OWASP Docker Security Cheat Sheet

Just found this, it’s a must read for everyone connecting containers to the Internet.

The aim of this cheat sheet is to provide an easy to use list of common security mistakes and good practices that will help you secure your Docker containers.

  1. Keep Host and Docker up to date
  2. Do not expose the Docker daemon socket (even to the containers)
  3. Set a user
  4. Limit capabilities (Grant only specific capabilities, needed by a container)
  5. Add --no-new-privileges flag
  6. Disable inter-container communication (--icc=false)
  7. Use Linux Security Module (seccomp, AppArmor, or SELinux)
  8. Limit resources (memory, CPU, file descriptors, processes, restarts)
  9. Set filesystem and volumes to read-only
  10. Use static analysis tools
  11. Set the logging level to at least INFO
  12. Lint the Dockerfile at build time

Source: Docker Security - OWASP Cheat Sheet Series

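A worked example of how items 2 to 9 and 11 of that list look when typed into a shell, added here as an illustration (it is not code from the OWASP page or from the post above). The image name, the UID 10001, the seccomp profile path, the capability kept and the resource numbers are assumptions to adapt to your own workload; everything else is standard `docker run` and `daemon.json` syntax.

```shell
#!/bin/sh
# Added example for the OWASP list above; not code from the cheat sheet or
# the forum post. IMAGE, UID 10001, SECCOMP_PROFILE, NET_BIND_SERVICE and the
# resource limits are assumptions to replace with your own values.

IMAGE="${IMAGE:-example/app:1.0}"                                    # assumption
SECCOMP_PROFILE="${SECCOMP_PROFILE:-/etc/docker/app-seccomp.json}"   # assumption

# Emit a hardened `docker run` command, one argument per line, so the plan
# can be reviewed before anything is started.
hardened_run_args() {
    set -- docker run
    # 3. Set a user: the application must not run as UID 0 inside the container.
    set -- "$@" --user 10001:10001
    # 4. Limit capabilities: drop everything, then add back only what is needed
    #    (NET_BIND_SERVICE assumed because the app binds a port below 1024).
    set -- "$@" --cap-drop=ALL --cap-add=NET_BIND_SERVICE
    # 5. no-new-privileges: setuid/setcap binaries cannot gain privileges.
    set -- "$@" --security-opt=no-new-privileges:true
    # 7. Linux Security Module: a seccomp profile that restricts the syscall set.
    set -- "$@" --security-opt="seccomp=$SECCOMP_PROFILE"
    # 8. Resource limits: memory (swap disabled by making it equal), CPU,
    #    processes, file descriptors and a bounded restart policy.
    set -- "$@" --memory=512m --memory-swap=512m --cpus=1 --pids-limit=100
    set -- "$@" --ulimit nofile=1024:2048 --restart=on-failure:5
    # 9. Read-only root filesystem, with a small noexec tmpfs for scratch data.
    set -- "$@" --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m
    set -- "$@" "$IMAGE"
    printf '%s\n' "$@"
}

# 2. Do not expose the Docker daemon socket: a bind mount of docker.sock gives
#    whoever is inside the container root on the host. Takes the command line
#    as one string and fails if the socket appears anywhere in it.
check_no_docker_socket() {
    case "$1" in
        *docker.sock*) return 1 ;;
    esac
    return 0
}

# Daemon-wide settings for items 6 and 11, plus no-new-privileges as the
# default for every container. Write to /etc/docker/daemon.json and restart
# the daemon for them to take effect.
daemon_json() {
    cat <<'EOF'
{
  "icc": false,
  "no-new-privileges": true,
  "log-level": "info"
}
EOF
}

# Print the plan; pass "run" as the first argument to actually start the container.
echo "# daemon.json:"
daemon_json
echo "# docker run plan:"
plan=$(hardened_run_args)
if ! check_no_docker_socket "$plan"; then
    echo "refusing to run: docker.sock would be mounted into the container" >&2
    exit 1
fi
printf '%s\n' "$plan"
if [ "${1:-}" = "run" ]; then
    hardened_run_args | xargs docker
fi
```

Running the script without arguments only prints the daemon configuration and the run command; `sh harden.sh run` starts the container. Note that `--restart` and `--rm` are mutually exclusive in `docker run`, which is why the example keeps the bounded restart policy and drops `--rm`. The `check_no_docker_socket` guard only catches the socket in a command line you build yourself; it does not replace the daemon-side controls, and items 1, 10 and 12 (patching, image scanning and Dockerfile linting) belong in the build pipeline rather than in the run command.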

Thank you for sharing it! I think it fits into Tips & HowTos so I moved the topic to that category.
