Container Security: Scanning and Securing Docker Images

Can Kaya

Security Specialist

March 21, 2026 · 12 min read

Containers simplify application deployment but misconfigured containers create serious security risks. According to Snyk's 2024 report, 75% of popular images on Docker Hub contain known vulnerabilities. This guide covers Docker image scanning, minimal base image usage, rootless containers, and runtime security policies.

Docker Image Security Scanning

Every Docker image should go through security scanning after build and before deploy. Trivy, Grype, and Snyk are the most common open-source scanning tools. Integrate them into your CI/CD pipeline to prevent deploying images with critical vulnerabilities.

terminal
# Scan image with Trivy
trivy image myapp:latest

# Show only CRITICAL and HIGH vulnerabilities
trivy image --severity CRITICAL,HIGH myapp:latest

# CI/CD usage: fail build if critical vuln found
trivy image --exit-code 1 --severity CRITICAL myapp:latest
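Where `--exit-code 1` is too blunt (it cannot express "block on CRITICAL, block on HIGH only when a fix exists, and accept a reviewed CVE"), the pipeline can instead consume Trivy's JSON report (`trivy image --format json --output report.json myapp:latest`) and apply the policy in code. The gate below is an added example, not from the original article; the report it parses is constructed inline in Trivy's JSON layout, and its CVE IDs are placeholders.

```python
import json

# Constructed sample in the layout of `trivy image --format json` output;
# not a real scan result, and the CVE IDs are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "myapp:latest (alpine 3.19.1)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
         "InstalledVersion": "3.1.4-r0", "FixedVersion": "3.1.4-r5", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
         "InstalledVersion": "1.36.1-r15", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
         "InstalledVersion": "1.3-r2", "FixedVersion": "1.3.1-r0", "Severity": "MEDIUM"},
    ],
}]})

BLOCKING = {"CRITICAL", "HIGH"}


def blocking_findings(report_json: str, accepted=(), ignore_unfixed: bool = True) -> list[dict]:
    """Findings that fail the build: CRITICAL/HIGH, not on the accepted-risk
    list (CVE IDs), and (when ignore_unfixed) having an upstream fix to move to.
    Same effect as --severity CRITICAL,HIGH --ignore-unfixed, but the policy
    lives in reviewable code next to the pipeline."""
    accepted = set(accepted)
    hits = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null (not []) for targets with no findings
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in BLOCKING:
                continue
            if vuln["VulnerabilityID"] in accepted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet: track it, do not block
            hits.append({**vuln, "Target": result.get("Target", "")})
    return hits


def gate(report_json: str, accepted=()) -> int:
    """Print blocking findings and return the CI step's exit code (1 = fail)."""
    hits = blocking_findings(report_json, accepted)
    for h in hits:
        print(f"{h['Severity']:8} {h['VulnerabilityID']} {h['PkgName']} "
              f"{h['InstalledVersion']} -> {h['FixedVersion']} ({h['Target']})")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Accepted CVE IDs should come from a version-controlled file with an expiry date per entry, so the weekly rescan mentioned later re-opens the question rather than silencing it forever.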

Writing Secure Dockerfiles

Dockerfile
# Multi-stage build for minimal image
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
# Install all dependencies here: the build step usually needs devDependencies
# (compilers, bundlers), which --only=production / --omit=dev would skip
RUN npm ci
# Keep a .dockerignore (.git, .env, node_modules) so secrets and local files are not copied in
COPY . .
RUN npm run build
# Drop devDependencies so only runtime packages reach the production image
RUN npm prune --omit=dev

# Production image - distroless or alpine
FROM node:20-alpine
WORKDIR /app
ENV NODE_ENV=production

# Create non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup

# Copy only the build output and pruned runtime dependencies, owned by the app user
COPY --from=builder --chown=appuser:appgroup /app/dist ./dist
COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules

# Run as non-root user
USER appuser
EXPOSE 3000
CMD ["node", "dist/main.js"]

Base Image     Size      CVE Count   Usage
ubuntu:22.04   77 MB     30-50+      Development
alpine:3.19    7 MB      0-5         Production (recommended)
distroless     2-15 MB   0-2         Maximum security

💡 Tip: Distroless images contain no shell, package manager, or unnecessary tools. Even if an attacker gains access to the container, they cannot run a shell. Use Google's distroless images for Go, Java, and Node.js.

For Docker multi-stage build details, check our Docker Multi-Stage Build guide. For Kubernetes security, see our Kubernetes guide. For server security, review our Hardening Checklist. Run your container infrastructure securely with Hosted Cloud cloud servers.

Frequently Asked Questions

Are containers less secure than VMs?

Containers share the kernel with the host, so isolation is weaker compared to VMs. However, with proper configuration (rootless, seccomp, AppArmor), container security can be brought to a sufficient level for production environments.

Is pulling images from Docker Hub safe?

Prefer only "Official" and "Verified Publisher" tagged images. In any case, scan pulled images with Trivy. For production environments, using your own private registry and signing images is recommended.

What is a rootless container?

A rootless container runs the Docker daemon and container without root privileges. In case of container escape, the attacker cannot gain root access on the host. Docker 20.10+ and Podman support rootless by default.

How often should I scan images?

Run automatic scans in your CI/CD pipeline on every build. Also rescan existing images in your registry weekly - as new CVEs are discovered, previously safe images may become risky.

Are Alpine images always the best choice?

Alpine is generally a good choice due to its small size and low CVE count. However, it uses musl libc and may have compatibility issues with some applications. For applications requiring glibc, prefer Debian slim or distroless.

Conclusion

Container security requires a multi-layered approach from build to runtime. Use minimal base images, scan for vulnerabilities on every build, run containers as non-root users, and apply runtime security policies.

Container-Ready Infrastructure

Run your Docker and Kubernetes infrastructure securely with Hosted Cloud cloud servers.

Can Kaya, Security Specialist: CISSP-certified security expert creating content on cybersecurity, DDoS protection, and server hardening.