Container Security

🔥 Vibe Prompt

"Set up container security: scan images, enforce policies, runtime security."

Image Scanning

# Dockerfile best practices
# Dockerfile instructions do not accept trailing "# ..." comments (they are
# parsed as extra arguments), so every comment sits on its own line.

# Use slim/alpine, not the full image
FROM python:3.12-slim

# --no-install-recommends keeps the package set small; removing the apt
# lists afterwards keeps the cache out of the layer (shell comment is fine
# inside RUN because the shell, not Docker, sees it)
RUN apt-get update && apt-get install -y --no-install-recommends \
    curl \
    && rm -rf /var/lib/apt/lists/*  # Clean apt cache

# Give the app its own directory; without WORKDIR, "." means /
WORKDIR /app

# Files are owned by the unprivileged user, and the container does not run as root
COPY --chown=1000:1000 app.py .
# Non-root user (a numeric UID works even without a passwd entry)
USER 1000

HEALTHCHECK --interval=30s CMD curl -f http://localhost:8000/health || exit 1

CMD ["python", "app.py"]

Trivy Scanner

# Scan local image
trivy image myapp:latest

# Scan in CI: GitHub Actions workflow (e.g. .github/workflows/scan.yml)
name: image-scan
on: push
permissions:
  contents: read
  security-events: write   # required for upload-sarif to write to Code Scanning
jobs:
  scan:
    runs-on: ubuntu-latest   # a job must declare its runner
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t myapp:latest .
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:latest
          format: sarif
          output: trivy-results.sarif
      - name: Upload results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

Trivy Output

┌────────────────────┬──────────────────┬──────────┬───────────────────┐
│     Library        │ Vulnerability    │ Severity │ Fixed Version     │
├────────────────────┼──────────────────┼──────────┼───────────────────┤
│ libcurl4 (deb)     │ CVE-2024-1234    │ CRITICAL │ 7.88.1-10+deb12u5 │
│ openssl (deb)      │ CVE-2024-5678    │ HIGH     │ 3.0.11-1~deb12u2  │
│ python3.12 (deb)   │ CVE-2024-9012    │ MEDIUM   │ 3.12.2-1          │
└────────────────────┴──────────────────┴──────────┴───────────────────┘
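The table is what a human reads; a pipeline should consume the JSON report (`trivy image --format json myapp:latest`) and decide whether to fail the build. The script below is an added example, not Trivy's own code: it applies a severity threshold, skips findings that have no fix yet, and honours an allowlist of accepted-risk IDs. The embedded report is constructed to mirror the table above using the key names Trivy emits (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the installed versions and the unfixed `CVE-0000-0000` entry are placeholders.

```python
"""CI gate over a Trivy JSON report (trivy image --format json myapp:latest).

Added example, not Trivy code. SAMPLE_REPORT is constructed to mirror the
table in the text; installed versions and CVE-0000-0000 are placeholders.
"""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp:latest",
    "Results": [{
        "Target": "myapp:latest (debian 12.5)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-1234", "PkgName": "libcurl4",
             "InstalledVersion": "7.88.1-10+deb12u4",
             "FixedVersion": "7.88.1-10+deb12u5", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2024-5678", "PkgName": "openssl",
             "InstalledVersion": "3.0.11-1~deb12u1",
             "FixedVersion": "3.0.11-1~deb12u2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2024-9012", "PkgName": "python3.12",
             "InstalledVersion": "3.12.1-1",
             "FixedVersion": "3.12.2-1", "Severity": "MEDIUM"},
            # Placeholder finding with no fix available yet (no FixedVersion key).
            {"VulnerabilityID": "CVE-0000-0000", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "Severity": "HIGH"},
        ],
    }],
})


def iter_vulnerabilities(report: dict):
    """Yield (target, vulnerability) pairs; a clean target has Vulnerabilities: null."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def blocking_findings(report_json: str, threshold: str = "HIGH",
                      ignore_unfixed: bool = True, allowlist=frozenset()):
    """Return the findings that should fail the build, most severe first.

    threshold      -- lowest severity that blocks
    ignore_unfixed -- skip findings without a FixedVersion: there is nothing to
                      upgrade to, so they belong on a tracking list, not a gate
    allowlist      -- vulnerability IDs with an accepted-risk decision on file
    """
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK[threshold.upper()]
    findings = []
    for target, vuln in iter_vulnerabilities(report):
        severity = vuln.get("Severity", "UNKNOWN").upper()
        vuln_id = vuln.get("VulnerabilityID", "")
        fixed = vuln.get("FixedVersion")
        if SEVERITY_RANK.get(severity, 0) < min_rank:
            continue
        if vuln_id in allowlist:
            continue
        if ignore_unfixed and not fixed:
            continue
        findings.append({
            "id": vuln_id, "package": vuln.get("PkgName"), "severity": severity,
            "installed": vuln.get("InstalledVersion"), "fixed": fixed,
            "target": target,
        })
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["id"]))
    return findings


def gate_exit_code(report_json: str, **policy) -> int:
    """1 if anything blocks (CI job fails), else 0; prints the blockers either way."""
    findings = blocking_findings(report_json, **policy)
    for f in findings:
        print(f"{f['severity']:<8} {f['id']:<16} {f['package']} "
              f"{f['installed']} -> {f['fixed']}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate_exit_code(SAMPLE_REPORT))
```

Trivy itself offers the same three knobs on the command line (`--severity`, `--ignore-unfixed`, `--exit-code`, plus a `.trivyignore` file); the point of owning the logic is that the allowlist can carry a reason and an expiry in your repo rather than a bare ID, and the gate can be unit-tested against a saved report.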

Kyverno Policies (K8s)

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-run-as-non-root
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Containers must not run as root"
        pattern:
          spec:
            securityContext:
              runAsNonRoot: true

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-latest-tag
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Image tag 'latest' is not allowed"
        pattern:
          spec:
            containers:
              - image: "!*:latest"

Runtime Security (Falco)

# Falco rule: shell in container
- rule: Terminal shell in container
  desc: "Detect shell execution inside container"
  condition: >
    spawned_process and container and
    (proc.name = bash or proc.name = sh or proc.name = zsh)
  output: >
    Shell opened in container (user=%user.name container=%container.info shell=%proc.name)
  priority: WARNING
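Falco writes one JSON object per event when started with `-o json_output=true`, and that stream is what a SIEM or a small responder script consumes. The consumer below is an added example, not Falco code: it parses the stream, skips non-JSON lines, keeps events for the shell rule above at or above a priority threshold, and counts shells per container so a one-off debugging session can be told apart from a container that keeps getting shells. The events are constructed to match the rule above and use Falco's real top-level keys (`time`, `rule`, `priority`, `output`, `output_fields`) and field names (`user.name`, `container.id`, `container.name`, `proc.name`); the container names, IDs, the non-JSON noise line and the low-priority rule name are placeholders.

```python
"""Consume Falco's JSON event stream and pick out shell-in-container alerts.

Added example, not Falco code. SAMPLE_STREAM is constructed; container names,
IDs and the "(constructed)" rule are placeholders.
"""
import json
from collections import Counter

# Falco's priority scale, ranked low -> high.
PRIORITY_RANK = {"Debug": 0, "Informational": 1, "Notice": 2, "Warning": 3,
                 "Error": 4, "Critical": 5, "Alert": 6, "Emergency": 7}

SHELL_RULE = "Terminal shell in container"
LOW_RULE = "Example low-priority rule (constructed)"


def _event(time, rule, priority, fields):
    """Build one constructed event in the shape Falco emits."""
    rendered = " ".join(f"{k}={v}" for k, v in fields.items())
    return json.dumps({"time": time, "rule": rule, "priority": priority,
                       "output": f"{rule} ({rendered})", "output_fields": fields})


SAMPLE_STREAM = "\n".join([
    _event("2024-01-01T10:00:00.000000000Z", SHELL_RULE, "Warning",
           {"user.name": "root", "container.id": "0a1b2c3d4e5f",
            "container.name": "api-7f9c", "proc.name": "bash"}),
    "(constructed non-JSON noise line, e.g. a startup banner)",
    _event("2024-01-01T10:00:05.000000000Z", SHELL_RULE, "Warning",
           {"user.name": "app", "container.id": "0a1b2c3d4e5f",
            "container.name": "api-7f9c", "proc.name": "sh"}),
    _event("2024-01-01T10:00:09.000000000Z", LOW_RULE, "Notice",
           {"user.name": "app", "container.id": "9f8e7d6c5b4a",
            "container.name": "worker-2b1d", "proc.name": "cat"}),
    _event("2024-01-01T10:00:12.000000000Z", SHELL_RULE, "Warning",
           {"user.name": "root", "container.id": "9f8e7d6c5b4a",
            "container.name": "worker-2b1d", "proc.name": "zsh"}),
])


def parse_events(stream: str) -> list:
    """One JSON event per line; anything that is not a JSON object is skipped."""
    events = []
    for line in stream.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def shell_alerts(stream: str, min_priority: str = "Warning",
                 rule: str = SHELL_RULE) -> list:
    """Events for `rule` at or above `min_priority`, flattened for a ticket or SIEM."""
    min_rank = PRIORITY_RANK[min_priority]
    alerts = []
    for ev in parse_events(stream):
        if ev.get("rule") != rule:
            continue
        if PRIORITY_RANK.get(ev.get("priority"), -1) < min_rank:
            continue
        f = ev.get("output_fields") or {}
        alerts.append({"time": ev.get("time"), "container": f.get("container.name"),
                       "container_id": f.get("container.id"),
                       "user": f.get("user.name"), "shell": f.get("proc.name")})
    return alerts


def shells_per_container(stream: str) -> Counter:
    """Shell count per container: one may be a debug session, repeats deserve a look."""
    return Counter(a["container"] for a in shell_alerts(stream))


def root_shells(stream: str) -> list:
    """Shells opened as root: in an image built with USER 1000 this should never happen."""
    return [a for a in shell_alerts(stream) if a["user"] == "root"]


if __name__ == "__main__":
    for alert in shell_alerts(SAMPLE_STREAM):
        print(alert)
    print(shells_per_container(SAMPLE_STREAM))
```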

Container Security Checklist

| Layer | Tool | What it checks |
|-------|------|----------------|
| Dockerfile | Hadolint | Best practices, security |
| Image | Trivy | Known CVEs |
| Registry | ECR scanning | Automatic scan on push |
| K8s admission | Kyverno | Enforce policies |
| Runtime | Falco | Behavioral anomalies |
| Network | Cilium | Zero-trust network |

Best Practices

  • Use minimal base images (slim, alpine, distroless)
  • Run as non-root user
  • Scan images before every deployment
  • Pin base image versions (no :latest)
  • Use multi-stage builds
  • Enable ECR scanning (continuous)
  • Implement K8s pod security standards
  • Monitor runtime with Falco
  • Use read-only root filesystem
  • Set resource limits (CPU, memory)
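The Kyverno policies above enforce two of these practices at admission time; the others (read-only root filesystem, resource limits) are usually caught the same way. The checker below is an added example, not Kyverno code, and it is not a substitute for the admission controller: it re-implements the intent of the two policies plus the read-only-root and limits items as a local lint that can run in CI or a pre-commit hook, so manifests fail fast before they reach the cluster. It also covers two cases the `"!*:latest"` pattern does not: an untagged image (which Docker resolves to `:latest`) is rejected, and an image pinned by digest is accepted. Both manifests and the digest are constructed.

```python
"""Pre-admission lint for Pod manifests.

Added example, not Kyverno code. BAD_POD, GOOD_POD and the digest are
constructed placeholders.
"""

IMAGE_DIGEST_PLACEHOLDER = "sha256:" + "a" * 64  # constructed, not a real digest


def parse_image_ref(image: str):
    """Return (tag, digest) for an image reference.

    The tag is looked for only in the last path component, so a registry
    port (registry.example.com:5000/team/app) is not mistaken for a tag.
    tag is None for an untagged reference, which resolves to :latest.
    """
    ref, _, digest = image.partition("@")
    last = ref.rsplit("/", 1)[-1]
    tag = last.split(":", 1)[1] if ":" in last else None
    return tag, (digest or None)


def check_container(container: dict, pod_sc: dict) -> list:
    """Problems for one container, given the pod-level securityContext."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    problems = []

    # Container-level securityContext overrides the pod-level one.
    run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if run_as_user == 0:
        problems.append(f"{name}: runAsUser is 0 (root)")
    elif run_as_non_root is not True and run_as_user is None:
        problems.append(f"{name}: neither runAsNonRoot: true nor a non-zero runAsUser is set")

    image = container.get("image", "")
    tag, digest = parse_image_ref(image)
    if digest is None:  # a digest pin is immutable, so it is accepted as-is
        if tag is None:
            problems.append(f"{name}: image '{image}' is untagged (defaults to :latest)")
        elif tag == "latest":
            problems.append(f"{name}: image '{image}' uses the :latest tag")

    if sc.get("readOnlyRootFilesystem") is not True:
        problems.append(f"{name}: readOnlyRootFilesystem is not true")

    limits = (container.get("resources") or {}).get("limits") or {}
    for resource in ("cpu", "memory"):
        if resource not in limits:
            problems.append(f"{name}: missing resources.limits.{resource}")
    return problems


def check_pod(pod: dict) -> list:
    """All problems in a Pod manifest; an empty list means it passes every check."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    problems = []
    # initContainers run with the same privileges, so they get the same rules.
    for container in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        problems.extend(check_container(container, pod_sc))
    return problems


# Constructed manifests: one that violates every rule, one that passes.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {"containers": [{"name": "app", "image": "myapp:latest"}]},
}

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{
            "name": "app",
            "image": "registry.example.com:5000/team/myapp:1.4.2",
            "securityContext": {"readOnlyRootFilesystem": True},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "OK")
```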
