Back to blog

Docker Security Best Practices: Building Lightweight and Secure Container Images

Docker has revolutionized application deployment. However, shipping your application in a container does not automatically make it secure. Many public base images contain hundreds of vulnerabilities, and running containers with root privileges increases the attack surface significantly.

To protect your applications in production, you should follow these security best practices.

1. Use Multi-Stage Builds

One of the best ways to secure your Docker images is to keep them as small as possible. The fewer packages you have in your production container, the fewer vulnerabilities there are to exploit.

Multi-stage builds allow you to use a heavy image with all compilation dependencies to build your code, and then copy only the compiled binaries into a lightweight runtime image.

# Stage 1: Build
FROM golang:1.21-alpine AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp

# Stage 2: Final Runtime
FROM alpine:3.19
WORKDIR /app
COPY --from=builder /app/myapp .
CMD ["./myapp"]

2. Never Run as Root

By default, Docker containers run as the root user. If an attacker manages to break out of your application, they will have root access to the container and potentially the host system.

Always create a dedicated user and switch to it using the USER directive.

FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .

# Create a non-root group and user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser

EXPOSE 3000
CMD ["node", "index.js"]

3. Choose Minimal Base Images

Avoid using generic OS base images like ubuntu or debian unless absolutely necessary. Instead, look for minimal alternatives:

  • Alpine: A security-oriented, lightweight Linux distribution (~5MB).
  • Distroless: Images created by Google that contain only your application and its runtime dependencies. They do not contain package managers, shells, or standard Unix utilities.
# Using Google Distroless for a Go application
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app/myapp /myapp
CMD ["/myapp"]

4. Scan Images for Vulnerabilities

Integrate vulnerability scanning tools into your CI/CD pipelines. Tools like Trivy, Snyk, or Docker's built-in docker scout can scan your images and warn you about CVEs (Common Vulnerabilities and Exposures) before they hit production.

trivy image myapp:latest

Conclusion

Securing your Docker images is an iterative process. By implementing multi-stage builds, switching to non-root users, utilizing minimal base images, and running regular vulnerability scans, you can drastically reduce your production risk.