- Run containers as a non-root user using the `USER` directive.
- Never embed secrets in environment variables at build time (`ENV`) or hardcode them in the Dockerfile; both persist in the image.
- Always append a `USER` directive with a non-root UID at the end of your Dockerfiles. Root inside a container is root on the host if the container runs privileged.
- Do not bake secrets (API keys, passwords) into the image via `ENV` or `ARG` statements; `ARG` values survive in the image history and `ENV` values in the image config. Use Docker BuildKit secrets (`RUN --mount=type=secret,...`) during the build so the value is available to the step that needs it without being written to a layer.
- Run the container with a read-only root filesystem (`docker run --read-only`) wherever possible, granting writable `--tmpfs` or volume mounts only where the application needs them, so an attacker who gains execution cannot drop or modify binaries inside the image.
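The following is an added example, not part of the original checklist: it constructs a weak Dockerfile and a hardened one that applies the `USER`, BuildKit-secret and read-only rules above, then runs a small lint over both. The image name, UID, secret id and `/tmp` path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original checklist: two constructed Dockerfiles
# (weak and hardened) and a small lint that checks them against the rules above.

# Constructed insecure Dockerfile: no USER directive, credentials via ARG/ENV.
WEAK_DOCKERFILE='FROM python:3.12-slim
ARG API_TOKEN=abc123
ENV DB_PASSWORD=hunter2
COPY app /app
CMD ["python", "/app/main.py"]'

# Constructed hardened Dockerfile: the secret is mounted only for the RUN step
# that needs it (build with: docker build --secret id=pip_token,src=./pip_token.txt .),
# never lands in a layer, and a non-root UID is the final USER directive.
HARD_DOCKERFILE='# syntax=docker/dockerfile:1
FROM python:3.12-slim
RUN useradd --uid 10001 --no-create-home app
COPY app /app
RUN --mount=type=secret,id=pip_token \
    PIP_INDEX_URL="https://token:$(cat /run/secrets/pip_token)@pypi.example.invalid/simple" \
    pip install --no-cache-dir -r /app/requirements.txt
USER 10001
CMD ["python", "/app/main.py"]'

# Run it with a read-only root filesystem; grant writable scratch space only
# where the app actually needs it (the tmpfs path is an assumption):
#   docker run --read-only --tmpfs /tmp:rw,noexec,nosuid myapp:latest

# lint_dockerfile DOCKERFILE_TEXT: prints one line per violated rule (nothing if clean).
lint_dockerfile() {
    # Rule: the last (uppercase) USER directive must exist and must not be root/UID 0.
    last_user=$(printf '%s\n' "$1" | awk '$1 == "USER" { u = $2 } END { print u }')
    case "$last_user" in
        ""|root|0|root:*|0:*) echo "no non-root USER directive at end of Dockerfile" ;;
    esac
    # Rule: ENV/ARG keys that look like credentials end up in image layers/history.
    if printf '%s\n' "$1" |
       grep -Eiq '^(ENV|ARG)[[:space:]]+[A-Z_]*(SECRET|PASSWORD|TOKEN|KEY)[A-Z_]*='; then
        echo "credential baked into image via ENV/ARG"
    fi
}

echo "--- weak ---";     lint_dockerfile "$WEAK_DOCKERFILE"
echo "--- hardened ---"; lint_dockerfile "$HARD_DOCKERFILE"
```

The lint is intentionally simple (uppercase directives, name-based secret heuristics); it is a guard rail for CI, not a substitute for a full Dockerfile scanner.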