I’ve installed a docker container locally via a compose file and things seem to work fairly well.
Now, it would be great to have this setup on a VPS somewhere online.
How can I check the docker engine, docker compose and container for security?
That’s the one I’m talking about: Docker Compose | n8n Docs
How can I keep the setup secure over the coming months / years?
Use tools like Docker Scout or Trivy to detect known vulnerabilities in container images
Furthermore, you can use the Open Policy Agent for access control. It allows per-identity restrictions on Docker API usage. Note: this one might be tough to learn.
I’ve just tried trivy. Does this work with docker-compose.yml as well?
ls -lah
total 16K
drwxrwxr-x 2 tp tp 4,0K Jan 10 08:15 .
drwxrwxr-x 8 tp tp 4,0K Jan 10 06:32 ..
-rw-rw-r-- 1 tp tp 2,3K Jan 10 08:15 docker-compose.yml
-rw-rw-r-- 1 tp tp 471 Jan 10 06:36 .env
#:~/Software/Docker/n8n$ trivy fs --scanners vuln,secret,misconfig ./
2025-01-10T09:43:41+01:00 INFO Need to update DB
2025-01-10T09:43:41+01:00 INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
58.40 MiB / 58.40 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 5.11 MiB p/s 12s
2025-01-10T09:43:54+01:00 INFO Vulnerability scanning is enabled
2025-01-10T09:43:54+01:00 INFO Misconfiguration scanning is enabled
2025-01-10T09:43:54+01:00 INFO Need to update the built-in policies
2025-01-10T09:43:54+01:00 INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [----------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-10T09:43:55+01:00 INFO Secret scanning is enabled
2025-01-10T09:43:55+01:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-10T09:43:55+01:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2025-01-10T09:43:55+01:00 INFO Number of language-specific files num=0
2025-01-10T09:43:55+01:00 INFO Detected config files num=0
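Since the trivy run above reports no config files for the compose directory, here is an added example (not from this thread, n8n, or Trivy) of checking the compose file itself: a small Python script that reads the normalized JSON printed by `docker compose config --format json` and flags settings that weaken container isolation on a VPS. The WEAK and HARDENED samples are constructed, and the exact field layout of the normalized output is an assumption.

```python
import json
import sys

# Constructed samples in the shape `docker compose config --format json`
# is assumed to emit (long-form volumes and ports). Not the n8n compose file.
WEAK = json.dumps({"services": {"app": {
    "image": "example/app",
    "privileged": True,
    "network_mode": "host",
    "cap_add": ["SYS_ADMIN"],
    "volumes": [{"type": "bind", "source": "/var/run/docker.sock",
                 "target": "/var/run/docker.sock"}],
    "ports": [{"target": 5678, "published": "5678", "protocol": "tcp"}]}}})
HARDENED = json.dumps({"services": {"app": {
    "image": "example/app:1.2.3",
    "read_only": True,
    "cap_drop": ["ALL"],
    "volumes": [{"type": "volume", "source": "app_data", "target": "/data"}],
    "ports": [{"host_ip": "127.0.0.1", "target": 5678, "published": "5678",
               "protocol": "tcp"}]}}})

RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}

def audit(config):
    """Return (service, finding) pairs for settings that weaken isolation."""
    findings = []
    for name, svc in config.get("services", {}).items():
        image = svc.get("image", "")
        if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
            findings.append((name, "image tag floats; pin a version or digest"))
        if svc.get("privileged"):
            findings.append((name, "privileged: true removes most container isolation"))
        if svc.get("network_mode") == "host":
            findings.append((name, "network_mode: host shares the VPS network namespace"))
        for cap in svc.get("cap_add", []):
            if cap.upper() in RISKY_CAPS:
                findings.append((name, f"cap_add {cap} is close to root on the host"))
        for vol in svc.get("volumes", []):
            if vol.get("type") == "bind" and vol.get("source", "").endswith("docker.sock"):
                findings.append((name, "Docker socket mount equals root on the host"))
        for port in svc.get("ports", []):
            if port.get("host_ip") not in ("127.0.0.1", "::1"):
                findings.append((name, "port published on all interfaces; bind 127.0.0.1 behind a reverse proxy"))
        if not svc.get("read_only"):
            findings.append((name, "root filesystem writable; set read_only: true plus tmpfs where needed"))
    return findings

def audit_text(text):
    return audit(json.loads(text))

if __name__ == "__main__":
    # Pipe in `docker compose config --format json`; with no input the weak sample is audited.
    text = (sys.stdin.read() if not sys.stdin.isatty() else "") or WEAK
    for service, msg in audit_text(text):
        print(f"{service}: {msg}")
```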