    DevOps · Security · Cloud

    Docker Security Best Practices for Production

    Essential security hardening techniques for running Docker containers in production environments.

    January 15, 2026 · 9 min read

    Introduction

    Docker containers add isolation, but security requires deliberate hardening. Here are the essentials for production.

    Run as Non-Root

    dockerfile
    FROM node:20-alpine
    RUN addgroup -g 1001 appgroup && adduser -u 1001 -G appgroup -D appuser
    WORKDIR /app
    COPY --chown=appuser:appgroup . .
    USER appuser
    CMD ["node", "server.js"]

    Minimal Images and Pinned Versions

    • Prefer slim or distroless bases
    • Pin image tags or digests
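    The two checks above (a non-root USER in the final stage, and a base image pinned to a tag or digest) are easy to automate before an image is built. The audit below is an added example, not code from this post; it parses a Dockerfile as plain text, with the sample Dockerfile constructed from the one shown earlier.

```python
import re

# Constructed sample input, modelled on the Dockerfile shown in this post.
SAMPLE_DOCKERFILE = """\
FROM node:20-alpine
RUN addgroup -g 1001 appgroup && adduser -u 1001 -G appgroup -D appuser
WORKDIR /app
COPY --chown=appuser:appgroup . .
USER appuser
CMD ["node", "server.js"]
"""

UNPINNED_TAGS = {"", "latest"}


def _instructions(text):
    """Yield (INSTRUCTION, args) pairs; joins backslash continuations, skips comments."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def audit_dockerfile(text):
    """Return a list of findings; an empty list means both hardening checks pass."""
    findings = []
    last_user = None
    for inst, args in _instructions(text):
        if inst == "FROM":
            last_user = None  # each stage starts as root; only the final stage's USER matters
            image = [t for t in args.split() if not t.startswith("--")][0]  # drop --platform, "AS name"
            if "@sha256:" in image or image.startswith("$"):
                continue  # digest-pinned, or an ARG reference we cannot judge statically
            name, _, tag = image.rpartition(":")
            if not name or "/" in tag:  # no ':' at all, or the ':' was a registry port
                tag = ""
            if tag in UNPINNED_TAGS:
                findings.append(f"FROM {image}: unpinned base image (use a specific tag or @sha256 digest)")
        elif inst == "USER":
            last_user = args.split(":")[0].strip()  # handles "USER appuser" and "USER 1001:1001"
    if last_user is None:
        findings.append("no USER instruction: container runs as root by default")
    elif last_user in ("root", "0"):
        findings.append(f"USER {last_user}: final stage runs as root")
    return findings


if __name__ == "__main__":
    for line in audit_dockerfile(SAMPLE_DOCKERFILE) or ["OK: non-root user and pinned base image"]:
        print(line)
```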

    Scan Images

    bash
    trivy image myapp:latest
    docker scout cves myapp:latest

    Resource Limits

    yaml
    services:
      app:
        image: myapp:latest
        deploy:
          resources:
            limits:
              cpus: "0.5"
              memory: 512M

    Read-Only Filesystem

    bash
    docker run --read-only --tmpfs /tmp myapp:latest

    Runtime Hardening

    • Enable seccomp/apparmor profiles
    • Drop Linux capabilities
    • Mount secrets read-only

    Conclusion

    Secure the host, harden containers, then continuously scan and monitor.

    Docker
    Trivy
    Linux
    Security

    Written by


    Corentin Tujague

    Network & Security Engineer

    Passionate about building secure, scalable infrastructure and sharing technical knowledge.