11.1 Image Security
A focused guide to Image Security, connecting core concepts with practical Docker and container operations.
Image security covers the practices specifically focused on the container image itself — where it comes from, what known vulnerabilities its installed packages might carry, and how minimal its actual content is — distinct from runtime security concerns that apply once a container built from that image is actually running.
Why the Image Is the Starting Point for Security
Every container's security posture begins with the image it's built from — a compromised or vulnerable base image carries that risk forward into every container subsequently created from it.
FROM node:20-alpine
Choosing a well-maintained, minimal, official base image is the first and most foundational image security decision a Dockerfile makes.
Scanning for Known Vulnerabilities
Regularly scanning an image's installed packages against a known vulnerability database surfaces issues that should be addressed before deployment.
docker scout cves myapp:1.0
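A scan is only useful if its output drives a decision before the image ships. The following Python is an added example, not part of this guide and not Docker Scout's own output format: it turns a list of findings into a deploy verdict by blocking on fixable findings at or above a severity threshold, honouring time-limited risk acceptances, and keeping findings with no fix available visible without blocking. The record shape, the EXAMPLE-CVE identifiers, the package versions and the exception list are all constructed for the example.

```python
from datetime import date

# Severity order used for the threshold comparison.
SEVERITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings. The record shape (id, severity, package,
# fixed_version) is an assumption for this example, not docker scout's format.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-CVE-1", "severity": "critical", "package": "libssl3", "fixed_version": "3.1.4-r5"},
    {"id": "EXAMPLE-CVE-2", "severity": "high", "package": "zlib", "fixed_version": None},
    {"id": "EXAMPLE-CVE-3", "severity": "medium", "package": "busybox", "fixed_version": "1.36.1-r15"},
    {"id": "EXAMPLE-CVE-4", "severity": "high", "package": "curl", "fixed_version": "8.5.0-r0"},
]

# Constructed risk acceptances: finding id -> last day the acceptance is valid.
SAMPLE_EXCEPTIONS = {
    "EXAMPLE-CVE-4": date(2099, 1, 1),   # still valid
    "EXAMPLE-CVE-1": date(2020, 1, 1),   # expired, no longer suppresses anything
}

# Constructed evaluation date so the verdict is reproducible.
SAMPLE_TODAY = date(2024, 6, 1)


def gate(findings, exceptions, today, min_severity="high"):
    """Sort findings into blocking, accepted, deferred (no fix yet) and below-threshold.

    Only findings with a fix available can block: an unfixable finding cannot be
    removed by rebuilding, so it is reported as deferred and tracked instead.
    """
    threshold = SEVERITY_RANK[min_severity]
    result = {"blocking": [], "accepted": [], "deferred": [], "below": []}
    for f in findings:
        if SEVERITY_RANK.get(f["severity"].lower(), 0) < threshold:
            result["below"].append(f)
        elif not f.get("fixed_version"):
            result["deferred"].append(f)
        elif f["id"] in exceptions and today <= exceptions[f["id"]]:
            result["accepted"].append(f)
        else:
            result["blocking"].append(f)
    return result


def exit_code(result):
    """CI-style verdict: 0 lets the push or deploy proceed, 1 stops it."""
    return 1 if result["blocking"] else 0


def report(result):
    """One line per finding, grouped by bucket, for the build log."""
    lines = []
    for bucket, items in result.items():
        for f in items:
            fix = f.get("fixed_version") or "no fix available"
            lines.append(f"{bucket:9} {f['id']:14} {f['severity']:8} {f['package']} ({fix})")
    return lines


if __name__ == "__main__":
    verdict = gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, SAMPLE_TODAY)
    print("\n".join(report(verdict)))
    print("exit code:", exit_code(verdict))
```

The expiry date on each acceptance is the important design choice: an accepted risk that never expires silently becomes a permanent blind spot, whereas an expired acceptance (EXAMPLE-CVE-1 above) puts the finding straight back into the blocking bucket.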
Why Minimal Images Reduce Attack Surface
An image containing only what's actually needed to run the application — as opposed to a full general-purpose operating system image with many unnecessary tools and libraries — has fewer potential vulnerabilities and a smaller attack surface overall.
# Minimal base image
FROM node:20-alpine
# General-purpose base image with the runtime installed on top
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y nodejs npm
The first, more minimal approach generally carries less unnecessary content (and therefore less potential vulnerability surface) than the second.
Keeping Base Images Current
Periodically rebuilding against an updated base image ensures security patches released for that base are actually incorporated into dependent images.
docker build --pull -t myapp:1.0 .
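The base-image choice, the minimal-versus-general-purpose comparison and the rebuild-with-`--pull` step above are all decisions that can be checked before an image is ever built. The following Python is an added example, not tooling from this guide or from Docker: a small Dockerfile checker that flags untagged or `:latest` bases, general-purpose bases without a minimal variant tag, package installs that drag in recommended packages or leave index files in the layer, and digest-pinned bases, which `docker build --pull` re-resolves but cannot move past the pinned digest. The regex-based reader, the policy lists and the two sample Dockerfiles (taken from this section) are constructed for the example; ARG-substituted `FROM` lines are not handled.

```python
import re
from dataclasses import dataclass

# Constructed policy (an assumption): bases treated as general purpose unless a
# minimal variant tag is used, and the tag fragments that mark such a variant.
GENERAL_PURPOSE = {"ubuntu", "debian", "centos", "fedora", "rockylinux", "almalinux"}
MINIMAL_HINTS = ("alpine", "slim", "distroless")

# FROM [--platform=...] <ref> [AS <stage>]; ARG-substituted refs are not handled.
FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?$",
    re.IGNORECASE,
)

# The two Dockerfiles from the guide, as constructed inputs for the checker.
MINIMAL_DOCKERFILE = "FROM node:20-alpine\n"
GENERAL_DOCKERFILE = "FROM ubuntu:22.04\nRUN apt-get update && apt-get install -y nodejs npm\n"


@dataclass
class Finding:
    line: int      # 1-based line number of the instruction
    level: str     # "error" should fail the build, "warn" is a review note
    message: str


def parse_image_ref(ref):
    """Split 'registry:port/repo:tag@sha256:...' into (repo, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    repo, tag = ref, None
    colon = ref.rfind(":")
    # A ':' after the last '/' introduces the tag; before it, it is a registry port.
    if colon > ref.rfind("/"):
        repo, tag = ref[:colon], ref[colon + 1:]
    return repo, tag, digest


def logical_lines(text):
    """Yield (line_no, instruction) with backslash continuations joined."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start, buf = i + 1, lines[i].rstrip()
        while buf.endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf[:-1] + " " + lines[i].strip()
        i += 1
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield start, buf.strip()


def check_dockerfile(text):
    """Return the Findings for one Dockerfile's text."""
    findings, stages = [], set()
    for no, line in logical_lines(text):
        m = FROM_RE.match(line)
        if m:
            ref, stage = m["ref"], m["stage"]
            if stage:
                stages.add(stage.lower())
            if ref.lower() in stages or ref == "scratch":
                continue  # builds on an earlier stage, or on the empty image
            repo, tag, digest = parse_image_ref(ref)
            name = repo.split("/")[-1].lower()
            if tag is None and digest is None:
                findings.append(Finding(no, "error", f"{ref}: untagged, resolves to :latest"))
            elif tag == "latest":
                findings.append(Finding(no, "error", f"{ref}: :latest is not a reproducible base"))
            if digest is not None:
                findings.append(Finding(no, "warn", f"{repo}: digest-pinned, so 'docker build --pull' "
                                        "keeps this exact base; bump the digest to take base patches"))
            if name in GENERAL_PURPOSE and not any(h in (tag or "") for h in MINIMAL_HINTS):
                findings.append(Finding(no, "warn", f"{ref}: general-purpose base, prefer a minimal variant"))
        elif line.upper().startswith("RUN "):
            cmd = line[4:]
            if "apt-get install" in cmd:
                if "--no-install-recommends" not in cmd:
                    findings.append(Finding(no, "warn", "apt-get install pulls in recommended packages"))
                if "/var/lib/apt/lists" not in cmd:
                    findings.append(Finding(no, "warn", "apt package lists left in the layer"))
            if "apk add" in cmd and "--no-cache" not in cmd:
                findings.append(Finding(no, "warn", "apk add without --no-cache keeps the index in the layer"))
    return findings


def has_errors(findings):
    """True when at least one finding should fail the build."""
    return any(f.level == "error" for f in findings)


if __name__ == "__main__":
    for text in (MINIMAL_DOCKERFILE, GENERAL_DOCKERFILE):
        for f in check_dockerfile(text) or [Finding(0, "ok", "no findings")]:
            print(f"line {f.line}: {f.level}: {f.message}")
```

Run against the two Dockerfiles from this section, the minimal one produces no findings and the general-purpose one produces three warnings (the base choice plus two about the apt install line). The digest warning is deliberately a warning rather than an error: pinning by digest is the more reproducible choice, but it means a scheduled `docker build --pull` alone will not bring in base patches, so the digest itself has to be bumped.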
Why Image Security Matters
Since every container inherits the security characteristics of the image it's built from, deliberate attention to image source, vulnerability scanning, and minimalism is foundational to a secure container deployment, addressing risk before a container is even started.