Its really easy to take you app, put it in a container and call it a day. But there is more work needed to make sure it's secure. But what?
- Check your FROM. Do you know what you're really building from?
- Stay up to date
- Keep it minimal. What does your app really need?
- Don't run as root!
- Check you've done your job right.
Check your FROM
When choosing an image to build off, make sure you choose something you trust!
Simply searching https://hub.docker.com/ for something like "node" in docker hub can find thousands of community made docker images for NodeJS apps.
BUT WAIT! Do we really know exactly what is running in those images? There could be malware, bitcoin miners and other unwanted code running in your containers if you built from these community images.
Something else to think about is support, some of these images haven't been updated in years! That means no security fixes at all for anything in the image. No OS fixes, no NodeJS fixes etc.
There's an easy way to fix all these problems, and that is to either use an official image or to make your own. To find an official image simply filter by "Official Images"
And there we go! The official NodeJS image, last updated 21 minutes ago! Since this is official, we can be pretty sure that there is nothing malicious running in this image and can rest assured that every time we build our Docker image, we're going to get the latest vulnerability fixes.
Stay up to date
When installing software in your docker images, make sure to not stop yourself receiving security patches. Lets look at an example:
FROM ubuntu:zesty RUN apt-get update && apt-get install nginx=1.80.3 ...
The above DockerFile works fine, but uses an old version of Ubuntu and will never upgrade NGINX. Its important to think hard and make conscious decisions when deciding what software to use. Does your app really not work with later versions of Ubuntu? Does your site really not work with later versions of NGINX?
How can we improve?
FROM ubuntu RUN apt-get update && apt-get install nginx ...
Just simply remove the strict versioning we had before! Now every time we build this Docker image, we'll be right up to date with every security patch available.
Keep it minimal
This ones simple, only install what you actually need! The more software in your image, the more potential security holes there are.
FROM node:alpine RUN apk add curl git htop zip unzip COPY app/ /opt/app ...
Does your app actually need curl? What about git? These tools seem harmless to have in your container but they can be very dangerous if your application was ever exploited.
Lets say you need unzip for putting files into your image with something like this:
COPY resources.zip /opt/ WORKDIR /opt/ RUN unzip resources.zip
If that's the only reason you needed unzip you should then uninstall the software after you've used it. This leads to a slightly larger Docker image but also a more secure Docker image.
Don't run as root!
Make sure to set the user your Docker container will run as using the USER declaration:
FROM node # Copy in code COPY app.js app.js # Create a new user called "myuser" and become them. RUN adduser myuser USER myuser CMD node app.js
The above example makes sure that even if an attacker got code execution in your app, they would still have limited access.
Check you've done your job right.
You're going to want to scan your finished Docker image for security vulnerabilities. That's where a tool like Phonito Security comes in!
phonito-scanner tool we can scan our newly built Docker image and check for any known vulnerabilities in the OS and software we've included from a huge database of thousands of aissues. Here's an example of scanning a container from the command line:
We can then also see reports from our scanned images from the dashboard with any vulnerabilities in the container as well as seeing all the software installed.
There's more to a Docker image than just having your app running, security has to be part of the design from the start. But it doesn't have to be difficult!
By following some simple rules and making sure you have the right reporting tools you can run vulnerability free and sleep easy at night.
Any feedback? Hit me up on our Slack! Or email me at firstname.lastname@example.org