Container & Docker Security

What is Container Security?

Container security encompasses the protection of containerized applications throughout their lifecycle — from base image selection and build process to runtime deployment and orchestration. Vulnerabilities in container images, misconfigurations in orchestration, and supply chain risks in registries are primary concerns.

How Does it Work?

Container images are built from base images (often Debian, Alpine, Ubuntu) that may contain known CVEs. Applications add their own dependencies, each potentially vulnerable. Misconfigurations in Docker (privileged containers, exposed APIs) and Kubernetes (overpermissive RBAC, insecure defaults) create additional attack surface.

# VULNERABLE Dockerfile
FROM ubuntu:latest          # Unversioned, large attack surface
RUN apt-get update && apt-get install -y curl wget
COPY . /app
USER root                   # Running as root!
EXPOSE 8080
CMD ["node", "server.js"]

# SECURE Dockerfile
FROM node:20-alpine AS builder    # Minimal base, pinned version
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .

FROM gcr.io/distroless/nodejs20  # Distroless for production
COPY --from=builder /app /app
USER nonroot:nonroot              # Non-root user
EXPOSE 8080
CMD ["server.js"]

# VULNERABLE Kubernetes Pod
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    securityContext:
      privileged: true        # Container escape risk!
      runAsRoot: true

# SECURE Kubernetes Pod
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    securityContext:
      privileged: false
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false

Real-World Examples

Docker Hub has hosted malicious images that mine cryptocurrency. The Tesla Kubernetes cluster was compromised through an exposed dashboard. Container escape vulnerabilities (CVE-2024-21626) allow attackers to break out of containers to the host.

Security Impact

Container vulnerabilities enable lateral movement across microservices, access to secrets stored in orchestration platforms, container escape to host systems, and supply chain compromise through tampered base images.

Prevention & Mitigation

Use minimal base images (distroless, scratch). Scan images in CI/CD pipelines. Run containers as non-root. Apply network policies in Kubernetes. Use pod security standards. Implement image signing and verification. Monitor runtime behavior.

How Precogs AI Stops Container Security Issues

Precogs AI scans container images for vulnerabilities in base images and application dependencies, identifies hardcoded secrets in Dockerfiles and configuration, and detects misconfigurations in Kubernetes manifests through IaC analysis.