Container Security Hardening Cheat Sheet
Dockerfile hardening, image scanning, runtime restrictions, and Kubernetes security contexts to reduce container attack surface.
3 PagesAdvancedApr 8, 2026
Hardened Dockerfile
Non-root user, pinned base image, minimal surface, no build tools in final image.
dockerfile
FROM node:20.15-slim AS buildWORKDIR /appCOPY package*.json ./RUN npm ci --omit=devCOPY . .RUN npm run buildFROM gcr.io/distroless/nodejs20-debian12WORKDIR /appCOPY --from=build /app/dist ./distCOPY --from=build /app/node_modules ./node_modulesUSER 1000:1000EXPOSE 8080ENTRYPOINT ["dist/server.js"]
Scan Images in CI
Fail the build on high/critical CVEs using Trivy.
bash
trivy image --severity HIGH,CRITICAL --exit-code 1 \ --ignore-unfixed my-registry/my-app:${GIT_SHA}# Scan the Dockerfile itself for misconfigurationstrivy config .
Kubernetes Security Context
Pod-level restrictions that block common privilege-escalation paths.
yaml
apiVersion: v1kind: Podmetadata: name: webspec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 2000 seccompProfile: type: RuntimeDefault containers: - name: web image: my-registry/my-app:1.4.0 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: ["ALL"]
Hardening Checklist
The highest-leverage controls across build, image, and runtime.
- Pin base images- use digests or exact tags, never `latest`
- Multi-stage builds- keep compilers/build tools out of the runtime image
- Non-root user- set USER in the Dockerfile and runAsNonRoot in Kubernetes
- Read-only root FS- mount writable paths explicitly via emptyDir/volumes only
- Drop capabilities- `drop: ["ALL"]` and add back only what's required
- Signed images- sign with cosign and verify at admission (e.g. Kyverno/Sigstore policy)
- Network policies- default-deny, allow only required pod-to-pod traffic
Pro Tip
Scan both the image AND the running cluster — a clean image at build time can still be vulnerable a week later when a new CVE is disclosed for a package already baked in, so pair CI scanning with a runtime scanner like Trivy Operator or an admission-controller policy that blocks known-bad digests.
Was this cheat sheet helpful?
Explore Topics
#ContainerSecurityHardening#ContainerSecurityHardeningCheatSheet#Cybersecurity#Advanced#HardenedDockerfile#ScanImagesInCI#KubernetesSecurityContext#HardeningChecklist#Security#Docker#Kubernetes#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance