100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Container Security Hardening Cheat Sheet

Container Security Hardening Cheat Sheet

Dockerfile hardening, image scanning, runtime restrictions, and Kubernetes security contexts to reduce container attack surface.

3 PagesAdvancedApr 8, 2026

Hardened Dockerfile

Non-root user, pinned base image, minimal surface, no build tools in final image.

dockerfile
FROM node:20.15-slim AS buildWORKDIR /appCOPY package*.json ./RUN npm ci --omit=devCOPY . .RUN npm run buildFROM gcr.io/distroless/nodejs20-debian12WORKDIR /appCOPY --from=build /app/dist ./distCOPY --from=build /app/node_modules ./node_modulesUSER 1000:1000EXPOSE 8080ENTRYPOINT ["dist/server.js"]

Scan Images in CI

Fail the build on high/critical CVEs using Trivy.

bash
trivy image --severity HIGH,CRITICAL --exit-code 1 \  --ignore-unfixed my-registry/my-app:${GIT_SHA}# Scan the Dockerfile itself for misconfigurationstrivy config .

Kubernetes Security Context

Pod-level restrictions that block common privilege-escalation paths.

yaml
apiVersion: v1kind: Podmetadata:  name: webspec:  securityContext:    runAsNonRoot: true    runAsUser: 1000    fsGroup: 2000    seccompProfile:      type: RuntimeDefault  containers:    - name: web      image: my-registry/my-app:1.4.0      securityContext:        allowPrivilegeEscalation: false        readOnlyRootFilesystem: true        capabilities:          drop: ["ALL"]

Hardening Checklist

The highest-leverage controls across build, image, and runtime.

  • Pin base images- use digests or exact tags, never `latest`
  • Multi-stage builds- keep compilers/build tools out of the runtime image
  • Non-root user- set USER in the Dockerfile and runAsNonRoot in Kubernetes
  • Read-only root FS- mount writable paths explicitly via emptyDir/volumes only
  • Drop capabilities- `drop: ["ALL"]` and add back only what's required
  • Signed images- sign with cosign and verify at admission (e.g. Kyverno/Sigstore policy)
  • Network policies- default-deny, allow only required pod-to-pod traffic
Pro Tip

Scan both the image AND the running cluster — a clean image at build time can still be vulnerable a week later when a new CVE is disclosed for a package already baked in, so pair CI scanning with a runtime scanner like Trivy Operator or an admission-controller policy that blocks known-bad digests.

Was this cheat sheet helpful?

Explore Topics

#ContainerSecurityHardening#ContainerSecurityHardeningCheatSheet#Cybersecurity#Advanced#HardenedDockerfile#ScanImagesInCI#KubernetesSecurityContext#HardeningChecklist#Security#Docker#Kubernetes#CheatSheet#SkillVeris