Containers are everywhere in 2026. Docker, Kubernetes, serverless platforms that are containers underneath. This module covers the security concerns specific to the container layer, separate from the Kubernetes module (Cloud Security M4), which focused on orchestration. Here: image supply chain, runtime isolation, secrets, and container escape.
What a container is (and isn’t)
A container is a Linux process with namespaces (isolated view of processes, network, filesystem, users) and cgroups (resource limits). It is not a VM. There’s no hypervisor. A container shares the host kernel.
Implication: kernel vulnerabilities compromise containers. A container escape means a process breaks out of its namespace isolation and reaches the host.
Image supply chain
Every container starts from an image. Every image has a base (Ubuntu, Alpine, Debian, scratch). Every image has layers. Supply-chain concerns:
- Base image freshness: pin to specific digest, rebuild regularly against patched bases
- Layer analysis: scan each layer for CVEs (Trivy, Grype)
- Unnecessary packages: every package is attack surface; use minimal bases
- Registry provenance: pull from trusted registries, verify signatures
- Image signing: Cosign, Notary v2; verify provenance at deploy time
# Scan an image with Trivy
trivy image --severity CRITICAL,HIGH nginx:1.25
# Pin to digest (immutable) in the Dockerfile, instead of FROM nginx:latest
FROM nginx@sha256:a1b2c3d4...
# Sign an image with Cosign
cosign sign --key cosign.key myregistry/myapp:v1
# Verify at deploy
cosign verify --key cosign.pub myregistry/myapp:v1
Dockerfile hardening
- Non-root user: add a USER directive; never run as root inside the container
- Minimal base: distroless, Alpine, scratch where possible
- Multi-stage builds: compile in one stage, copy binary to clean runtime stage
- No secrets in layers: don’t put secrets in COPY / ENV instructions (they persist in image history)
- Health checks: HEALTHCHECK directive for runtime reliability
- Read-only root filesystem: docker run --read-only; writable tmpfs only where needed
Runtime isolation: the security boundary
By default, Docker runs containers with significant capabilities and limited isolation. Harden every production container:
# Full hardening
# Flags are kept in a bash array so each one can carry a comment
# (a comment after a trailing backslash breaks the line continuation).
args=(
  --user 1000:1000                        # non-root
  --read-only                             # rootfs read-only
  --tmpfs /tmp:rw,noexec,nosuid           # writable tmp with restrictions
  --cap-drop ALL                          # drop all capabilities
  --cap-add NET_BIND_SERVICE              # add only what's needed
  --security-opt no-new-privileges        # prevent suid escalation
  --security-opt seccomp=profile.json     # system-call filter
  --security-opt apparmor=docker-default  # AppArmor profile
)
docker run "${args[@]}" myimage
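The flags above can be verified on running containers by auditing `docker inspect` output. This is an added example, not part of the original module; the sample JSON is constructed, and the container names and the allowed-capability set are assumptions.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE_INSPECT = json.loads("""
[{"Name": "/hardened", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
                 "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
                 "SecurityOpt": ["no-new-privileges", "apparmor=docker-default"]}},
 {"Name": "/default", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": false,
                 "CapDrop": null, "CapAdd": null, "SecurityOpt": null}}]
""")

ALLOWED_CAPS = {"NET_BIND_SERVICE"}  # assumption: the only capability the workload needs
NNP_FORMS = {"no-new-privileges", "no-new-privileges:true", "no-new-privileges=true"}


def _caps(values):
    """Normalise capability names: upper-case, without the CAP_ prefix."""
    names = (c.upper() for c in values or [])
    return {c[4:] if c.startswith("CAP_") else c for c in names}


def audit(container, allowed_caps=ALLOWED_CAPS):
    """Return hardening findings for one `docker inspect` entry (empty list = clean)."""
    host = container.get("HostConfig") or {}
    opts = host.get("SecurityOpt") or []
    user = ((container.get("Config") or {}).get("User") or "").split(":")[0]
    findings = []
    if host.get("Privileged"):
        findings.append("privileged mode")
    if user in ("", "0", "root"):  # empty User means the process runs as root
        findings.append("runs as root")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem")
    if "ALL" not in _caps(host.get("CapDrop")):
        findings.append("--cap-drop ALL missing")
    extra = sorted(_caps(host.get("CapAdd")) - allowed_caps)
    if extra:
        findings.append("unexpected capabilities: " + ",".join(extra))
    if not NNP_FORMS & set(opts):
        findings.append("no-new-privileges not set")
    # No seccomp/AppArmor entry means Docker's defaults apply; flag only opt-outs.
    for opt in opts:
        if opt.replace(":", "=") in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append("confinement disabled: " + opt)
    return findings


if __name__ == "__main__":
    for c in SAMPLE_INSPECT:
        print(c["Name"], audit(c) or "OK")
```

To audit live containers, feed `audit()` the parsed output of `docker inspect` for each container ID instead of the constructed sample.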
Capabilities: the privilege lever
Linux capabilities split root’s “do anything” into granular privileges. A container without capabilities is a nearly-harmless Linux process. Drop all, add only what’s required.