-
Use official images: Start with official base images from trusted sources, like the ones provided by the software vendor or Docker Hub. These images have been tested, optimized, and secured by the community.
-
Use a specific version: Specify an exact version for your base images to ensure consistency and avoid unexpected changes that can occur with the
latesttag.Example:
FROM node:14.17.6 -
Minimize layers: Each instruction in a Dockerfile creates a new layer in the image. Minimize the number of layers by combining related instructions.
Example: Instead of:
RUN apt-get update RUN apt-get install -y curlDo:
RUN apt-get update && \ apt-get install -y curl -
Use multi-stage builds: Multi-stage builds allow you to use multiple
FROMinstructions in a single Dockerfile. This can help reduce the final image size by only including the necessary files and dependencies.Example:
# Build stage FROM node:14.17.6 AS build WORKDIR /app COPY package*.json ./ RUN npm install COPY . . RUN npm run build # Production stage FROM node:14.17.6-alpine WORKDIR /app COPY --from=build /app/dist /app/dist CMD ["npm", "start"] -
Remove unnecessary files: Use a
.dockerignorefile to exclude files and directories that are not required for your application. This can help reduce the size of your images and prevent the accidental inclusion of sensitive data. -
Properly set permissions: Avoid running your application as the root user within the container. Instead, create a dedicated user and group for your application and set the proper permissions.
Example:
RUN groupadd -r myuser && useradd -r -g myuser myuser USER myuser
-
Use lightweight base images: Consider using lightweight base images like Alpine Linux for your applications. These images are smaller and have fewer components, which can help reduce the attack surface.
Example:
FROM node:14.17.6-alpine -
Remove unnecessary packages and dependencies: Only install the packages and dependencies that are required for your application. Remove any temporary files or build dependencies after they are no longer needed.
Example:
RUN apt-get update && \ apt-get install -y --no-install-recommends build-essential python && \ npm install && \ apt-get purge -y --auto-remove build-essential python && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* -
Compress layers: Use the
--squashflag when building your images to merge all layers into a single one. This can help reduce the final image size.Example:
docker build --squash -t my-image .
-
Avoid hardcoding secrets: Do not include secrets or sensitive data in your Dockerfile or source code. Instead, use environment variables or other external methods to provide this information at runtime.
-
Use Docker secrets: For Docker Swarm environments, use Docker secrets to securely store and manage sensitive data. Secrets are encrypted and can be accessed by services running in the swarm.
Example:
# Create a Docker secret echo "mypassword" | docker secret create my_secret - # Use the secret in a service docker service create \ --name my-service \ --secret my_secret \ my-image -
Use third-party secret management tools: For more advanced secret management, consider using third-party tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault. These tools provide additional features like dynamic secrets, access control, and auditing.
-
Use build-time secrets: If you need to use secrets during the build process, consider using build-time secrets with Docker BuildKit. This allows you to securely provide secrets during the build without storing them in the final image.
Example:
# Enable BuildKit export DOCKER_BUILDKIT=1 # Build with a secret echo "mypassword" | docker build --secret id=my_secret,src=- -t my-image .In your Dockerfile:
# syntax=docker/dockerfile:1.0-experimental FROM node:14.17.6 RUN --mount=type=secret,id=my_secret echo "The secret is: $(cat /run/secrets/my_secret)"