Ensuring Container Image Security: A Must-Have in DevSecOps

Ensuring Container Image Security: A Must-Have in DevSecOps February 11, 2026 · 8 min read · Security

Bob Reselman (Guest Author)
April 10, 2019

With the rise of new tech, a plethora of engineering jobs become available. This has opened up a number of unique and diverse career paths for software testers as well, such as security testing and management. In this article, you’ll discover why a focus on security is so important to the advancement and sustained usage of containers, giving you a glimpse into the world of security testing.

Ensuring Container Image Security: A Necessary Step in Application Testing

Containers have introduced a new level of efficiency and power to distributed computing. Yet, the advantages that containers provide can be offset quickly by the security risks they incur unless an enterprise exercises constant vigilance.

Allow me to elaborate.

There’s a fundamental problem with container security that is very similar to the one associated with any kind of binary executable: you truly don’t know what’s on the inside. Once something is compiled into a binary format, its internals become unintelligible. The file that you think is nothing more than a video of somebody’s cat dancing the rhumba might really be hosting secret code that executes malicious actions on your file system.

The same is true of containers. You might think that you’ve downloaded a container image that does nothing more than run a web site that converts .csv files to .json format. Yet behind the scenes, that container also has code that’s probing your network in search of passwords, credit card information and encryption keys.

These days container security is on the minds of many, especially in light of the recent news that RunC, the container runtime for Docker, Kubernetes and other container orchestration technologies, has a potentially ruinous security vulnerability that allows a malicious container to overwrite RunC in order to get root-level access to the host. Once a container has root-level access, it’s effectively in control of the system.

As much as containers are a boon to the modern enterprise, they are also a potential hazard. Protective measures need to be taken. Thus, it’s critical that companies have processes in place that safeguard against bad containers getting into the enterprise. Part of that safeguard is to have testing practices that ensure that the containers being deployed anywhere in the enterprise, from development to production, are secure. Ensuring container security is an arduous undertaking. It encompasses how containers are made, how they are deployed and, once deployed, how they are monitored. Each step in the process is worthy of an article of considerable length. But, we need to start somewhere. So for this article, let’s take a look at the first step in the process: making secure container images.

Creating Secure Container Images

A container image is the template from which a container is created and run. You can think of a container as an instance of a container image, very much in the same way that an object is an instance of a class in object-oriented programming. A container image is created by running the Docker command:


docker build

for example

docker build -t pinger:v1 .

WHERE

docker is the command

build is the subcommand

-t indicates the name of the container image and optional tag name

pinger:v1 is the name of the container image to build according to the defined Dockerfile

. indicates using the Dockerfile local to the build command


When docker build is invoked, Docker looks for a file named Dockerfile, which typically is at the location in the file system where the build command is invoked, as indicated by the dot in the build example shown above. docker build uses the information in the Dockerfile to construct the container image.


Creating a secure container can be a challenge due to the nature of container construction itself. Take a look at Listing 1 below. It’s the Dockerfile for a simple NodeJS web application I made.

FROM node:8.15-alpine

EXPOSE 3000

COPY server.js .

CMD node server.js

Listing 1: A Dockerfile for creating a simple NodeJS web application

The Dockerfile tells Docker to do 4 things to construct the container image. (1) Download a base container image, node:8.15-alpine, from the DockerHub repository. This base image has the executable and operating system libraries necessary to run NodeJS. (2) Open port 3000 on the container in order to allow users to access the web application. (3) Copy the file server.js from my local filesystem into the container image. server.js is the file that contains the application behavior the node will run. And, finally (4) invoke Node JS to run the file.

That’s all there is to it. Now, in terms of doing a security audit, things are pretty straightforward. All of the application logic resides in server.js, which is a text file. It’s just a matter of running some software that performs a security scan against my local file system. No biggie, right? Wrong!

The issue is not the file server.js. The issue is the base container image, node:8.15-alpine. Let me explain.

The way Docker works is that one container image can use another container image (or images) as a base. Then, once the base image(s) is defined, the container image under construction will build upon the base image(s).

This architecture is very effective in that it allows developers to leverage existing work. For example, when I want to create a Node application as a Docker image, all I need is to specify a pre-existing Node JS container and add my application code, as you can see in the Dockerfile shown above in Listing 1. I don’t have to get all the dependencies that NodeJS needs. The base NodeJS container image takes care of all that.

However, building an application into a container image that uses a pre-existing base image creates a security problem. Unless certain precautions are taken, we have no way of knowing what’s in that base container image. Remember, the base container image comes from DockerHub, which is a third-party repository external to the enterprise. We can hope it’s a good actor, but how do we know for sure?

One thing we can do is to go out to DockerHub and take a look at the actual repository for node:8.15-alpine. The documentation for the image is comprehensive. In fact, the documentation even has a link to the Dockerfile for the image out on GitHub. So, we should be safe, right? Well…maybe. Take a look at Listing 2 below, which is the first line of the Dockerfile for node:8.15-alpine.

FROM alpine:3.8

Listing 2: A snippet of the Dockerfile for node:8.15-alpine.

Notice anything interesting? Hopefully, you said, “Hey look, we have one container image using another container image, which in turn uses yet another container image. Where does it end?”

The reality is that any Docker image is but the last link in a chain of prior Docker images. That chain might be very, very long. So the question is, given that any container image might be and most probably is made up of many other Docker images, how do we ensure the security of that image?

And that, my friend, is the question.

The first thing to do at the enterprise level is to make sure that there is a central authority that builds container images and that all container images are stored in a common secure repository. This means that while developers can and should create container images for their local work, they should never be the authority to deploy an image. Rather, developers need to deploy their Dockerfiles only and let certified personnel do security testing against the given Dockerfile, as well as the container images and containers that are the product of the Dockerfile.

Qualified security personnel will not only test and build container images and continuously verify that the containers running in production are not malicious, but they will also deploy well-tested container images to repositories that are properly secured. Such repositories might be hosted by a third party that provides security certification, such as DockerHub or Google Container Registry in conjunction with Google Container Analysis, or the container images might be hosted privately on premises and subject to inspection using well-respected analysis tools.

This brings us to container build policy. Controlling container build events and applying testing and tooling to ensure container security are good and useful practices. But, the implementation of such practices needs to be part of an overall container build and test security policy. The depth and breadth of such a policy will vary according to the company and the inherent risk. Some companies might allow using base images that are deemed safe and “official” by well-known repository hosts such as DockerHub. Other companies might be more stringent and require that all container images be built from scratch and stored in private repositories on-premises, under tight access control. It’s a matter of risk and impact. But, regardless of the degree of scrutiny exerted, the most important thing to understand is that ensuring security at the container image level is crucial and that an adequate container image security testing policy must be published. Also, the procedures to ensure compliance with the policy must be in force.
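As an added example (not code from the original article), here is a small Python checker that follows the FROM chain behind Listing 2 (pinger:v1 to node:8.15-alpine to alpine:3.8 to scratch) and then applies a build policy of the kind described above to every link: each base must be digest-pinned and come from an approved registry. The embedded Dockerfile texts, the registry name registry.example.internal and the policy rules are constructed assumptions; in practice the Dockerfile map would be populated from the repositories the central build authority controls.

```python
import re
# Constructed Dockerfile texts standing in for what you would fetch from DockerHub or GitHub;
# the pinger and node entries mirror Listings 1 and 2, and the upstream bodies are cut short.
DOCKERFILES = {
    "pinger:v1": "FROM node:8.15-alpine\nEXPOSE 3000\nCOPY server.js .\nCMD node server.js\n",
    "node:8.15-alpine": "FROM alpine:3.8\nRUN addgroup -g 1000 node\n",
    "alpine:3.8": "FROM scratch\nADD rootfs.tar.xz /\nCMD [\"/bin/sh\"]\n",
}
# Hypothetical build policy: every base must be digest-pinned and come from this registry.
ALLOWED_REGISTRIES = ("registry.example.internal",)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)

def registry_of(ref):
    """Registry host a reference resolves to; bare names like node:8.15-alpine mean docker.io."""
    head = ref.split("/", 1)[0]
    return head if "/" in ref and ("." in head or ":" in head or head == "localhost") else "docker.io"

def base_images(text):
    """Image references named by FROM lines, skipping references to earlier build stages."""
    stages, refs = set(), []
    for m in filter(None, map(FROM_RE.match, text.splitlines())):
        ref, alias = m.group(1), m.group(2)
        if ref not in stages:
            refs.append(ref)
        if alias:
            stages.add(alias)
    return refs

def base_chain(image, dockerfiles=DOCKERFILES, seen=()):
    """Follow FROM links until scratch, a cycle, or an image whose Dockerfile we cannot see."""
    chain = [image]
    if image == "scratch" or image in seen or image not in dockerfiles:
        return chain
    for base in base_images(dockerfiles[image]):
        chain += base_chain(base, dockerfiles, seen + (image,))
    return chain

def policy_violations(image, dockerfiles=DOCKERFILES, allowed=ALLOWED_REGISTRIES):
    """One finding per link below the top image that is unverifiable, unpinned, or off-registry."""
    findings = []
    for ref in base_chain(image, dockerfiles)[1:]:
        if ref == "scratch":
            continue  # scratch is the empty root of every chain, nothing to verify
        if ref not in dockerfiles:
            findings.append(f"{ref}: Dockerfile unavailable, chain cannot be verified")
        if "@sha256:" not in ref:
            findings.append(f"{ref}: not pinned by digest")
        if registry_of(ref) not in allowed:
            findings.append(f"{ref}: registry {registry_of(ref)} not approved")
    return findings
```

Running policy_violations("pinger:v1") reports both links below the application image as unpinned and pulled from docker.io, which is exactly the unverified chain the article warns about; a chain rebuilt from digest-pinned images on the approved registry comes back clean.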

Avoid the Risks at Your Own Peril

Back in May of 2018, the security publication CSO reported that according to Doug Cahill at Enterprise Strategy Group, only 34% of those surveyed said that they “need to ensure that container images stored in container registries meet their organization’s security and compliance requirements.” That’s right, only 34%! Yet, in that same report, 74% say that they use or plan to use containers for new and some pre-existing applications. According to these figures, more containers are indeed coming online by an order of magnitude. Sadly, nowhere near as much attention is being planned to be given to the security needs around those containers. The risks are apparent and they are significant.

As containers continue to proliferate across the IT landscape, adoption will take two paths -- there will be companies that have the wisdom to put container security at the forefront of adoption and there are those that won’t. Those that won’t will be doing so at great risk. Those on the wise path will do well to make security testing of container images an important activity in the pursuit of comprehensive container security.
