Madhu Akula

A practical guide to writing secure Dockerfiles

Your Dockerfile is a critical form of infrastructure as code. Learn to write secure, minimal images and automate security checks before deployment.

#1 Why Dockerfile security is a critical foundation (about 2 minutes)

Dockerfiles act as the blueprint for container images, making their security essential for preventing supply chain attacks and infrastructure compromise.

#2 Following official Docker best practices for images (about 5 minutes)

Start with small base images, use multi-stage builds, and manage the build context with a .dockerignore file to create efficient and secure containers.

#3 Advanced security practices for hardening Dockerfiles (about 4 minutes)

Enhance security by running containers as a non-root user, using COPY instead of ADD, avoiding hardcoded secrets, and pulling from trusted image registries.

#4 Using Docker BuildKit to handle secrets securely (about 4 minutes)

Docker's BuildKit allows mounting secrets and forwarding SSH agents during the build process, preventing sensitive credentials from being stored in image layers.

#5 Automating checks with linters like Hadolint and Dockle (about 5 minutes)

Use automated linters like Hadolint for best practices and Dockle for CIS benchmark compliance to enforce security standards in your CI/CD pipeline.

#6 Reducing attack surface with docker-slim (about 2 minutes)

docker-slim minifies container images by removing files the application never uses, and it can also generate seccomp and AppArmor profiles from observed behaviour to harden the container at runtime.

#7 Analyzing image layers for security with Dive (about 3 minutes)

The Dive tool provides a layer-by-layer inspection of a Docker image, showing which files each layer adds, changes or removes, which helps identify wasted space and potential security risks such as backdoors hidden in intermediate layers.

#8 Introducing Open Policy Agent for custom policies (about 4 minutes)

Open Policy Agent (OPA) and its language Rego provide a general-purpose engine for enforcing custom, organization-specific security policies on structured data like Dockerfiles.

#9 Writing custom Dockerfile policies with Conftest (about 6 minutes)

Leverage Conftest to write and apply custom Rego policies that validate Dockerfiles against specific organizational rules, such as only allowing images from a trusted private registry.

#10 Next steps for implementing Dockerfile security (about 2 minutes)

Implement security best practices early using linters in your IDE, integrate automated checks into CI/CD pipelines, and create standardized custom policies for your organization.
