Container Security 2026
Docker Security
Container Hardening & Security
Rootless, seccomp, AppArmor, Cap-Drop, Image Scanning, CIS Benchmarks. Enterprise-grade Docker security.
Docker Security Fundamentals
Containers are not security boundaries. Default Docker is insecure: root in the container = root on the host. Hardening is mandatory for production.
Risks
- Root in the container
- Privileged mode
- Kernel exploits
- Image vulnerabilities
Protection
- Rootless Mode
- User Namespaces
- Seccomp Profiles
- Read-Only FS
Compliance
- CIS Benchmark
- DISA STIG
- NIST 800-190
- PCI DSS
Rootless Docker
Installation & Setup
# Rootless Docker Installation
curl -fsSL https://get.docker.com/rootless | sh
# Set environment variables
export PATH=/home/user/bin:$PATH
export DOCKER_HOST=unix:///run/user/1000/docker.sock
# Systemd Service
systemctl --user enable docker
systemctl --user start docker
# Verification
docker info --format '{{ .SecurityOptions }}'
Rootless Daemon Config
# ~/.config/docker/daemon.json
{
  "userns-remap": "default",
  "live-restore": true,
  "no-new-privileges": true,
  "selinux-enabled": true,
  "apparmor-default": "docker-default",
  "seccomp-profile": "/etc/docker/seccomp-default.json",
  "cgroup-parent": "docker.slice",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}
Hardened Container Runtime
Secure Docker Run
docker run -d \
  --name secure-app \
  --user 1000:1000 \
  --read-only \
  --security-opt no-new-privileges=true \
  --security-opt seccomp=seccomp-profile.json \
  --security-opt apparmor=docker-default \
  --cap-drop ALL \
  --cap-add NET_BIND_SERVICE \
  --memory 512m \
  --memory-swap 512m \
  --cpus 1.0 \
  --pids-limit 100 \
  --tmpfs /tmp:noexec,nosuid,size=100m \
  --tmpfs /var/tmp:noexec,nosuid,size=100m \
  -p 8080:8080 \
  company/app:latest
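An added example (not code from the original page): a Python check that reads `docker inspect` entries and reports which of the hardening flags from the Secure Docker Run command are missing on a container. The two sample entries are constructed, and `ALLOWED_CAPS` is an assumption based on the single `--cap-add` shown above.

```python
import json

# Constructed sample: two `docker inspect` entries trimmed to the audited fields.
SAMPLE = json.loads("""
[{"Name": "/secure-app", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
    "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
    "SecurityOpt": ["no-new-privileges:true", "apparmor=docker-default"],
    "Memory": 536870912, "PidsLimit": 100}},
 {"Name": "/legacy-app", "Config": {"User": ""},
  "HostConfig": {"Privileged": true, "ReadonlyRootfs": false,
    "CapDrop": null, "CapAdd": ["SYS_ADMIN"],
    "SecurityOpt": ["seccomp=unconfined"], "Memory": 0, "PidsLimit": null}}]
""")

ALLOWED_CAPS = {"NET_BIND_SERVICE"}  # assumption: the only capability the page adds back


def _caps(values):
    """Normalise capability names (upper-case, no CAP_ prefix); None becomes empty."""
    return {v.upper().removeprefix("CAP_") for v in (values or [])}


def audit(container):
    """Return findings for one `docker inspect` entry; an empty list means hardened."""
    cfg, host = container.get("Config", {}), container.get("HostConfig", {})
    # Docker accepts both "key:value" and "key=value" in --security-opt
    opts = [o.replace(":", "=", 1) for o in (host.get("SecurityOpt") or [])]
    findings = []
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("runs as root (--user missing)")
    if host.get("Privileged"):
        findings.append("privileged mode")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (--read-only missing)")
    if "ALL" not in _caps(host.get("CapDrop")):
        findings.append("capabilities not dropped (--cap-drop ALL missing)")
    extra = _caps(host.get("CapAdd")) - ALLOWED_CAPS
    if extra:
        findings.append("unexpected capabilities added: " + ",".join(sorted(extra)))
    if not any(o in ("no-new-privileges", "no-new-privileges=true") for o in opts):
        findings.append("no-new-privileges not set")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp disabled")
    if not host.get("Memory"):
        findings.append("no memory limit")
    if (host.get("PidsLimit") or 0) <= 0:
        findings.append("no PID limit")
    return findings
```

On a host, parse the output of `docker inspect <container>` with `json.loads` and pass each element to `audit()`.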
Seccomp Profile
// seccomp-profile.json - Blocks dangerous syscalls
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86"],
  "syscalls": [
    {
      "names": [
        "accept", "accept4", "bind", "clone", "close",
        "connect", "epoll_create", "epoll_create1"
      ],
      "action": "SCMP_ACT_ALLOW"
    },
    {
      "names": ["ptrace", "mount", "umount2", "reboot"],
      "action": "SCMP_ACT_KILL"
    }
  ]
}
Hardened Dockerfile
Multi-Stage Security Build
# Stage 1: Build
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force
COPY . .
RUN npm run build

# Stage 2: Production (Distroless)
FROM gcr.io/distroless/nodejs20-debian12:nonroot
WORKDIR /app

# Copy only necessary files
COPY --from=builder --chown=nonroot:nonroot /app/dist ./dist
COPY --from=builder --chown=nonroot:nonroot /app/node_modules ./node_modules

# Non-root user
USER nonroot:nonroot

# Runtime configuration (the read-only root filesystem is enforced at run time with --read-only)
ENV NODE_ENV=production
ENV PORT=8080
EXPOSE 8080

# Exec form only: the distroless image has no shell, so a trailing "|| exit 1" cannot run
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD ["/nodejs/bin/node", "dist/healthcheck.js"]

CMD ["dist/server.js"]
Image Scanning
Trivy Scan in CI/CD
# .github/workflows/security-scan.yml
name: Container Security Scan
on: [push, pull_request]
# upload-sarif needs write access to security events
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
        # Pin to a release tag or commit SHA instead of a mutable branch
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1' # Fail on CRITICAL/HIGH
      - name: Upload to GitHub Security tab
        # Run even when the scan step fails, so the findings are still uploaded
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
Docker Security Assessment
Validate your container configuration against CIS Benchmarks.