Skip to main content

Overview

Container Securityโ€‹

Welcome to Creating a More Secure Production with Containers - a hands-on workshop covering 8 container security best practices plus a full Docker Hardened Images (DHI) migration, using the catalog-service-node app as the running example.

This workshop is split into two complementary tracks:

TrackApproachWhat it covers
Docker Scout๐Ÿ”„ Reactive - Scan and FixSurface CVEs in existing images, gate them in CI, fix them as they appear
Docker Hardened Images๐Ÿ›ก๏ธ Pro-active - Start SecureBuild on minimal, distroless, attested images with near-zero CVEs from day one

Both approaches matter. Scout helps you understand and remediate what you already run; DHI helps you stop creating the problem in the first place.


The four attack vectors that keep production teams up at nightโ€‹

  1. Image vulnerabilities - known CVEs in OS packages and language dependencies
  2. Supply chain integrity - compromised dependencies, post-install scripts, untrusted base images
  3. Runtime attack surface - shells, package managers, dev tools, and OS utilities that aid attackers
  4. Compliance - FIPS, STIG, license obligations, audit-ready provenance

The 8 best practices below directly address vectors 1, 3, and 4. Scout addresses vector 1 reactively. DHI addresses all four pro-actively.


The 8 Container Security Best Practicesโ€‹

#Best PracticeWhat it addresses
1Start with minimal base imagesLess OS surface = fewer CVEs
2Use multi-stage buildsKeep dev tools out of production
3Run as non-root userLimit blast radius of code execution
4Read-only filesystem + drop capabilitiesStop attackers from writing payloads
5Scan continuously, not just at buildCatch new CVEs as they emerge
6Manage secrets properlyNever bake credentials into images
7No dev tools in productionSmaller attack surface
8No OS tools in productionNo curl, no wget, no payload delivery

Key numbers from the fieldโ€‹

ImageCritical CVEsHigh CVEsPackagesSize
node:18 (where most teams start)2266931.62 GB
node:25-slim (BP#1 applied)02272368 MB
dhi.io/node:24-debian13 (DHI)00~12~50 MB

One FROM line change from node:18 to node:25-slim eliminates 2 critical and 25 high CVEs immediately. Migrating to DHI eliminates all of them, removes 595 packages, and shrinks the image 10x.


The sample applicationโ€‹

Throughout this workshop we use catalog-service-node - a real-world Node.js service with PostgreSQL, Kafka, and S3 dependencies. It ships with a setup script that deliberately introduces a vulnerable state (old base image, downgraded dependencies) so you can experience the full security journey from the bottom up.

Ready to start? Head over to Setup to clone the project and configure your environment.