage Builds

Multi-stage builds reduce the final image size by separating the build and runtime stages. This ensures only production-essential files are included in the final image.

Example:

# Stage 1: Build application
FROM maven:3.9 as builder
WORKDIR /app
COPY pom.xml .
COPY src ./src
RUN mvn clean package

# Stage 2: Create a slim runtime image
FROM openjdk:17-jdk-slim
WORKDIR /app
COPY --from=builder /app/target/app.jar app.jar
ENTRYPOINT ["java", "-jar", "app.jar"]

Remove Unnecessary Files

Clean up unused files, temporary data, and cache layers during the build process.

RUN apt-get update && apt-get install -y curl \
    && rm -rf /var/lib/apt/lists/*

Pin Dependencies

Always pin specific versions of packages and dependencies to prevent accidental upgrades introducing vulnerabilities.

RUN apk add --no-cache python=3.11.5

Slim and secure images are easier to maintain, deploy faster, and reduce opportunities for attackers.

Avoiding Root Users

By default, Docker containers run as root, which can be exploited if the container is compromised. Running as a non-root user is a strong defense-in-depth measure.

Why Avoid Root?

A malicious user or process running as root in the container can potentially escape the container and gain access to the host system, exposing critical resources.

Non-Root Docker Containers

1. Create a Non-Root User:
   Add and switch to a non-root user in your Dockerfile. FROM python:3.11-slim RUN useradd -m appuser USER appuser WORKDIR /app COPY . . ENTRYPOINT ["python", "app.py"]
2. Use USER Instruction:
   The USER Dockerfile command ensures that the application runs under a non-root user. USER 1001

Drop Capabilities

Minimal capabilities equate to minimal exploitation risk.

docker run --cap-drop all -d nginx

Properly configured non-root containers significantly reduce the risk of privilege escalation attacks.

Scanning for Vulnerabilities (Docker Scout/Trivy)

Container images may contain vulnerabilities in libraries, software, or operating system packages. Regular scans can identify and address known security issues.

Docker Scout

Docker Scout is a tool for analyzing security vulnerabilities in container images.

Scan a Docker Image:

docker scout cves my-app-image

Output Example:

CVE-2023-12345 in package xzy fixed in version 1.2.3
Severity level: HIGH

Trivy

Trivy is an open-source vulnerability scanner that checks images for known vulnerabilities and compliance issues.

Install Trivy

brew install aquasecurity/trivy/trivy

Scan a Docker Image

trivy image my-app-image

Output Example:

NAME        INSTALLED   FIXED-IN    CVE          SEVERITY
libabc      1.0.0       1.2.3       CVE-2023-456  CRITICAL

Integrate Security Scanning into CI/CD

Automate vulnerability scanning with tools like GitHub Actions or Jenkins.

Example GitHub Actions Workflow:

name: Scan Docker Image

on:
  push:
    branches:
      - main

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code
      uses: actions/checkout@v3
    - name: Run Trivy Scan
      run: |
        docker build -t my-app .
        trivy image my-app

Scanning images regularly ensures vulnerabilities are caught early in the development cycle, minimizing security risks.

Secrets Management in Docker

Hardcoding secrets (e.g., passwords, API keys) in Dockerfiles, environment variables, or code exposes critical information. Always use secure strategies to manage secrets.

Best Practices for Secrets

1. Use Docker Secrets (Swarm or Third-Party Tools):
   Encrypt secrets and inject them into containers securely.
2. External Secrets Management:
   Use tools like Vault, AWS Secrets Manager, or Azure Key Vault.
3. Avoid Environment Variables for Secrets:
   Since environment variables are visible to processes, prefer dedicated secret managers.

Spring Boot Implementation Example

Here’s how to manage secrets securely in a Spring Boot application:

Externalize Secrets

1. Use Application Properties
   Store secrets in environment variables and reference them in application.yml: spring: datasource: username: ${DB_USERNAME} password: ${DB_PASSWORD}
2. Inject Secrets from Vault (Example with HashiCorp Vault)

Step 1 – HashiCorp Vault Setup:
Store secrets in Vault:

vault kv put secret/db username=root password=mysecurepassword

Step 2 – Use Spring Cloud Vault:
Add dependencies in pom.xml:

<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>

Step 3 – Configure Spring Boot:
Add the following configuration to application.yml:

spring:
  cloud:
    vault:
      uri: http://localhost:8200
      token: <VAULT_TOKEN>
      generic:
        backend: secret
        default-context: application

Access secrets in your Spring service:

@Value("${db.username}")
private String username;

Diagram for Spring Boot and Secret Management:

Adopting secure secrets management reduces accidental disclosures and secures sensitive data effectively.

Final Thoughts

Docker security is a layered process, from reducing image sizes and running non-root users to leveraging vulnerability scans and securely managing secrets. By adopting these best practices and using proper tools, you can greatly improve your containerized applications’ security posture.

Bookmark this guide for future reference and ensure your Dockerized workloads are not only efficient but resilient against evolving security threats!