{"id":2383,"date":"2025-08-15T18:15:11","date_gmt":"2025-08-15T18:15:11","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/15\/a-practitioners-view-on-how-docker-enables-security-by-default-and-makes-developers-work-better\/"},"modified":"2025-08-15T18:15:11","modified_gmt":"2025-08-15T18:15:11","slug":"a-practitioners-view-on-how-docker-enables-security-by-default-and-makes-developers-work-better","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/15\/a-practitioners-view-on-how-docker-enables-security-by-default-and-makes-developers-work-better\/","title":{"rendered":"A practitioner\u2019s view on how Docker enables security by default and makes developers work better"},"content":{"rendered":"<p><em>This blog post was written by Docker Captains, experienced professionals recognized for their expertise with Docker. It shares their firsthand, real-world experiences using Docker in their own work or within the organizations they lead. Docker Captains are technical experts and passionate community builders who drive Docker\u2019s ecosystem forward. As active contributors and advocates, they share Docker knowledge and help shape Docker products. To learn more about becoming a Docker Captain, or to get in touch with one, visit <\/em><a href=\"https:\/\/www.docker.com\/community\/captains\/\"><em>the Docker Captains\u2019 website<\/em><\/a><em>.<\/em><\/p>\n<p>Security has been a primary concern for organizations of every kind, across every era of technology: first mainframes, then servers, then the cloud, each with its public and private variants. With each evolution, security concerns grew and became harder to satisfy.<\/p>\n<p>Once we advanced into the world of distributed systems, security teams had to keep pace with an environment that changed much faster. 
New programming languages, new libraries, new packages, new images, new everything.<\/p>\n<p>To handle security correctly, security engineers need a strong, well-designed security architecture that never degrades <strong><em>Developer Experience<\/em><\/strong>. And that\u2019s where Docker comes in.<\/p>\n<h2 class=\"wp-block-heading\">Container Security Basics<\/h2>\n<p><a href=\"https:\/\/www.docker.com\/blog\/container-security-and-why-it-matters\/\">Container security<\/a> covers a wide range of topics; the field is so broad that entire books have been written about it. But in an enterprise environment we can narrow it down to a few topics that need to be prioritized:<\/p>\n<ul>\n<li>Artifacts<\/li>\n<li>Code<\/li>\n<li>Build file (e.g. Dockerfile) creation<\/li>\n<li>Vulnerability management<\/li>\n<li>Culture\/Processes<\/li>\n<\/ul>\n<p>Let\u2019s look at each of these topics in more depth.<\/p>\n<h3 class=\"wp-block-heading\">Artifacts<\/h3>\n<p>This is the first step to a secure environment: having trustworthy resources available for your engineers.<\/p>\n<p>To reduce friction between security teams and developers, security engineers have to make secure resources available, so developers can simply pull their images, libraries and other dependencies and start using them in their systems.<\/p>\n<p><a href=\"https:\/\/www.docker.com\/products\/hardened-images\/\">Docker Hardened Images<\/a> (covered a couple of sections below) can help you with that.<\/p>\n<p>In enterprise environments, we usually see a centralized repository for approved artifacts. 
This helps teams control which components are used in their environments, and it tells developers where to look when they need something.<\/p>\n<h3 class=\"wp-block-heading\">Code<\/h3>\n<p>Everything really starts with the code that\u2019s written. Problematic code pushed into production might not seem bad at first, but in the long run it will cause you a lot of trouble.<\/p>\n<p>In security, every surface has to be considered. We can write the most secure build file in the world, have the most robust process for managing assets and great IAM (Identity and Access Management) workflows, and still be exposed if our code isn\u2019t well written.<\/p>\n<p>Rather than relying only on the developer\u2019s expertise, we need guardrails that identify and mitigate problems as they appear. This adds a second layer of protection over all the work that\u2019s done, and tooling catches mistakes developers might not see at first.<\/p>\n<p>Well-trained developers, plus the right controls in the CI\/CD pipelines our code goes through, let us rest easy at night knowing we\u2019re not sending bad code into production.<\/p>\n<p>A few controls that can be applied to the pipelines:<\/p>\n<ul>\n<li>SCA (Software Composition Analysis)<\/li>\n<li>SAST\/DAST\/IAST (static, dynamic and interactive application security testing)<\/li>\n<li>Secret Scanning<\/li>\n<li>Dependency Scanning<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">Build file<\/h3>\n<p>At the beginning of the SDLC (Software Development Life-Cycle) our engineers create their build file (usually a <strong>Dockerfile<\/strong>) to download their application\u2019s dependencies and turn it into a container image.<\/p>\n<p>Creating a build file is easy, as it\u2019s just a sequence of steps: download something (e.g. a package or a library), install it, create a folder or a file, then download the next component, install it, and so on until all the steps have been completed. 
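<\/p>\n<p>Here is an added example, not code from the original post: a small shell check for the three guardrails this section calls for (no hard-coded secrets, no root user, no sensitive files copied in), run against a constructed \u201cbefore\u201d Dockerfile and a hardened \u201cafter\u201d version. The file names, the <code>app<\/code> user and the <code>pip_extra_index<\/code> secret id are assumptions chosen for the illustration.<\/p>
```sh
#!/bin/sh
# Added example, not from the original post: a pre-commit style check for the
# three Dockerfile guardrails discussed in this section. Needs only a POSIX
# shell, grep and awk. Both Dockerfiles below are constructed samples.

# lint_dockerfile FILE: print one line per finding; return 1 if anything was found.
lint_dockerfile() {
  f=$1
  rc=0

  # 1. Hard-coded secrets: ENV/ARG whose name looks like a credential and whose
  #    value is a literal. A reference such as $TOKEN is allowed through.
  if grep -Eiq '^(ENV|ARG)[[:space:]]+[A-Z0-9_]*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY)[A-Z0-9_]*[=[:space:]]+[^$[:space:]]' $f; then
    echo $f': credential-looking ENV/ARG with a literal value'
    rc=1
  fi

  # 2. Running as root: no USER instruction at all, or the last one is root/0.
  last_user=$(awk 'toupper($1) ~ /^USER$/ { u = $2 } END { print u }' $f)
  case $last_user in
    ''|root|0|root:*|0:*)
      echo $f': runs as root (last USER instruction: '${last_user:-none}')'
      rc=1 ;;
  esac

  # 3. Sensitive files copied into a layer. Deleting them in a later RUN does
  #    not help: the earlier layer still carries the file.
  if grep -Eiq '^(COPY|ADD)[[:space:]].*([.]env|[.]pem|[.]key|id_rsa|[.]p12|[.]pfx|credentials)' $f; then
    echo $f': COPY/ADD of a sensitive-looking file'
    rc=1
  fi
  return $rc
}

tmp=$(mktemp -d)
BEFORE=$tmp/before.Dockerfile
AFTER=$tmp/after.Dockerfile

# Constructed 'before': a typical first attempt that fails all three checks.
cat > $BEFORE <<'EOF'
FROM python:3.12-slim
ENV DB_PASSWORD=changeme
WORKDIR /app
COPY .env /app/.env
COPY . /app
RUN pip install --no-cache-dir -r requirements.txt
CMD python app.py
EOF

# Constructed 'after': the build-time credential is read from a BuildKit secret
# mount (never stored in a layer), the process runs as an unprivileged user,
# and nothing sensitive is copied (pair COPY . . with a .dockerignore).
cat > $AFTER <<'EOF'
# syntax=docker/dockerfile:1
FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt .
RUN --mount=type=secret,id=pip_extra_index PIP_EXTRA_INDEX_URL=$(cat /run/secrets/pip_extra_index) pip install --no-cache-dir -r requirements.txt
COPY . .
RUN adduser --system --group --no-create-home app && chown -R app:app /app
USER app
CMD python app.py
EOF

# A CI step would run this and block the merge on a non-zero exit status.
for df in $BEFORE $AFTER; do
  if lint_dockerfile $df; then echo $df': OK'; else echo $df': REJECTED'; fi
done
```
<p>The \u201cafter\u201d Dockerfile expects the credential to be supplied at build time with <code>docker build --secret id=pip_extra_index,src=.\/pip_index_url .<\/code>, so it never lands in a layer, and its <code>COPY . .<\/code> relies on a <code>.dockerignore<\/code> that lists <code>.env<\/code> and similar files. The check is deliberately simple pattern matching: a dedicated linter such as hadolint covers far more rules, and Docker Scout (below) covers the packages inside the built image rather than the build file itself.<\/p>\n<p>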
But even though the defaults usually get the job done, they do not apply the security guardrails and best practices for you. Because of that, you need to be careful about what gets pushed into production.<\/p>\n<p>While writing a build file, it\u2019s crucial to ensure:<\/p>\n<ul>\n<li>That no secrets are hard-coded in it: a credential passed through <code>ENV<\/code> or an <code>ARG<\/code> default is recorded in the image layers and history, so build-time credentials belong in a build secret and runtime credentials in the runtime environment;<\/li>\n<li>That the container is not configured to run as root: container root is normally host uid 0, so a breakout, a kernel bug or a mounted host resource then hands the attacker root on the host;<\/li>\n<li>That no sensitive files (certificates, credentials, <code>.env<\/code> files) are copied into the image, since a file deleted in a later layer is still present in the earlier one.<\/li>\n<\/ul>\n<p>Taking these steps at the beginning and starting strong keeps the rest of the SDLC minimally exposed.<\/p>\n<h3 class=\"wp-block-heading\">Vulnerability management<\/h3>\n<p>Now we move away from the code and artifacts our engineers deliver.<\/p>\n<p>Vulnerabilities can be found in everything: in technologies, in processes, everywhere. We need good vulnerability management to keep the engine going.<\/p>\n<p>Companies need well-established processes to identify vulnerabilities as they appear, fix them and, when needed, accept them. Usually there are internally developed frameworks for deciding whether a risk is worth taking or should be fixed before moving on.<\/p>\n<p>Those vulnerabilities can be new or already known. They can be in the libraries used in the code, in the container images used by our systems and in the versions of the solutions used in our environment.<\/p>\n<p>They are everywhere. Be sure to identify them, keep a register of them and fix them when needed.<\/p>\n<h3 class=\"wp-block-heading\">Culture\/Processes<\/h3>\n<p>Technology is not the only risk to enterprise security. 
Poorly trained engineers and bad processes also represent a real threat to a company\u2019s security posture.<\/p>\n<p>A flaw in a process might result in the wrong code being pushed into production, or in the wrong version of a container image being used in a system.<\/p>\n<p>If we consider how people, processes and technology are related, we can see why a problem in the vulnerability assessment of a library might end in an entire cluster being compromised, or why a role wrongly assigned to a user presents a serious risk to the integrity of an entire cloud environment.<\/p>\n<p><em>These are exaggerated examples, but they show that in tech everything is connected, even when we don\u2019t see it.<\/em><\/p>\n<p>That\u2019s why processes are so important. Solid processes mean we focus on defined outcomes instead of on pleasing stakeholders. It\u2019s important to take feedback into account and adjust as we move forward, but we need to ensure these processes are followed, even when there isn\u2019t unanimous agreement.<\/p>\n<p>To establish successful processes, we have to:<\/p>\n<ul>\n<li>Design guardrails<\/li>\n<li>Implement steps<\/li>\n<li>Train teams<\/li>\n<li>Repeat<\/li>\n<\/ul>\n<p>That\u2019s the only way to enable teams effectively.<\/p>\n<h2 class=\"wp-block-heading\">How Docker protects engineers and companies<\/h2>\n<p>Docker has been an ally of software engineers and security teams for a while now. 
Not only by enabling the success of distributed systems, but also by improving how developers write and containerize their applications.<\/p>\n<p>As the Docker platform evolved, security was treated as the number one priority, just as it is for Docker\u2019s customers.<\/p>\n<p>Today, developers have access to different Docker security solutions in different parts of the platform.<\/p>\n<h3 class=\"wp-block-heading\">Docker Scout<\/h3>\n<p><a href=\"https:\/\/www.docker.com\/products\/docker-scout\/\">Docker Scout<\/a> is a service created by Docker to analyze container images, layer by layer, for known vulnerabilities. It checks the packages it finds against publicly known CVEs and reports the matches for the image. To help with mitigation, Docker Scout also marks each vulnerability as \u201cfixable\u201d or not, i.e. whether a package version carrying the fix is available.<\/p>\n<p>This is very useful in a corporate environment because it lets security teams recognize the risk an image brings to the organization and decide whether that amount of risk can be accepted.<\/p>\n<p>We all love the CLI, but sometimes a GUI (Graphical User Interface) helps. Docker knows what developers like, and for that reason Scout is available in both. 
Your developers can scan their images and see a quick summary in their terminal (<code>docker scout quickview IMAGE<\/code> for the summary, <code>docker scout cves IMAGE<\/code> for the full list), or they can use Docker Desktop to see a complete report with links and explanations for the vulnerabilities found in their image.<\/p>\n<p><em>Docker Scout terminal report<\/em><\/p>\n<p><em>Docker Scout Desktop report<\/em><\/p>\n<p>With those reports in hand, users can make smarter choices when adopting libraries and packages into their applications, and can work closely with the security teams for faster feedback on whether a technology is safe to use.<\/p>\n<h3 class=\"wp-block-heading\">Docker Hardened Images<\/h3>\n<p>Turning now to giving engineers and companies safe, recommended resources, Docker recently announced <a href=\"https:\/\/www.docker.com\/products\/hardened-images\/\">Docker Hardened Images<\/a> (DHI), a catalog of near-zero-CVE, optimized images to build your applications on.<\/p>\n<p>Even though large organizations commonly run private container registries for vetted images and dependencies, DHI gives security teams a safer starting point, since the images have been through extensive examination and auditing.<\/p>\n<p><em>Docker Hardened Images report<\/em><\/p>\n<p>DHI is a very helpful resource not only for enterprises but also for independent and open source developers. Docker-backed images make the internet and the cloud safer, allowing businesses to build trustworthy and reliable platforms for their customers.<\/p>\n<p>From an engineer\u2019s perspective, the true value of Docker Hardened Images is the trust we place in Docker and the value this security-ready solution brings us. Managing image security is hard if you have to do it all yourself. 
It\u2019s hard to keep images ready to use, and the difficulty only increases when our developers request newer versions every day. By using Hardened Images, we can give our end users (developers and engineers) the latest versions of the most popular solutions while offloading work from the security team.<\/p>\n<h2 class=\"wp-block-heading\">Final Thoughts<\/h2>\n<p>We can approach security in many different ways; the main thing is that security CANNOT slow down engineers. We need to design our controls so that they cover everything, closing every gap identified, while still letting developers deliver code fast.<\/p>\n<p>Guarantee your engineers the best of both worlds with Docker.<\/p>\n<h3 class=\"wp-block-heading\">Get in touch with the authors:<\/h3>\n<p>Pedro Ign\u00e1cio:<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/pedroirufo\/\" target=\"_blank\">LinkedIn<\/a><\/p>\n<p><a href=\"https:\/\/pedroignacio.dev\/\" target=\"_blank\">Blog<\/a><\/p>\n<p>Denis Rodrigues:<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/denis-rodrigues-1b639537\/\" target=\"_blank\">LinkedIn<\/a><\/p>\n<p><a href=\"https:\/\/medium.com\/@deniscruzrodrigues\" target=\"_blank\">Blog<\/a><\/p>\n<h3 class=\"wp-block-heading\">Learn more about Docker\u2019s security solutions:<\/h3>\n<p><a href=\"https:\/\/www.docker.com\/products\/docker-desktop\/\">Docker Desktop<\/a><\/p>\n<p><a href=\"https:\/\/www.docker.com\/products\/docker-scout\/\">Docker Scout<\/a><\/p>\n<p><a href=\"https:\/\/www.docker.com\/products\/hardened-images\/\">Docker Hardened Images<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>This blog post was written by Docker Captains, experienced professionals recognized for their expertise with Docker. 
It shares their firsthand, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2383","post","type-post","status-publish","format-standard","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2383"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2383\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}