# Docker image security
###### tags: `Document` `Docker` `Security` `Plando`
:::info
:bulb: **Hint:** You can also see my source in the *[research for this topic](/s/H1K7rBSHU)*.
:::
## Considerations
Based on the research we have collected **rules** and **tools** for composing Docker images. Looking at this problem now can feel like overthinking, but no artefact or service yet depends on a ==faulty image==, so fixing the security issues now is painless.
### Golden rules
The most repeated advice for building safe images is to **know** and **choose** a ==trusted source== image. The heavy work can and has to be done on the base images. Another piece of advice is to keep images small, with a single purpose: a small image means a small number of vulnerabilities.
For the trusted source I have elected the ==bitnami== guys. They have small base images, based on a lightweight version of Debian (minideb). They also keep track of security patches and the like. Our job is to update our base images from them daily.
Finally, enforce the trusted source with verified (signed) images in the Docker runtime: Docker Content Trust (`DOCKER_CONTENT_TRUST=1`) refuses to pull or run any image whose signature cannot be verified. It is like a lock for the environment.
With this in place we can start building images, trusting that we are well balanced between risk and resources. As for resources, we have tools at our disposal that can help us, some of them from our friends at *bitnami*.
### Tools
We have to choose tools for some steps of our workflow:
- validate the Dockerfile
- build images
- scan for vulnerabilities
The build has to be quick and cache-efficient; for this we have ==[buildkit](https://github.com/moby/buildkit)==.
For scanning images we have [clair](https://coreos.com/clair/docs/latest/), which checks image layers against known vulnerability databases, and [docker bench security](https://github.com/docker/docker-bench-security), which audits the host and daemon configuration against the CIS Docker Benchmark. The point is to check whether any of our own layers in the Dockerfile have opened a security hole.
Scanning is a post-mortem action (it finds problems after the image is built); for preventive action we can rely on Dockerfile linters:
- Atom: [linter-docker](https://github.com/AtomLinter/linter-docker)
- Eclipse: [Docker Editor](https://marketplace.eclipse.org/content/docker-editor)
- VS Code: [Docker Linter](https://marketplace.visualstudio.com/items?itemName=henriiik.docker-linter)
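The editor linters above catch syntax problems; the golden rules (trusted base image, pinned version) are a policy question. As an added example, not code from this page or from bitnami, here is a small policy checker that parses a Dockerfile and reports violations of those rules. The trusted prefix `bitnami/` follows the choice above; the third rule, that the final stage must set a non-root `USER`, is my own addition to the policy, and both sample Dockerfiles are constructed for the demonstration.

```python
"""Dockerfile policy checker for the golden rules (added example, not the page's code).

Rules encoded (assumed policy):
  1. every base image comes from a trusted source (repository prefix in TRUSTED_PREFIXES)
  2. every base image is pinned by an explicit tag or a sha256 digest, never 'latest'
  3. the final stage sets a non-root USER (my addition, not from the page)
"""
from __future__ import annotations

import re

# Assumption: repositories under these prefixes are the trusted sources.
TRUSTED_PREFIXES = ("bitnami/",)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_instructions(dockerfile: str) -> list[tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs; joins '\\' continuations, skips comments."""
    instructions, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        instructions.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
        buf = ""
    return instructions


def split_reference(ref: str) -> tuple[str, str | None, str | None]:
    """Split 'registry/repo:tag@digest' into (repository, tag, digest), dropping the registry host."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ":" in ref.rsplit("/", 1)[-1]:  # a colon in the last path component is a tag, not a port
        ref, tag = ref.rsplit(":", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]  # strip registry host such as docker.io or localhost:5000
    return "/".join(parts), tag, digest


def check_dockerfile(dockerfile: str) -> list[str]:
    """Return policy findings; an empty list means the Dockerfile passes."""
    findings: list[str] = []
    stage_names: set[str] = set()
    instructions = parse_instructions(dockerfile)
    last_from = -1

    for idx, (instr, args) in enumerate(instructions):
        if instr != "FROM":
            continue
        last_from = idx
        tokens = [t for t in args.split() if not t.startswith("--")]  # drop flags like --platform
        if not tokens:
            findings.append("FROM without an image reference")
            continue
        image = tokens[0]
        is_stage_ref = image == "scratch" or image in stage_names
        if len(tokens) >= 3 and tokens[1].upper() == "AS":
            stage_names.add(tokens[2])
        if is_stage_ref:
            continue  # empty base or a reference to an earlier build stage: nothing to verify
        repo, tag, digest = split_reference(image)
        if not repo.startswith(TRUSTED_PREFIXES):
            findings.append(f"FROM {image}: base image is not from a trusted source {TRUSTED_PREFIXES}")
        if digest is not None:
            if not DIGEST_RE.match(digest):
                findings.append(f"FROM {image}: malformed digest")
        elif tag is None or tag == "latest":
            findings.append(f"FROM {image}: pin an explicit tag or digest instead of 'latest'")

    if last_from == -1:
        findings.append("no FROM instruction")
        return findings
    users = [args for instr, args in instructions[last_from + 1:] if instr == "USER"]
    if not users:
        findings.append("final stage does not set a USER; the container will run as root")
    elif users[-1].split(":", 1)[0] in ("root", "0"):
        findings.append(f"final stage runs as root (USER {users[-1]})")
    return findings


# Constructed sample Dockerfiles for the demonstration.
BAD_DOCKERFILE = """
FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3
COPY app.py /app/
CMD ["python3", "/app/app.py"]
"""

GOOD_DOCKERFILE = """
FROM bitnami/minideb:buster AS build
RUN install_packages gcc make
COPY . /src
RUN make -C /src

FROM bitnami/minideb:buster
COPY --from=build /src/app /usr/local/bin/app
USER 1001
ENTRYPOINT ["/usr/local/bin/app"]
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, check_dockerfile(text) or ["OK"])
```

The bad sample trips all three rules (untrusted `ubuntu`, floating `latest`, no `USER`); the good one passes because both stages pin `bitnami/minideb:buster` and the runtime stage drops to UID 1001. Running the checker in CI before the buildkit step keeps unpinned or untrusted base images out of the pipeline, which is the preventive counterpart of the post-build scan.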
### Diagram for the security scan step
It can and will be improved upon.
```flow
st=>start: BaseImage
e=>end: Deploy
op1=>operation: write DockerFile
op2=>operation: Stuff|current
sub1=>subroutine: List Errors
cond=>condition: Linter
Approved?
c2=>condition: Build?
io=>inputoutput: scan vulnerabilities
st->op1(right)->cond
cond(yes, right)->c2
cond(no)->sub1(left)->op1
c2(yes)->io->e
c2(no)->op1
```