{"id":2428,"date":"2025-08-28T13:18:33","date_gmt":"2025-08-28T13:18:33","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/28\/secure-by-design-a-shift-left-approach-with-testcontainers-docker-scout-and-hardened-images\/"},"modified":"2025-08-28T13:18:33","modified_gmt":"2025-08-28T13:18:33","slug":"secure-by-design-a-shift-left-approach-with-testcontainers-docker-scout-and-hardened-images","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/28\/secure-by-design-a-shift-left-approach-with-testcontainers-docker-scout-and-hardened-images\/","title":{"rendered":"Secure by Design: A Shift-Left Approach with Testcontainers, Docker Scout, and Hardened Images"},"content":{"rendered":"

In today\u2019s fast-paced world of software development, product teams are expected to move quickly: building features, shipping updates, and reacting to user needs in real-time. But moving fast should never mean compromising on quality or security.<\/p>\n

Thanks to modern tooling, developers can now maintain high standards while accelerating delivery. In a previous article, we explored how Testcontainers supports shift-left testing<\/a> by enabling fast and reliable integration tests within the inner dev loop. In this post, we\u2019ll look at the security side of this shift-left approach and how Docker can help move security earlier in the development lifecycle, using practical examples.<\/p>\n\n

A Shift-Left Approach: Testing a Movie Catalog API<\/h2>\n

We\u2019ll use a simple demo project<\/a> to walk through our workflow. This is a Node.js + TypeScript API backed by PostgreSQL and tested with Testcontainers.<\/p>\n

Movie API Endpoints:<\/p>\n

\n

Method<\/p>\n

Endpoint<\/p>\n

Description<\/p>\n\n

POST<\/p>\n

\/movies<\/p>\n

Add a new movie to the catalog<\/p>\n\n

GET<\/p>\n

\/movies<\/p>\n

Retrieve all movies, sorted by title<\/p>\n\n

GET<\/p>\n

\/movies\/search?q=\u2026<\/p>\n

Search movies by title or description (fuzzy match)<\/p>\n\n<\/div>\n

Before deploying this app to production, we want to make sure it functions correctly and is free from critical vulnerabilities.<\/p>\n

Shift-Left Testing with Testcontainers: Recap<\/h2>\n

We verify the application against a real PostgreSQL instance by using Testcontainers<\/a> to spin up containers for both the database and the application. A key advantage of Testcontainers is that it creates these containers dynamically during test execution. Another feature of the Testcontainers libraries is the ability to start containers directly from a Dockerfile. This allows us to run the containerized application along with any required services, such as databases, effectively reproducing the local environment needed to test the application at the API or end-to-end (E2E) level. This approach provides an additional layer of quality assurance and brings even more testing into the inner development loop.<\/p>\n

For a more detailed explanation of how Testcontainers enables a shift-left testing approach into the developer inner loop, refer to the introductory blog post<\/a>.<\/p>\n

Here\u2019s a beforeAll setup that prepares our test environment, including PostgreSQL and the application under development, started from the Dockerfile :<\/p>\n

\nbeforeAll(async () => {
\n const network = await new Network().start();
\n \/\/ 1. Start Postgres
\n db = await new PostgreSqlContainer(“postgres:17.4”)
\n .withNetwork(network)
\n .withNetworkAliases(“postgres”)
\n .withDatabase(“catalog”)
\n .withUsername(“postgres”)
\n .withPassword(“postgres”)
\n .withCopyFilesToContainer([
\n {
\n source: path.join(__dirname, “..\/dev\/db\/1-create-schema.sql”),
\n target: “\/docker-entrypoint-initdb.d\/1-create-schema.sql”
\n },
\n ])
\n .start();
\n \/\/ 2. Build movie catalog API container from the Dockerfile
\n const container = await GenericContainer
\n .fromDockerfile(“..\/movie-catalog”)
\n .withTarget(“final”)
\n .withBuildkit()
\n .build();
\n \/\/ 3. Start movie catalog API container with environment variables for DB connection
\n app = await container
\n .withNetwork(network)
\n .withExposedPorts(3000)
\n .withEnvironment({
\n PGHOST: “postgres”,
\n PGPORT: “5432”,
\n PGDATABASE: “catalog”,
\n PGUSER: “postgres”,
\n PGPASSWORD: “postgres”,
\n })
\n .withWaitStrategy(Wait.forListeningPorts())
\n .start();
\n }, 120000);\n<\/div>\n

We can now test the movie catalog API:<\/p>\n

\nit(“should create and retrieve a movie”, async () => {
\n const baseUrl = `http:\/\/${app.getHost()}:${app.getMappedPort(3000)}`;
\n const payload = {
\n title: “Interstellar”,
\n director: “Christopher Nolan”,
\n genres: [“sci-fi”],
\n releaseYear: 2014,
\n description: “Space and time exploration”
\n };\n

const response = await axios.post(`${baseUrl}\/movies`, payload);
\n expect(response.status).toBe(201);
\n expect(response.data.title).toBe(“Interstellar”);
\n }, 120000);\n<\/p><\/div>\n

This approach allows us to validate that:<\/p>\n

The application is properly containerized and starts successfully.<\/p>\n

The API behaves correctly in a containerized environment with a real database.<\/p>\n

However, that\u2019s just one part of the quality story. Now, let\u2019s turn our attention to the security aspects of the application under development.<\/p>\n\n

Introducing Docker Scout and Docker Hardened Images\u00a0<\/h2>\n

To follow modern best practices, we want to containerize the app<\/a> and eventually deploy it to production. Before doing so, we must ensure the image is secure by using Docker Scout<\/a>.<\/p>\n

Our Dockerfile takes a multi-stage build approach and is based on the node:22-slim image.<\/p>\n

\n###########################################################
\n# Stage: base
\n# This stage serves as the base for all of the other stages.
\n# By using this stage, it provides a consistent base for both
\n# the dev and prod versions of the image.
\n###########################################################
\nFROM node:22-slim AS base
\nWORKDIR \/usr\/local\/app
\nRUN useradd -m appuser && chown -R appuser \/usr\/local\/app
\nUSER appuser
\nCOPY –chown=appuser:appuser package.json package-lock.json .\/\n

###########################################################
\n# Stage: dev
\n# This stage is used to run the application in a development
\n# environment. It installs all app dependencies and will
\n# start the app in a dev mode that will watch for file changes
\n# and automatically restart the app.
\n###########################################################
\nFROM base AS dev
\nENV NODE_ENV=development
\nRUN npm ci –ignore-scripts
\nCOPY –chown=appuser:appuser .\/src .\/src
\nEXPOSE 3000
\nCMD [“npx”, “nodemon”, “src\/app.js”]<\/p>\n

###########################################################
\n# Stage: final
\n# This stage serves as the final image for production. It
\n# installs only the production dependencies.
\n###########################################################
\n# Deps: install only prod deps
\nFROM base AS prod-deps
\nENV NODE_ENV=production
\nRUN npm ci –production –ignore-scripts && npm cache clean –force
\n# Final: clean prod image
\nFROM base AS final
\nWORKDIR \/usr\/local\/app
\nCOPY –from=prod-deps \/usr\/local\/app\/node_modules .\/node_modules
\nCOPY .\/src .\/src
\nEXPOSE 3000
\nCMD [ “node”, “src\/app.js” ]\n<\/p><\/div>\n

Let\u2019s build our image with SBOM and provenance metadata. First, make sure that the containerd image store is enabled in Docker Desktop<\/a>. We\u2019ll also use the buildx command ( a Docker CLI plugin that extends the docker build) with the \u2013provenance=true \u00a0and \u2013sbom=true flags. These options attach build attestations<\/a> to the image, which Docker Scout uses to provide more detailed and accurate security analysis.<\/p>\n

\ndocker buildx build –provenance=true –sbom=true -t movie-catalog-service:v1 .\n<\/div>\n

Then set up a Docker organization with security policies and scan the image with Docker Scout:\u00a0<\/p>\n

\ndocker scout config organization demonstrationorg
\ndocker scout quickview movie-catalog-service:v1\n<\/div>\n
<\/div>\n

Figure 1: Docker Scout cli quickview output for node:22 based movie-catalog-service image<\/em><\/p>\n

Docker Scout also offers a visual analysis via Docker Desktop.<\/p>\n

<\/div>\n

Figure 2: Image layers and CVEs view in Docker Desktop for node:22 based movie-catalog-service image<\/em><\/p>\n

In this example, no vulnerabilities were found in the application layer. However, several CVEs were introduced by the base node:22-slim image, including a high-severity CVE-2025-6020, a vulnerability present in Debian 12. This means that any Node.js image based on Debian 12 inherits this vulnerability. A common way to address this is by switching to an Alpine-based Node image, which does not include this CVE. However, Alpine uses musl libc instead of glibc, which can lead to compatibility issues depending on your application\u2019s runtime requirements and deployment environment.<\/p>\n

So, what\u2019s a more secure and compatible alternative?<\/p>\n

That\u2019s where Docker Hardened Images (DHI)<\/a> come in. These images follow a distroless philosophy, removing unnecessary components to significantly reduce the attack surface. The result? Smaller images that pull faster, run leaner, and provide a secure-by-default foundation for production workloads:<\/p>\n

Near-zero exploitable CVEs: Continuously updated, vulnerability-scanned, and published with signed attestations to minimize patch fatigue and eliminate false positives.<\/p>\n

Seamless migration: Drop-in replacements for popular base images, with -dev variants available for multi-stage builds.<\/p>\n

Up to 95% smaller attack surface: Unlike traditional base images that include full OS stacks with shells and package managers, distroless images retain only the essentials needed to run your app.<\/p>\n

Built-in supply chain security: Each image includes signed SBOMs, VEX documents, and SLSA provenance for audit-ready pipelines.<\/p>\n

For developers, DHI means fewer CVE-related disruptions, faster CI\/CD pipelines, and trusted images you can use with confidence.<\/p>\n

Making the Switch to Docker Hardened Images<\/h2>\n

Switching to a Docker Hardened Image is straightforward. All we need to do is replace the base image node:22-slim with a DHI equivalent.<\/p>\n

Docker Hardened Images come in two variants:<\/p>\n

Dev variant (demonstrationorg\/dhi-node:22-dev) \u2013 includes a shell and package managers, making it suitable for building and testing.<\/p>\n

Runtime variant (demonstrationorg\/dhi-node:22) \u2013 stripped down to only the essentials, providing a minimal and secure footprint for production.<\/p>\n

This makes them perfect for use in multi-stage Dockerfiles. We can build the app in the dev image, then copy the built application into the runtime image, which will serve as the base for production.<\/p>\n

Here\u2019s what the updated Dockerfile would look like:<\/p>\n

\n###########################################################
\n# Stage: base
\n# This stage serves as the base for all of the other stages.
\n# By using this stage, it provides a consistent base for both
\n# the dev and prod versions of the image.
\n###########################################################
\n# Changed node:22 to dhi-node:22-dev
\nFROM demonstrationorg\/dhi-node:22-dev AS base
\nWORKDIR \/usr\/local\/app
\n# DHI comes with nonroot user built-in.
\nCOPY –chown=nonroot package.json package-lock.json .\/\n

###########################################################
\n# Stage: dev
\n# This stage is used to run the application in a development
\n# environment. It installs all app dependencies and will
\n# start the app in a dev mode that will watch for file changes
\n# and automatically restart the app.
\n###########################################################
\nFROM base AS dev
\nENV NODE_ENV=development
\nRUN npm ci –ignore-scripts
\n# DHI comes with nonroot user built-in.
\nCOPY –chown=nonroot .\/src .\/src
\nEXPOSE 3000
\nCMD [“npx”, “nodemon”, “src\/app.js”]<\/p>\n

###########################################################
\n# Stage: final
\n# This stage serves as the final image for production. It
\n# installs only the production dependencies.
\n###########################################################
\n# Deps: install only prod deps
\nFROM base AS prod-deps
\nENV NODE_ENV=production
\nRUN npm ci –production –ignore-scripts && npm cache clean –force
\n# Final: clean prod image
\n# Changed base to dhi-node:22
\nFROM demonstrationorg\/dhi-node:22 AS final
\nWORKDIR \/usr\/local\/app
\nCOPY –from=prod-deps \/usr\/local\/app\/node_modules .\/node_modules
\nCOPY .\/src .\/src
\nEXPOSE 3000
\nCMD [ “node”, “src\/app.js” ]\n<\/p><\/div>\n

Let\u2019s rebuild and scan the new image:<\/p>\n

\ndocker buildx build –provenance=true –sbom=true -t movie-catalog-service-dhi:v1 .
\ndocker scout quickview movie-catalog-service-dhi:v1\n<\/div>\n
<\/div>\n

Figure 3: Docker Scout cli quickview output for dhi-node:22 based movie-catalog-service image<\/em><\/p>\n\n

As you can see, all critical and high CVEs are gone, thanks to the clean and minimal footprint of the Docker Hardened Image.<\/p>\n

One of the key benefits of using DHI is the security SLA it provides. If a new CVE is discovered, the DHI team commits to resolving:<\/p>\n

Critical and high vulnerabilities within 7 days of a patch becoming available,<\/p>\n

Medium and low vulnerabilities within 30 days.<\/p>\n

This means you can significantly reduce your CVE remediation burden and give developers more time to focus on innovation and feature development instead of chasing vulnerabilities.<\/p>\n

Comparing images with Docker Scout<\/h2>\n

Let\u2019s also look at the image size and package count advantages of using distroless Hardened Images.<\/p>\n

Docker Scout offers a helpful command docker scout compare , that allows you to analyze and compare two images. We\u2019ll use it to evaluate the difference in size and package footprint between node:22-slim and dhi-node:22 based images.<\/p>\n

\ndocker scout compare local:\/\/movie-catalog-service:v1 –to local:\/\/movie-catalog-service-dhi:v1\n<\/div>\n
<\/div>\n

Figure 4: Comparison of the node:22 and dhi-node:22 based movie-catalog-service images<\/em><\/p>\n\n

As you can see, the original node:22-slim based image was 80 MB in size and included 427 packages, while the dhi-node:22 based image is just 41 MB with only 123 packages.\u00a0<\/p>\n

By switching to a Docker Hardened Image, we reduced the image size by nearly 50 percent and cut down the number of packages by more than three times, significantly reducing the attack surface.<\/p>\n

Final Step: Validate with local API tests<\/h2>\n

Last but not least, after migrating to a DHI base image, we should verify that the application still functions as expected.<\/p>\n

Since we\u2019ve already implemented Testcontainers-based tests, we can easily ensure that the API remains accessible and behaves correctly.<\/p>\n

Let\u2019s run the tests using the npm test command.\u00a0<\/p>\n

<\/div>\n

Figure 5: Local API test execution results<\/em><\/p>\n\n

As you can see, the container was built and started successfully. In less than 20 seconds, we were able to verify that the application functions correctly and integrates properly with Postgres.<\/p>\n

At this point, we can push the changes to the remote repository, confident that the application is both secure and fully functional, and move on to the next task.\u00a0<\/p>\n

Further integration with external security tools<\/h2>\n

In addition to providing a minimal and secure base image, Docker Hardened Images include a comprehensive set of attestations. These include a Software Bill of Materials (SBOM), which details all components, libraries, and dependencies used during the build process, as well as Vulnerability Exploitability eXchange (VEX). VEX offers contextual insights into vulnerabilities, specifying whether they are actually exploitable in a given environment, helping teams prioritize remediation.<\/p>\n

Let\u2019s say you\u2019ve committed your code changes, built the application, and pushed a container image. Now you want to verify the security posture using an external scanning tool you already use, such as Grype or Trivy. That requires vulnerability information in a compatible format, which Docker Scout can generate for you.<\/p>\n

First, you can view the list of available attestations using the docker scout attest command:<\/p>\n

\ndocker scout attest list demonstrationorg\/movie-catalog-service-dhi:v1 –platform linux\/arm64\n<\/div>\n

This command returns a detailed list of attestations bundled with the image. For example, you might see two OpenVEX files: one for the DHI base image and another for any custom exceptions (like no-dsa) specific to your image.<\/p>\n

Then, to integrate this information with external tools, you can export the VEX data into a vex.json file. Starting Docker Scout v1.18.3 you can use the docker scout vex get command to get the merged VEX document from all VEX attestations:<\/p>\n

\ndocker scout vex get demonstrationorg\/movie-catalog-service-dhi:v1 –output vex.json\n<\/div>\n

This generates a vex.json file containing all VEX statements for the specified image. Tools that support VEX can then use this file to suppress known non-exploitable CVEs.<\/p>\n

To use the VEX information with Grype or Trivy, pass the \u2013vex flag during scanning:<\/p>\n

\ntrivy image demonstrationorg\/movie-catalog-service-dhi:v1 –vex vex.json\n<\/div>\n

This ensures your security scanning results are consistent across tools, leveraging the same set of vulnerability contexts provided by Docker Scout.<\/p>\n

Conclusion<\/h2>\n

Shifting left is about more than just early testing. It\u2019s a proactive mindset for building secure, production-ready software from the beginning.<\/p>\n

This shift-left approach combines:<\/p>\n

Real infrastructure testing using Testcontainers<\/p>\n

End-to-end supply chain visibility and actionable insights with Docker Scout<\/p>\n

Trusted, minimal base images through Docker Hardened Images<\/p>\n

Together, these tools help catch issues early, improve compliance, and reduce security risks in the software supply chain.<\/p>\n

Learn more and request access to Docker Hardened Images!<\/a><\/p>","protected":false},"excerpt":{"rendered":"

In today\u2019s fast-paced world of software development, product teams are expected to move quickly: building features, shipping updates, and reacting […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[],"class_list":["post-2428","post","type-post","status-publish","format-standard","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2428"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2428\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}