
Docker Security Basics

#Docker #DevSecOps #Containers

Containers are not virtual machines. They share the host kernel. If a container is compromised, the host might be too.

1. Do Not Run as Root

By default, processes inside a container run as root. If they escape, they are root on the host.

Fix: Create a user in your Dockerfile.

# BusyBox (Alpine) syntax; on Debian-based images use groupadd/useradd instead
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser

2. Use Minimal Base Images

Don't use ubuntu:latest if you don't need it. Use alpine or distroless.

  • Smaller attack surface.
  • Fewer vulnerabilities (CVEs).

3. Scan Your Images

Use tools like Trivy or Grype in your CI/CD pipeline to scan images for known vulnerabilities before deploying.

trivy image my-app:latest

4. Limit Resources

An attacker can crash your host by consuming all RAM/CPU (DoS). Use Docker limits:

# docker-compose.yml, nested under services.<service-name>:
deploy:
  resources:
    limits:
      cpus: '0.50'
      memory: 512M
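Sections 1, 2 and 4 above are all checkable before anything is deployed. The following linter is an added example (not code from the original post): it statically checks a Dockerfile for root execution and full-distro or floating-tag base images, and a Compose service definition for missing CPU/memory limits. The Dockerfile text and service dict are constructed inputs, and the distro name list is an assumption.

```python
"""Static checks for sections 1, 2 and 4 of the post (added example, not the
post's own code). Nothing here runs Docker; a finding is a string naming one gap."""
# Constructed sample: an image and a service that ignore the advice above.
DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3
COPY app.py /app/app.py
CMD ["python3", "/app/app.py"]
"""
COMPOSE_SERVICE = {"image": "my-app:latest", "ports": ["8080:8080"]}

FULL_DISTROS = {"ubuntu", "debian", "centos", "fedora", "rockylinux"}  # assumed list


def lint_dockerfile(text: str) -> list[str]:
    """Findings for root execution (section 1) and heavy/unpinned bases (section 2)."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    # Section 1: the last USER instruction decides who the container runs as;
    # no USER at all means root.
    users = [ln.split()[1] for ln in lines if ln.upper().startswith("USER ")]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("runs as root: add a non-root USER instruction")
    # Section 2: check every FROM (builder stages included, which is conservative).
    for ln in lines:
        if not ln.upper().startswith("FROM "):
            continue
        tokens = [t for t in ln.split()[1:] if not t.startswith("--")]  # drop --platform=
        image = tokens[0]
        if image == "scratch" or "@sha256:" in image:
            continue  # empty base, or pinned by digest
        last = image.rpartition("/")[2]  # strip registry and namespace
        name, _, tag = last.partition(":")
        if name in FULL_DISTROS:
            findings.append(f"full-distro base {image}: prefer alpine or distroless")
        if tag in ("", "latest"):
            findings.append(f"floating tag on {image}: pin a version so scans stay reproducible")
    return findings


def lint_compose_service(service: dict) -> list[str]:
    """Findings for missing CPU/memory limits (section 4)."""
    limits = service.get("deploy", {}).get("resources", {}).get("limits", {})
    return [f"no {key} limit: set deploy.resources.limits.{key}"
            for key in ("cpus", "memory") if key not in limits]


if __name__ == "__main__":
    for finding in lint_dockerfile(DOCKERFILE) + lint_compose_service(COMPOSE_SERVICE):
        print("FINDING:", finding)
```

Run against the sample it reports three Dockerfile gaps and two missing limits; a Dockerfile following the steps above (pinned alpine base plus a non-root USER) and a service with both limits set produce no findings.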