🐋 Docker Masterclass

Docker Architecture & Concepts

Understand the engine under the hood. You cannot secure what you do not understand.

Containers vs. Virtual Machines

VMs virtualize hardware via a Hypervisor. Containers virtualize the Operating System. Containers share the host OS kernel. This makes them fast, lightweight, and portable.

Diagram, Virtual Machine stack (bottom to top): Host OS, Hypervisor, then for each VM its own Guest OS, Bins/Libs and App (App 1, App 2).

Diagram, Docker Container stack (bottom to top): Host OS, Docker Engine, then for each container only Bins/Libs and App (App 1, App 2); there is no Guest OS layer.

DevSecOps: Hardening Docker

Docker's default configuration is not hardened. Apply these baseline rules.

1. Never Run as Root

Processes run as root by default. Create a restricted user in your Dockerfile.

RUN useradd -ms /bin/bash appuser
USER appuser

2. Image Scanning

Integrate Trivy or Snyk into your CI/CD pipeline. Block builds with Critical CVEs.

trivy image --exit-code 1 --severity CRITICAL myapp:latest # non-zero exit fails the pipeline step

3. Drop Capabilities

Drop all Linux capabilities. Add back only what the process requires.

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE app

4. Read-Only Filesystem

A read-only root filesystem prevents a compromised process from writing files, including malware, into the running container. Mount a tmpfs only for paths that genuinely need writes.

docker run --read-only --tmpfs /tmp app

The Docker Sock Vulnerability

Do not bind mount /var/run/docker.sock into a container. Anyone with access to that socket can start containers and effectively execute commands as root on the host machine.

docker run -v /var/run/docker.sock:/var/run/docker.sock app # DANGEROUS
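An added audit script (not part of the original page) that checks running containers against rules 1, 3 and 4 above and the Docker socket warning by reading `docker inspect` output. The sample JSON is constructed and trimmed to the fields the checks use; the container and rule names are assumptions for illustration.

```python
import json

# Constructed sample: the shape `docker inspect <container>` returns for a
# container started with none of the rules above (trimmed to the fields used).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/app",
    "Config": {"User": ""},
    "HostConfig": {
        "CapDrop": [],
        "ReadonlyRootfs": False,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}])

DOCKER_SOCK = "/var/run/docker.sock"


def audit_containers(inspect_json: str) -> dict:
    """Map each container name to the list of baseline rules it violates."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        user = (c.get("Config") or {}).get("User") or ""
        problems = []
        # Rule 1: an empty user, "root" or uid 0 means the process runs as root.
        if user.split(":")[0] in ("", "root", "0"):
            problems.append("runs as root (set USER in the Dockerfile or --user)")
        # Rule 3: the capability set must start empty (--cap-drop=ALL).
        if "ALL" not in [x.upper() for x in hc.get("CapDrop") or []]:
            problems.append("missing --cap-drop=ALL")
        # Rule 4: the root filesystem should be immutable.
        if not hc.get("ReadonlyRootfs"):
            problems.append("writable root filesystem (use --read-only)")
        # Docker socket: look at both the raw -v Binds and the resolved Mounts.
        sources = {b.split(":")[0] for b in hc.get("Binds") or []}
        sources |= {m.get("Source", "") for m in c.get("Mounts") or []}
        if DOCKER_SOCK in sources:
            problems.append("host Docker socket mounted (root on the host)")
        findings[(c.get("Name") or "?").lstrip("/")] = problems
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real output in: docker inspect $(docker ps -q) | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, problems in audit_containers(data).items():
        print(name + ":", "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```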

Compose Anatomy

Docker Compose orchestrates multi-container applications.

docker-compose.yml
version: '3.8'
services:
  api:
    build: ./api
    environment:
      - DB_HOST=db
      - DB_USER=${DB_USER}  # Use .env files for secrets
    networks:
      - backend
    depends_on:
      - db
  db:
    image: postgres:14
    volumes:
      - db-data:/var/lib/postgresql/data
    networks:
      - backend
volumes:
  db-data:
networks:
  backend:
