Container Security Best Practices
1. Use Minimal, Trusted Base Images
Choose official or verified images from trusted registries.
Prefer distroless, Alpine, or minimal OS images to reduce attack surface.
Pin images to a specific version/tag, not latest.
Good example:
FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine
2. Regularly Scan Images for Vulnerabilities
Integrate vulnerability scanning into CI/CD:
Trivy
Anchore
Clair
Snyk
Docker Scout
Scan at:
Build time
Push time
Deployment time
3. Don’t Run Containers as Root
Running as root in a container can let attackers escalate privileges.
Dockerfile example:
RUN adduser -D appuser
USER appuser
On Kubernetes, enforce:
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
4. Use Multi-Stage Builds
Reduces the build dependencies shipped in the final image.
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
...
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS runtime
COPY --from=build /app/out .
This removes compilers and sensitive build tools.
5. Keep Secrets Out of Images
Never store secrets in:
Images
Environment variables
Git repositories
Use:
Kubernetes Secrets
HashiCorp Vault
Azure Key Vault
AWS Secrets Manager
Example (Kubernetes):
envFrom:
  - secretRef:
      name: db-secrets
6. Use Read-Only Filesystems
Prevent attackers from modifying the container FS.
securityContext:
  readOnlyRootFilesystem: true
7. Limit Container Capabilities
Drop unnecessary Linux capabilities.
securityContext:
  capabilities:
    drop: ["ALL"]
Add only what’s required.
8. Apply Resource Limits
Limits resource abuse and the impact of denial-of-service attacks.
resources:
  limits:
    cpu: "500m"
    memory: "256Mi"
9. Use Network Policies
Limit pod-to-pod communication (zero trust networking).
Example (K8s deny-all):
policyTypes:
  - Ingress
  - Egress
Then explicitly allow needed traffic.
10. Regularly Update and Rebuild Images
Patch the base image
Rebuild application images
Automate rebuilds via CI/CD
Many vulnerabilities come from outdated dependencies.
11. Use Signed Images and Image Provenance
Enable:
Docker Content Trust (Notary)
Sigstore Cosign
Kubernetes admission controllers to block unsigned images
Example:
cosign sign myapp:v1
cosign verify myapp:v1
12. Enforce Admission Control Policies (K8s)
Use:
OPA Gatekeeper
Kyverno
Validating Admission Webhooks
Policies enforce:
No root containers
Signed images only
Required resource limits
Required labels
13. Isolate Containers with Sandboxed Runtimes
For high-security workloads use:
gVisor
Kata Containers
Firecracker
These drastically reduce breakout risk.
14. Disable Privileged Containers
Never run:
securityContext:
  privileged: true
And do not enable:
hostPID
hostNetwork
hostIPC
Unless required for infrastructure components.
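The settings from sections 3, 6, 7, 8 and 14 can be checked mechanically before a manifest reaches the cluster. The following added example (not code from the original post) audits a Pod spec, given as a Python dict, against those settings; the two sample specs are constructed for illustration.

```python
"""Audit a Kubernetes Pod spec against the hardening settings from this post."""

def audit_pod_spec(pod_spec: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    # Section 14: host namespaces give a container a view of the node
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if pod_spec.get(key):
            findings.append(f"pod: {key} is enabled")
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        # Container-level securityContext overrides pod-level defaults
        sc = {**pod_sc, **c.get("securityContext", {})}
        image = c.get("image", "")
        # Section 1: require an explicit tag or digest, never 'latest'
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{name}: image '{image}' is not pinned to a version")
        if sc.get("privileged"):                      # section 14
            findings.append(f"{name}: privileged container")
        if not sc.get("runAsNonRoot") or sc.get("runAsUser") == 0:   # section 3
            findings.append(f"{name}: may run as root (runAsNonRoot/runAsUser)")
        if not sc.get("readOnlyRootFilesystem"):     # section 6
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):  # section 7
            findings.append(f"{name}: capabilities not dropped (drop: [\"ALL\"])")
        limits = c.get("resources", {}).get("limits", {})            # section 8
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
    return findings

WEAK_POD = {  # constructed sample: a typical unhardened spec
    "hostNetwork": True,
    "containers": [{"name": "web", "image": "myapp:latest",
                    "securityContext": {"privileged": True}}],
}
HARDENED_POD = {  # constructed sample: applies the settings from this post
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{
        "name": "web", "image": "mcr.microsoft.com/dotnet/aspnet:8.0-alpine",
        "securityContext": {"readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod_spec(spec) or "OK")
```

The same checks are what an admission controller (section 12) or a manifest linter in CI would enforce; running them locally first catches regressions before deployment.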
15. Monitor Runtime Behavior
Use runtime threat detection tools:
Falco
Aqua Security
Datadog Runtime Security
Sysdig Secure
Alert on:
Unexpected process execution
File modifications
Privilege escalation
Suspicious networking behavior
16. Protect the Container Registry
Secure your image registry via:
Private registries (Azure, AWS, GCP, Harbor, GitHub)
RBAC (restrict push/pull privileges)
Mandatory image scanning
Signed images enforcement
17. Use Pod Security Standards (PSS) or PSPs (Legacy)
Set namespace-level controls:
Baseline
Restricted
Example:
pod-security.kubernetes.io/enforce: restricted
18. Secure Supply Chain
Use tools like:
SLSA (Supply Chain Levels for Software Artifacts)
SBOMs (Software Bill of Materials)
CycloneDX / SPDX
Auto-generate SBOMs in CI:
syft myapp:latest
🧩 Summary Cheat Sheet
| Category | Best Practices |
| --- | --- |
| Images | Minimal base images, version pinning, no secrets, scanning |
| Runtime | Non-root, no privilege escalation, read-only FS |
| Network | Zero trust (NetworkPolicies), encrypted traffic |
| Platform | Limits, quotas, RBAC, secure registries |
| Kubernetes | PSS, OPA/Kyverno policies, signed images |
| Monitoring | Falco, eBPF, audit logs, anomaly detection |
| Supply Chain | SBOM, SLSA, Cosign signing, CI scanning |