Madhu Akula

A practical guide to writing secure Dockerfiles

Your Dockerfile is a critical form of infrastructure as code. Learn to write secure, minimal images and automate security checks before deployment.

#1 (about 2 minutes)

Why Dockerfile security is a critical foundation

Dockerfiles act as the blueprint for container images, making their security essential for preventing supply chain attacks and infrastructure compromise.

#2 (about 5 minutes)

Following official Docker best practices for images

Start with small base images, use multi-stage builds, and manage the build context with a .dockerignore file to create efficient and secure containers.

#3 (about 4 minutes)

Advanced security practices for hardening Dockerfiles

Enhance security by running containers as a non-root user, using COPY instead of ADD, avoiding hardcoded secrets, and pulling from trusted image registries.

#4 (about 4 minutes)

Using Docker BuildKit to handle secrets securely

Docker's BuildKit allows mounting secrets and forwarding SSH agents during the build process, preventing sensitive credentials from being stored in image layers.
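The following Dockerfile is an added example written for this page, not code from the talk, that puts chapters 2, 3 and 4 together: a small pinned base image, a multi-stage build, COPY rather than ADD, a dedicated non-root user, and a BuildKit secret mount so a registry token never lands in an image layer. It assumes a Node.js application with package.json, package-lock.json, src/server.js, and an .npmrc file on the build host holding a private npm registry token; those paths and the image name are assumptions, not anything the talk specifies.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the talk. Assumed layout: package.json,
# package-lock.json and src/server.js in the build context; an .npmrc
# with a registry token exists on the build host and is passed in with
# --secret rather than copied into the image.

# --- Stage 1: build ---------------------------------------------------------
# Small, explicitly tagged base image. In an organisation, point FROM at your
# trusted registry mirror and pin by digest (image@sha256:...) so the build is
# reproducible and cannot silently pick up a different image.
FROM node:20-alpine AS build
WORKDIR /app

# COPY, not ADD: ADD would also fetch remote URLs and auto-extract archives,
# neither of which is wanted for plain dependency files.
COPY package.json package-lock.json ./

# BuildKit secret mount: the token is visible only to this RUN step and is
# never written into a layer, so it cannot be recovered from the image.
# Build with:
#   DOCKER_BUILDKIT=1 docker build --secret id=npmrc,src=$HOME/.npmrc -t app .
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    npm ci --omit=dev

COPY src ./src

# --- Stage 2: runtime -------------------------------------------------------
# Fresh image: the build toolchain and anything else from stage 1 that is
# not copied across explicitly does not ship.
FROM node:20-alpine
WORKDIR /app

# Dedicated unprivileged system user and group (Alpine/BusyBox syntax).
RUN addgroup -S app && adduser -S -G app app

# Only the build artefacts cross into the runtime stage, owned by the
# unprivileged user so the process cannot modify its own code at runtime.
COPY --from=build --chown=app:app /app/node_modules ./node_modules
COPY --from=build --chown=app:app /app/src ./src
COPY --chown=app:app package.json ./

# Everything from here on, including CMD, runs as the non-root user.
USER app
EXPOSE 3000
CMD ["node", "src/server.js"]
```

Pair this with a .dockerignore in the build context (for example `.git`, `node_modules`, `.env`, `*.pem`) so that local secrets and build debris are never sent to the daemon in the first place; COPY can only leak what the context contains. For a dependency fetched over SSH instead of a token, the same pattern applies with `RUN --mount=type=ssh` and `docker build --ssh default`, which forwards the host's SSH agent for that step without copying any key into the image.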

#5 (about 5 minutes)

Automating checks with linters like Hadolint and Dockle

Use automated linters like Hadolint for best practices and Dockle for CIS benchmark compliance to enforce security standards in your CI/CD pipeline.

#6 (about 2 minutes)

Reducing attack surface with Docker-slim

Docker-slim minifies container images by removing unnecessary files and can automatically generate seccomp and AppArmor profiles to harden runtime security.

#7 (about 3 minutes)

Analyzing image layers for security with Dive

The Dive tool provides a layer-by-layer inspection of a Docker image, helping to identify inefficiencies and potential security risks like backdoors.

#8 (about 4 minutes)

Introducing Open Policy Agent for custom policies

Open Policy Agent (OPA) and its language Rego provide a general-purpose engine for enforcing custom, organization-specific security policies on structured data like Dockerfiles.

#9 (about 6 minutes)

Writing custom Dockerfile policies with Conftest

Leverage Conftest to write and apply custom Rego policies that validate Dockerfiles against specific organizational rules, such as only allowing images from a trusted private registry.

#10 (about 2 minutes)

Next steps for implementing Dockerfile security

Implement security best practices early using linters in your IDE, integrate automated checks into CI/CD pipelines, and create standardized custom policies for your organization.

Related Articles

- Now is the time for industrialized software development (Andre Braun, GitLab)
- Dev Digest 194: AI vs. Version Control, Password Louvre & Cursed Webdev (Daniel Cranney)
- Dev Digest 138 - Are you secure about this? (Chris Heilmann)
- Building AI Solutions with Rust and Docker (Daniel Cranney)
