Container Security
Vibe Prompt
"Set up container security: scan images, enforce policies, runtime security."
Image Scanning
```dockerfile
# Dockerfile best practices
# Use a slim/alpine base, not the full image (smaller attack surface, fewer CVEs)
FROM python:3.12-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
        curl \
    && rm -rf /var/lib/apt/lists/*   # clean the apt cache so it is not baked into the layer
WORKDIR /app
# Give the files to the non-root uid instead of leaving them owned by root
COPY --chown=1000:1000 app.py .
# Non-root user: everything after this, including the container process, runs as uid 1000
USER 1000
HEALTHCHECK --interval=30s CMD curl -f http://localhost:8000/health || exit 1
```

Note that Dockerfile comments must sit on their own line; a trailing `# ...` after `FROM` or `USER` is parsed as part of the instruction and breaks the build.
Trivy Scanner
```sh
# Scan local image
trivy image myapp:latest
```

Scan in CI (GitHub Actions):

```yaml
name: image-scan
on: push
permissions:
  contents: read
  security-events: write   # needed for upload-sarif to write to the Security tab
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t myapp:latest .
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master   # pin to a release tag or SHA in production
        with:
          image-ref: myapp:latest
          format: sarif
          output: trivy-results.sarif
      - name: Upload results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```
Trivy Output
```
┌──────────────────┬────────────────┬──────────┬────────────────────┐
│ Library          │ Vulnerability  │ Severity │ Fixed Version      │
├──────────────────┼────────────────┼──────────┼────────────────────┤
│ libcurl4 (deb)   │ CVE-2024-1234  │ CRITICAL │ 7.88.1-10+deb12u5  │
│ openssl (deb)    │ CVE-2024-5678  │ HIGH     │ 3.0.11-1~deb12u2   │
│ python3.12 (deb) │ CVE-2024-9012  │ MEDIUM   │ 3.12.2-1           │
└──────────────────┴────────────────┴──────────┴────────────────────┘
```
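A CI gate over Trivy's JSON output, as an added example that is not part of the original page or of Trivy itself: it fails the build when any fixable finding is at or above a severity threshold. The report is a constructed sample in the shape of `trivy image --format json`, using the packages and CVE ids from the table above; `blocking_findings` and `gate_exit_code` are names chosen here.

```python
import json
import sys
from typing import Dict, List

# Severity ordering used to compare findings against the gate threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image --format json` (not a real scan).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "myapp:latest (debian 12.5)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-1234", "PkgName": "libcurl4", "Severity": "CRITICAL",
         "InstalledVersion": "7.88.1-10+deb12u4", "FixedVersion": "7.88.1-10+deb12u5"},
        {"VulnerabilityID": "CVE-2024-5678", "PkgName": "openssl", "Severity": "HIGH",
         "InstalledVersion": "3.0.11-1~deb12u1", "FixedVersion": "3.0.11-1~deb12u2"},
        {"VulnerabilityID": "CVE-2024-9012", "PkgName": "python3.12", "Severity": "MEDIUM",
         "InstalledVersion": "3.12.1-1", "FixedVersion": ""},   # no fix available yet
    ]}]})


def blocking_findings(report_json: str, fail_on: str = "HIGH",
                      ignore_unfixed: bool = True) -> List[Dict[str, str]]:
    """Return findings at or above `fail_on`, skipping unfixable ones if requested."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    hits = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits "Vulnerabilities": null for clean targets, hence `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                         "severity": sev, "fixed": vuln["FixedVersion"]})
    return hits


def gate_exit_code(report_json: str, fail_on: str = "HIGH") -> int:
    """CI exit status: 1 if any blocking finding exists, otherwise 0."""
    hits = blocking_findings(report_json, fail_on)
    for h in hits:
        print(f"{h['severity']:8} {h['id']} {h['pkg']} -> fix in {h['fixed']}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Pipe a real report in (`trivy image --format json myapp:latest | python gate.py`),
    # or run with no stdin to exercise the constructed sample.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate_exit_code(data))
```

Trivy can enforce the same policy natively with `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed`; a script like this is for when the gate needs rules those flags do not express, such as per-package exceptions.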
Kyverno Policies (K8s)
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-run-as-non-root
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Containers must not run as root"
        pattern:
          spec:
            securityContext:
              # Pod-level setting; a container's own securityContext can still override it
              runAsNonRoot: true
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-latest-tag
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Image tag 'latest' is not allowed"
        pattern:
          spec:
            containers:
              # Rejects an explicit :latest; an untagged reference (which also
              # resolves to latest) does not match this pattern, so pair it with
              # a rule that requires a tag ("*:*") if you need to cover that case.
              - image: "!*:latest"
```
Runtime Security (Falco)
```yaml
# Falco rule: shell in container
- rule: Terminal shell in container
  desc: "Detect shell execution inside container"
  condition: >
    spawned_process and container and
    (proc.name = bash or proc.name = sh or proc.name = zsh)
  output: >
    Shell opened in container (user=%user.name container=%container.info shell=%proc.name)
  priority: WARNING
```
Container Security Checklist
| Layer | Tool | What it checks |
|-------|------|----------------|
| Dockerfile | Hadolint | Best practices, security |
| Image | Trivy | Known CVEs |
| Registry | ECR scanning | Automatic scan on push |
| K8s admission | Kyverno | Enforce policies |
| Runtime | Falco | Behavioral anomalies |
| Network | Cilium | Zero-trust network |
Best Practices
- Use minimal base images (slim, alpine, distroless)
- Run as non-root user
- Scan images before every deployment
- Pin base image versions (no `:latest`)
- Use multi-stage builds
- Enable ECR scanning (continuous)
- Implement K8s pod security standards
- Monitor runtime with Falco
- Use read-only root filesystem
- Set resource limits (CPU, memory)