🎁 New User? Get 20% off your first purchase with code NEWUSER20 Register Now →
Menu

Categories

Security & Hardening

Docker Container Security: Scanning, Hardening, and Runtime Protection

Dargslan Team | April 12, 2026 | 5 min read | 3 views
devops docker security
Docker Container Security: Scanning, Hardening, and Runtime Protection

Running containers in production without security hardening is like leaving your front door open. This guide covers the full container security lifecycle — from building secure images to runtime protection.

Image Scanning

# Trivy (most popular, free)
trivy image myapp:latest
trivy image --severity HIGH,CRITICAL myapp:latest
trivy image --exit-code 1 myapp:latest    # Fail CI on vulnerabilities

# Docker Scout (built-in)
docker scout cves myapp:latest
docker scout quickview myapp:latest

# Snyk
snyk container test myapp:latest

Dockerfile Hardening

# Use minimal base image
FROM node:20-alpine    # NOT node:20 (500MB smaller)

# Pin versions
FROM node:20.11.1-alpine3.19

# Non-root user
RUN addgroup -S app && adduser -S app -G app
USER app

# Read-only filesystem
# Run with: docker run --read-only --tmpfs /tmp myapp

# No new privileges
# Run with: docker run --security-opt=no-new-privileges myapp

# Drop capabilities
# Run with: docker run --cap-drop ALL --cap-add NET_BIND_SERVICE myapp

# Health check
HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost:3000/health || exit 1

Runtime Security Flags

# Production-secure container run
docker run -d \
    --name myapp \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid \
    --security-opt=no-new-privileges:true \
    --cap-drop ALL \
    --cap-add NET_BIND_SERVICE \
    --memory 512m \
    --cpus 1.0 \
    --pids-limit 100 \
    --restart unless-stopped \
    --user 1000:1000 \
    myapp:latest

Docker Compose Security

services:
  app:
    image: myapp:latest
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '1.0'
    user: "1000:1000"

📘 Docker Security Deep Dive

Our cybersecurity eBooks cover container security, image hardening, and Kubernetes security in depth.

Browse Security Books →

Security Checklist

  1. Scan images in CI/CD pipeline (fail on CRITICAL)
  2. Use minimal base images (alpine, distroless, scratch)
  3. Run as non-root user
  4. Drop all capabilities, add only what's needed
  5. Use read-only root filesystem
  6. Set resource limits (memory, CPU, PIDs)
  7. Never store secrets in images (use Docker secrets or env)
  8. Keep images updated (rebuild weekly)
  9. Use multi-stage builds to minimize attack surface
  10. Enable Docker Content Trust for image signing
Share this article:
Dargslan Editorial Team (Dargslan)
About the Author

Dargslan Editorial Team (Dargslan)

Collective of Software Developers, System Administrators, DevOps Engineers, and IT Authors

Dargslan is an independent technology publishing collective formed by experienced software developers, system administrators, and IT specialists.

The Dargslan editorial team works collaboratively to create practical, hands-on technology books focused on real-world use cases. Each publication is developed, reviewed, and...

Programming Languages Linux Administration Web Development Cybersecurity Networking
View all books

Related Articles

Stay Updated

Subscribe to our newsletter for the latest tutorials, tips, and exclusive offers.