Security
Main points from this article by Gianluca Brindisi on Docker security:
- no secrets in environment variables
- don't trust all base images -> use the official DockerHub base images
- don't use the latest tag, because it is unpredictable
- avoid curl | bash installs, because they are unpredictable
- avoid upgrading packages inside the image, because it is unpredictable
- don't run as ROOT or use SUDO
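The following Dockerfile is an added example (not from Brindisi's article) that applies each point above in one build; the names myapp, appuser and the netrc secret id are constructed for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the article: a Dockerfile applying each point above.
# Names (myapp, appuser, the secret id "netrc") are constructed for illustration.

# Pin an explicit tag of an official DockerHub image instead of :latest, so a
# rebuild tomorrow pulls the same base. For full reproducibility append the
# digest you verified, e.g. golang:1.22-alpine@sha256:<digest>.
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY go.mod go.sum ./
# Build-time credential via a BuildKit secret mount: the file exists only for
# this one RUN step and never ends up in an ENV, a layer or the image history.
# Build with: docker build --secret id=netrc,src=$HOME/.netrc .
RUN --mount=type=secret,id=netrc,target=/root/.netrc go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /out/myapp ./cmd/myapp

# Runtime stage: same pinned-tag discipline, no "apk upgrade" step and no
# "curl ... | sh" installer, so the image is exactly what the tag says.
FROM alpine:3.20
# Create an unprivileged system user and group; no home directory needed.
RUN addgroup -S app && adduser -S -G app -H appuser
COPY --from=build /out/myapp /usr/local/bin/myapp
# Drop root before the entrypoint runs.
USER appuser
# Runtime secrets are injected at "docker run" as mounted files (bind mount,
# Swarm or Kubernetes secrets), never baked in as ENV values here.
ENTRYPOINT ["/usr/local/bin/myapp"]
```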
Dockerfile - best practices
Hexops describes some security best practices for Dockerfiles. As a starting point, take the demo Dockerfile from slimsag.