Docker Security: A Practical Guide
A comprehensive, hands-on guide to Docker security best practices with real-world examples and lab exercises.
π― What You'll Learn
This guide takes you from basic Docker security concepts to advanced hardening techniques through practical, reproducible lab exercises. Each lab builds on previous knowledge while remaining self-contained.
Core Topics Covered
- Security Auditing: Using Docker Bench Security for CIS compliance
- Secure Images: Building hardened, minimal container images
- Least Privilege: Implementing proper access controls
- Image Signing: Verifying container authenticity
- Network Security: Isolating and securing container communications
- AI/ML Security: Protecting machine learning workloads
- Supply Chain Security: SBOM generation and vulnerability scanning
- Network Architecture: Multi-tier segmentation and encryption
π Lab Structure
Level 1: Fundamentals (Labs 01-06)
Foundation labs covering essential Docker security concepts.
Lab 01: Security Auditing with Docker Bench
What You'll Learn:
- Run comprehensive security audits using Docker Bench Security
- Understand CIS Docker Benchmark compliance checks
- Identify common security misconfigurations
- Fix vulnerable container configurations
Key Concepts:
- Privileged container detection
- Network namespace isolation
- Capability management
- Security profile enforcement
Time: 30-45 minutes
Lab 02: Secure Container Configurations
What You'll Learn:
- Compare insecure vs secure container configurations
- Understand and apply Linux capabilities
- Implement read-only filesystems
- Use tmpfs for required write operations
- Apply security options like no-new-privileges
Key Concepts:
- Linux capability system
- Read-only root filesystems
- Capability dropping (drop all, add specific)
- tmpfs mounts with noexec and nosuid
- Container hardening without breaking functionality
Time: 45-60 minutes
Lab 03: Least Privilege Containers
What You'll Learn:
- Run containers as non-root users
- Drop unnecessary Linux capabilities
- Implement read-only filesystems
- Configure security contexts
Key Concepts:
- User namespace remapping
- Capability dropping
- Resource constraints
- Security policies
Time: 30-45 minutes
Lab 04: Image Signing and Verification
What You'll Learn:
- Sign container images with Cosign
- Verify image signatures before deployment
- Implement Docker Content Trust
- Enforce signing policies
- Manage signing keys securely
Key Concepts:
- Digital signatures and cryptographic verification
- Cosign and Sigstore project
- Docker Content Trust (DCT)
- Keyless signing with OIDC
- Supply chain attack prevention
- Policy enforcement for signed images
Time: 45-60 minutes
Lab 05: Network Security Basics
What You'll Learn:
- Configure secure Docker networks
- Implement network policies
- Use service mesh patterns
- Secure inter-container communication
Key Concepts:
- Custom bridge networks
- Network segmentation
- Encrypted communication
- Traffic control
Time: 30-45 minutes
Lab 06: AI Model Security
What You'll Learn:
- Secure containerized machine learning workloads
- Set appropriate resource limits for ML containers
- Implement input validation and rate limiting
- Protect model intellectual property
- Monitor ML container behavior
- Deploy ML models securely in production
Key Concepts:
- Resource management for ML workloads
- Model extraction and adversarial attacks
- API authentication and authorization
- Input validation for ML endpoints
- Model encryption and access control
- Monitoring and anomaly detection for ML services
Time: 60-90 minutes
Level 2: Advanced Security (Labs 07-08)
Advanced labs covering supply chain security and comprehensive network security.
Lab 07: Supply Chain Security with SBOM
What You'll Learn:
- Generate Software Bill of Materials (SBOM) using Syft
- Scan SBOMs for vulnerabilities with Grype
- Compare SBOM versions to track changes
- Integrate SBOM generation into CI/CD pipelines
- Meet compliance requirements (Executive Order 14028)
Key Concepts:
- SBOM formats (SPDX, CycloneDX, Syft JSON)
- Supply chain transparency
- Vulnerability management
- Dependency tracking
- CVE detection and remediation
- CI/CD security automation
Key Tools:
- Syft: SBOM generation
- Grype: Vulnerability scanning
- Azure DevOps and GitHub Actions: CI/CD integration
Time: 45-60 minutes
Why This Matters:
- Required for US federal software (EO 14028)
- Enables rapid response to vulnerabilities (e.g., Log4Shell)
- Provides complete software inventory
- Supports compliance audits (PCI DSS, SOC 2)
Lab 08: Docker Network Security (5 Scenarios)
What You'll Learn:
- Implement network isolation between containers
- Design multi-tier segmented architectures
- Use internal networks for complete database isolation
- Configure TLS encryption for container-to-container communication
- Identify and fix 8 common network misconfigurations
5 Interactive Scenarios:
Scenario 1: Network Isolation (3-4 minutes)
- Create isolated networks with DNS resolution
- Implement gateway containers spanning multiple networks
- Understand network boundaries
Scenario 2: Multi-Tier Segmentation (4-5 minutes)
- Design 3-tier architecture (web/app/database)
- Force traffic through monitored gateways
- Prevent direct web-to-database access
Scenario 3: Internal Networks (3-4 minutes)
- Use internal networks with no external gateway
- Achieve complete database isolation
- Meet PCI DSS and HIPAA requirements
Scenario 4: TLS Encryption (4-5 minutes)
- Generate self-signed certificates
- Configure nginx with TLS
- Implement encrypted container communication
- Understand TLS performance implications
Scenario 5: Common Misconfigurations (3-4 minutes)
- Learn 8 common network security mistakes:
- Using default bridge network (no DNS)
- Using
--network host(bypasses security) - Exposing unnecessary ports (databases)
- No resource limits (DoS risk)
- Running as root
- Using
--privilegedmode - Flat network architecture
- No health checks
Key Concepts:
- Defense in depth
- Network segmentation
- Zero-trust architecture
- TLS/mTLS implementation
- Resource management
- Security misconfiguration prevention
Time: 18-22 minutes (all scenarios) or 3-5 minutes each
Why This Matters:
- Prevents lateral movement during breaches
- Meets compliance requirements
- Protects sensitive data in transit
- Enables zero-trust architectures
- Real-world production patterns
Level 3: Red Team / Offensive Security (Lab 09)
Hands-on container escape scenarios β understanding how attackers break out of containers.
Lab 09: Docker Runtime Escape (5 Scenarios)
What You'll Learn:
- Execute 5 real container escape techniques in a controlled environment
- Understand why blocking docker.sock alone is not sufficient
- Implement runtime detection with Falco and admission control with Kyverno
- Audit containers for dangerous configurations that standard scans miss
5 Escape Scenarios:
Scenario 1: Docker Socket Escape (25 min)
- Mount docker.sock β install Docker CLI β create privileged container β mount host / β chroot to host root
- The most common escape in production (Jenkins, Portainer, DinD, Watchtower)
Scenario 2: Privileged Container Escape (15 min)
- 5 demonstrations: capability comparison, host filesystem via block device, network namespace escape, cgroup release_agent (Felix Wilhelm technique), detection
--privilegeddisables every security boundary simultaneously
Scenario 3: CAP_SYS_ADMIN Abuse (20 min)
- Single capability that enables 30+ system operations including mount and namespace manipulation
- Passes standard security audits (
Privileged: false) while providing near-privileged access
Scenario 4: Host Path Mount Abuse (15 min)
/etcbind mount reads credentials directly; docker.sock escalation chain (two containers cooperating)- Risk-classified audit: CRITICAL (docker.sock), HIGH (/etc), MEDIUM (system paths)
Scenario 5: /proc and /sys Exposure (15 min)
- Reconnaissance: kernel version β CVE targeting, network data β lateral movement, process list β service discovery
- Read-only mounts prevent writes but not information disclosure
Key Concepts:
- Container isolation boundaries and how each is broken
- The audit gap: what scanners check vs what attackers exploit
- Defense-in-depth: Falco rules, Kyverno admission policies, audit scripts
- Docker Desktop vs Linux host behavioral differences
Defense Artifacts Generated:
- Falco runtime detection rules (Scenarios 3, 4, 5)
- Kyverno admission policies (Scenarios 4, 5)
- Audit scripts with risk classification (Scenarios 2, 3, 4, 5)
Time: 2-2.5 hours (all scenarios) or 15-25 minutes each
Why This Matters:
- Blocking docker.sock and --privileged is necessary but not sufficient
- CAP_SYS_ADMIN, host mounts, and /proc are the blind spots attackers use next
- Runtime detection rules generated here are production-ready
π Getting Started
Prerequisites
- Docker Engine 20.10+
- Docker Compose 2.0+
- Linux, macOS, or Windows with WSL2
- Basic Docker knowledge
- Terminal/command line familiarity
Quick Start
Clone the repository:
git clone https://github.com/opscart/docker-security-practical-guide.git cd docker-security-practical-guideStart with Lab 01:
cd labs/01-docker-bench-security ./run-audit.shFollow along with the README in each lab directory
π How to Use This Guide
For Beginners
- Start with Lab 01 to understand security auditing
- Progress sequentially through Level 1 (Labs 01-06)
- Complete all exercises before moving forward
- Review the "Common Issues" sections
- Move to Level 2 (Labs 07-08) for advanced topics
For Experienced Users
- Jump to specific labs based on your needs
- Use as a reference for security patterns
- Adapt examples to your use cases
- Focus on Level 2 labs for advanced techniques
- Contribute improvements via pull requests
For Security Auditors
- Use Lab 01 for baseline security assessments
- Reference CIS Benchmark mappings
- Lab 07 for supply chain compliance
- Lab 08 for network architecture reviews
- Adapt checklists for your compliance needs
- Document findings using provided templates
For DevOps/Platform Engineers
- Lab 07 for CI/CD security integration
- Lab 08 for production network architecture
- Use automation scripts in your pipelines
- Implement security best practices from all labs
π§ Lab Setup
Each lab is self-contained and includes:
README.md: Comprehensive guide with theory and practicedocker-compose.yml: Ready-to-run configurations- Scripts: Automation for common tasks
- Examples: Both vulnerable and secure configurations
- CI/CD configs: Azure DevOps and GitHub Actions (Labs 07-08)
Running a Lab
# Navigate to lab directory
cd labs/XX-lab-name
# Review the README
cat README.md
# Run the lab exercise
./run-demo.sh # or specific lab script
# Clean up
./cleanup.sh
π Learning Path
Level 1: Fundamentals
Lab 01: Security Auditing (CIS Benchmark)
β
Lab 02: Secure Configurations (Capabilities, Read-only FS)
β
Lab 03: Least Privilege (Non-root, Resource Limits)
β
Lab 04: Image Signing (Cosign, Content Trust)
β
Lab 05: Network Security Basics (Custom Networks)
β
Lab 06: AI/ML Security (Model Protection)
Level 2: Advanced
Lab 07: Supply Chain Security
(SBOM, Vulnerability Scanning)
β
Lab 08: Network Security
(5 Scenarios: Isolation to Encryption)
Level 3: Red Team
Lab 09: Runtime Escape
(5 Scenarios: Socket to /proc)
Estimated Time:
- Level 1 (Labs 01-06): 4-6 hours
- Level 2 (Labs 07-08): 2-3 hours
- Level 3 (Lab 09): 2-2.5 hours
- Complete guide: 8-11.5 hours
- With practice exercises: 12-17 hours
π οΈ Tools & Technologies
Security Tools Used
Level 1:
- Docker Bench Security: CIS compliance auditing
- Trivy: Vulnerability scanning
- Cosign: Container signing
- Anchore: Image analysis
- Notary: Content trust
Level 2:
- Syft: SBOM generation (Lab 07)
- Grype: Vulnerability scanning (Lab 07)
- OpenSSL: Certificate generation (Lab 08)
- nginx: TLS configuration (Lab 08)
Technologies Covered
- Docker Engine & Docker Compose
- Linux Security Modules (AppArmor, SELinux)
- Seccomp profiles
- User namespaces
- Capability systems
- Docker networking (bridge, internal, overlay)
- TLS/mTLS encryption
- CI/CD integration (Azure DevOps, GitHub Actions)
π Best Practices Summary
Image Security
- Use minimal base images (alpine, distroless)
- Scan for vulnerabilities regularly
- Generate and maintain SBOMs (Lab 07)
- Sign and verify images (Lab 04)
- Use specific tags, never
latest - Implement multi-stage builds
Runtime Security
- Run as non-root user (Lab 03)
- Drop unnecessary capabilities (Lab 02)
- Use read-only filesystems (Lab 02)
- Enable security profiles
- Set resource limits (Lab 08)
- Implement health checks (Lab 08)
Network Security
- Use custom bridge networks (Lab 08)
- Implement multi-tier segmentation (Lab 08)
- Use internal networks for databases (Lab 08)
- Avoid host network mode (Lab 08)
- Encrypt traffic with TLS (Lab 08)
- Control ingress/egress
Supply Chain Security (Lab 07)
- Generate SBOMs for all images
- Scan regularly for vulnerabilities
- Track dependency changes
- Automate in CI/CD pipelines
- Meet compliance requirements
- Respond quickly to CVEs
Secrets Management
- Never hardcode credentials
- Use Docker secrets or external vaults
- Rotate secrets regularly
- Limit secret access scope
- Audit secret usage
Operational Security
- Regular security audits (Lab 01)
- Keep Docker updated
- Monitor container behavior
- Log security events
- Incident response plan
- Track SBOM and vulnerability changes (Lab 07)
ποΈ Architecture Patterns
Multi-Tier Segmentation (Lab 08)
ββββββββββββββββ ββββββββββββββββ βββββββββββββββββββ
β Public Net β β App Net β β Database Net β
β β β β β (INTERNAL) β
β [Web] ββββββββΊβ [App] ββββββββΊβ [DB] β
β :8443 β TLS β β β No Gateway β
ββββββββββββββββ ββββββββββββββββ βββββββββββββββββββ
β²
β
Internet
Supply Chain Security (Lab 07)
[Container] β [Syft] β [SBOM] β [Grype] β [Security Report]
β
[SPDX/CycloneDX/JSON]
β
[CVE Database]
β
[Critical/High/Medium/Low]
π€ Contributing
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Add your improvements
- Test thoroughly
- Submit a pull request
Contribution Ideas
- Additional lab exercises
- Security tool integrations
- Cloud platform examples (AWS, Azure, GCP)
- Kubernetes security labs
- Advanced threat scenarios
- Additional SBOM formats
- More network security patterns
π Additional Resources
Official Documentation
- Docker Security
- CIS Docker Benchmark
- Docker Bench Security
- Syft (SBOM Generation)
- Grype (Vulnerability Scanning)
Security Standards
- NIST Container Security
- OWASP Docker Top 10
- CIS Controls
- Executive Order 14028 - SBOM Requirements
SBOM Resources (Lab 07)
Network Security Resources (Lab 08)
Community Resources
π Troubleshooting
Common Issues
Issue: Permission denied running scripts
chmod +x script-name.sh
Issue: Docker daemon not running
sudo systemctl start docker
Issue: Port already in use
docker ps # Check running containers
docker-compose down # Stop services
lsof -i :PORT # Find process using port
Issue: Image pull failures
docker login # Authenticate if needed
docker pull image-name # Manual pull to test
Issue: Syft/Grype not found (Lab 07)
# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Install Grype
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
Issue: Certificate generation fails (Lab 08)
# Ensure OpenSSL is installed
openssl version
# Check certificate generation script
cd labs/08-network-security/certs
chmod +x generate-certs.sh
./generate-certs.sh
Issue: Network already exists (Lab 08)
# Clean up all networks
cd labs/08-network-security
./cleanup.sh
π Lab Completion Status
Track your progress:
- [ ] Lab 01: Security Auditing β±οΈ 30-45 min
- [ ] Lab 02: Secure Configurations β±οΈ 45-60 min
- [ ] Lab 03: Least Privilege β±οΈ 30-45 min
- [ ] Lab 04: Image Signing β±οΈ 45-60 min
- [ ] Lab 05: Network Security Basics β±οΈ 30-45 min
- [ ] Lab 06: AI/ML Security β±οΈ 60-90 min
- [ ] Lab 07: Supply Chain Security (SBOM) β±οΈ 45-60 min
- [ ] Lab 08: Network Security (5 Scenarios) β±οΈ 18-22 min
- [ ] Lab 09: Runtime Escape (5 Scenarios) β±οΈ 2-2.5 hrs
Total Time: 8-11.5 hours
π License
MIT License - see LICENSE file for details
β¨ Acknowledgments
- Docker team for security tools and documentation
- CIS for the Docker Benchmark
- OWASP for security guidelines
- Anchore team for Syft and Grype (Lab 07)
- Sigstore project for Cosign (Lab 04)
- Open source security community
- CNCF for cloud native security standards
π§ Contact & Support
- Author: Shamsher Khan
- GitHub: @opscart
- Blog: @OpsCart
- Issues: Report issues
- Discussions: GitHub Discussions
Professional Background
- Senior DevOps Engineer
- IEEE Senior Member
- 15+ years IT experience
- 10+ years Cloud & DevOps specialization
- Published author on DZone and technical publications
π Star This Repository!
If you find this guide helpful:
- β Star the repository
- π Fork for your own learning
- π’ Share with your team
- π¬ Provide feedback
- π€ Contribute improvements
π What's Next?
Upcoming Labs (Planned)
- Lab 10: Runtime Security with Falco
- Lab 11: Kubernetes Security Fundamentals
- Lab 12: Container Registry Security
- Lab 13: Secrets Management with HashiCorp Vault
Stay Updated
- Watch this repository for updates
- Follow @opscart on GitHub
- Join discussions in the Issues tab
π― From fundamentals to advanced patterns, this guide has everything you need to secure your Docker deployments in production.
β If you find this guide helpful, please star the repository!
π Remember: Security is a journey, not a destination. Keep learning, keep improving!
Log in or sign up for Devpost to join the conversation.