# Docker

# Security checklist

  • Use specific version number of image instead of :latest.
  • Prefer official images (hub.docker.com/_/) or images built on our GitLab. If you really need a third-party image, review it, scan it with Trivy, then pin it by its sha256: digest instead of a tag.
  • Use a multi-stage build to decrease the image size.
  • Make /etc read-only:
```dockerfile
RUN chmod a-w /etc
```
  • Run the app in the container as a dedicated user instead of root (note: no trailing period after the user name, or `useradd` creates a user called `app.` and `USER app` fails):
```dockerfile
RUN groupadd -r app && useradd --no-log-init -r -g app app
USER app
```
  • Delete the shell. This must be the last RUN instruction of the final stage, because every RUN needs /bin/sh, and ENTRYPOINT/CMD must then use the exec (JSON array) form, which does not spawn a shell:
```dockerfile
RUN rm -rf /bin/*
```
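The checklist items above combined into one Dockerfile, as an added example that is not part of the original page. It assumes a statically linked Go service built from `./cmd/app` and listening on port 8080; the base image tags `golang:1.22-bookworm` and `debian:12-slim` are real, but the `<DIGEST>` placeholder must be replaced with the digest reported by `docker pull` or Trivy for the image you actually reviewed.

```dockerfile
# syntax=docker/dockerfile:1

# --- Stage 1: build (discarded from the final image) ------------------------
# Pinned version tag, never :latest. To pin a third-party image by digest, write
#   FROM some/image:1.2.3@sha256:<DIGEST>   (DIGEST = value reported by docker pull / Trivy)
FROM golang:1.22-bookworm AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary (CGO disabled) so the runtime stage needs no libc tooling or shell.
RUN CGO_ENABLED=0 go build -ldflags='-s -w' -o /out/app ./cmd/app

# --- Stage 2: minimal runtime -----------------------------------------------
FROM debian:12-slim

# Dedicated system user and group; no trailing period after the user name.
# Must run before /etc is locked down, since it writes /etc/passwd and /etc/group.
RUN groupadd -r app && useradd --no-log-init -r -g app app

# Only the compiled binary is copied from the build stage.
COPY --from=build /out/app /usr/local/bin/app

# Lock down /etc for the (non-root) runtime user.
RUN chmod a-w /etc

# Last RUN: remove the shell and the rest of /bin. Any RUN placed after this
# line would fail, because RUN itself is executed through /bin/sh.
RUN rm -rf /bin/*

# USER comes after the rm, which still needed root to succeed.
USER app
EXPOSE 8080

# Exec form is mandatory here: the shell form "ENTRYPOINT /usr/local/bin/app"
# would try to start /bin/sh, which no longer exists.
ENTRYPOINT ["/usr/local/bin/app"]
```

Build with `docker build -t app:1.0.0 .` and then scan the result with `trivy image app:1.0.0`; because the runtime stage carries no shell or package manager, `docker exec -it <container> sh` will fail, which is the intended effect of the last step.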