# Container Security
Containers are not secure by default. They isolate processes with kernel namespaces, cgroups and capabilities, but every container on a host shares that host's kernel, and the out-of-the-box settings are permissive: root inside the container, a writable filesystem, all default capabilities, no resource limits. The isolation you get is the isolation you configure.
## Image Security
**Minimal Base Images**
Use Alpine or a distroless image (for example `gcr.io/distroless/static-debian12`) and a multi-stage build so that compilers, package managers and build tooling never reach the final image. Less software means fewer CVEs to patch and fewer tools (shell, curl, package manager) for an attacker who lands inside the container. Distroless images have no shell at all, so plan on `kubectl debug` with an ephemeral container instead of `kubectl exec` for troubleshooting.
**Scan for Vulnerabilities**
Run Trivy, Clair or Snyk in the CI/CD pipeline and fail the build on HIGH/CRITICAL findings that have a fix available. Rescan images already in the registry on a schedule as well: new CVEs are published against old layers, so an image that passed at build time does not stay clean.
**Sign Images**
Docker Content Trust (Notary) or Sigstore cosign signs images so that consumers can verify who built an image and that its bytes are unchanged. A signature is only useful if something checks it: enforce verification at deploy time with an admission controller, and reference images by digest rather than by tag, since tags are mutable.
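The three image controls above (minimal build, scan, sign) as one CI job. This is an added example written for this page, not a pipeline from the original article; it assumes GitHub Actions, a GitHub Container Registry destination, and keyless cosign signing via the runner's OIDC token, and the repository path `ghcr.io/example-org/example-app` and branch name are placeholders.

```yaml
name: build-scan-sign
on:
  push:
    branches: [main]

# Least privilege for the workflow token; id-token is what keyless cosign needs.
permissions:
  contents: read
  packages: write
  id-token: write

jobs:
  image:
    runs-on: ubuntu-latest
    steps:
      # In production pin every third-party action to a commit SHA, not a tag.
      - uses: actions/checkout@v4

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The Dockerfile is expected to be multi-stage with a distroless final stage,
      # so only the compiled application ends up in the pushed image.
      - name: Build and push
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/example-org/example-app:${{ github.sha }}

      # exit-code 1 fails the job on any HIGH/CRITICAL finding that has a fix;
      # ignore-unfixed keeps the gate actionable instead of permanently red.
      - name: Scan image for vulnerabilities
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/example-org/example-app:${{ github.sha }}
          format: table
          exit-code: '1'
          ignore-unfixed: true
          severity: HIGH,CRITICAL

      - uses: sigstore/cosign-installer@v3

      # Sign the immutable digest, not the tag, so the signature cannot be
      # re-pointed at a different image later. Runs only if the scan passed.
      - name: Sign image (keyless, OIDC identity of this workflow)
        run: cosign sign --yes ghcr.io/example-org/example-app@${{ steps.build.outputs.digest }}
```

Consumers then require a valid signature from this workflow's identity at admission time; an image that was pushed but failed the scan is never signed and so is never admitted.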
## Runtime Security
**Read-Only Filesystems**
Run containers with a read-only root filesystem so a compromised process cannot drop binaries or edit configuration in place. Paths that genuinely need writes (`/tmp`, cache directories) get a dedicated tmpfs or `emptyDir` volume with a size limit; everything else stays immutable, and a new image is the only way to change it.
**Drop Capabilities**
Run as a non-root UID, drop all Linux capabilities and add back only the ones the workload actually needs (commonly none; `NET_BIND_SERVICE` if it binds a port below 1024). Set `no-new-privileges` (`allowPrivilegeEscalation: false` in Kubernetes) so setuid binaries cannot regain what you dropped, and never use `--privileged`, which hands the container effectively root on the host.
**Resource Limits**
Set CPU and memory limits, and PID limits where the runtime supports them, so one container cannot starve its neighbours or the node. Memory limits also bound the blast radius of a fork bomb or allocation loop: the kernel OOM-kills the offending cgroup instead of the host.
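A Pod spec applying the runtime controls above together. This is an added example for this page, not a manifest from the original; the image name is a placeholder and UID 65532 is assumed to be the `nonroot` user that distroless images ship with.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-app
spec:
  # Most workloads never talk to the API server; don't hand them a token.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start the container as UID 0
    runAsUser: 65532
    runAsGroup: 65532
    fsGroup: 65532
    seccompProfile:
      type: RuntimeDefault      # block rarely-used syscalls (the runtime's profile)
  containers:
    - name: app
      image: ghcr.io/example-org/example-app:1.4.2   # pin by digest in production
      ports:
        - containerPort: 8443
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false   # no-new-privileges: setuid cannot regain caps
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
          # add: ["NET_BIND_SERVICE"]  only if the app must bind a port below 1024
      resources:
        requests:
          cpu: "100m"
          memory: "128Mi"
        limits:
          cpu: "500m"
          memory: "256Mi"          # exceeding this gets the container OOM-killed, not the node
          ephemeral-storage: "512Mi"
      volumeMounts:
        # The only writable path: a bounded tmpfs, wiped when the Pod dies.
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir:
        medium: Memory
        sizeLimit: 64Mi
```

If the application fails to start with this spec, the error usually points at the exact thing it was relying on (a write to `/var/cache`, a bind to port 80, a setuid helper); fix the application or add back the single narrow permission, rather than removing the control.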
## Network Security
- Apply Kubernetes NetworkPolicies, starting from default-deny for both ingress and egress and allowing only the flows a workload needs. Policies are enforced by the CNI plugin (Calico, Cilium and similar); without one that supports them they are silently ignored.
- Use a service mesh (Istio, Linkerd) for mutual TLS between services, which gives you encryption in transit plus a cryptographic workload identity to authorize on.
- Isolate sensitive workloads in their own namespaces, and where the threat model warrants it on dedicated node pools, so a compromised neighbour shares neither network reach nor a kernel with them.
## Secrets Management
Never bake secrets into images. Anything set with `ENV` or copied into a layer is recoverable with `docker history` or by unpacking `docker save` output, even if a later layer deletes the file. Inject secrets at runtime from:
- Kubernetes Secrets (base64-encoded, not encrypted, unless you enable encryption at rest for etcd; restrict `get`/`list` on them with RBAC)
- HashiCorp Vault
- Cloud provider secret managers (AWS Secrets Manager, Google Secret Manager, Azure Key Vault)
Prefer mounting secrets as files over environment variables: environment variables show up in `docker inspect`, in `/proc/<pid>/environ` of the process, and frequently in crash reports and debug logs.
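The weak and hardened patterns side by side: a secret baked into the image versus a Kubernetes Secret mounted as a read-only file. This is an added example for this page, not from the original; names, paths and the placeholder value are constructed for illustration, and the Secret object would normally be created by the deployment tooling from Vault or a cloud secret manager rather than committed to a repository.

```yaml
# Weak pattern (do not do this) as a Dockerfile line, shown here for contrast:
#   ENV DB_PASSWORD=CHANGEME-not-a-real-password
# The value sits in the image config forever (`docker history`, `docker inspect`)
# and in the environment of every process in the container.
#
# Hardened pattern: the value exists only in the cluster and reaches the
# container as a file on tmpfs, readable by the app user alone.
apiVersion: v1
kind: Secret
metadata:
  name: payments-db-credentials
  namespace: payments
type: Opaque
stringData:
  # Placeholder value, constructed for this example. In etcd this is only
  # base64-encoded unless encryption at rest is enabled on the API server.
  password: CHANGEME-not-a-real-password
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 65532
    fsGroup: 65532              # makes the mounted file readable by the app's group
  containers:
    - name: app
      image: ghcr.io/example-org/payments-api:1.4.2
      # Pass the *path*, never the value, through the environment.
      env:
        - name: DB_PASSWORD_FILE
          value: /var/run/secrets/db/password
      volumeMounts:
        - name: db-credentials
          mountPath: /var/run/secrets/db
          readOnly: true
  volumes:
    - name: db-credentials
      secret:
        secretName: payments-db-credentials
        defaultMode: 0400       # owner read-only
```

Kubernetes backs Secret volumes with tmpfs, so the value never touches the node's disk, and a file mount is updated in place when the Secret rotates, which an environment variable cannot do without a restart.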
Security is a process, not a product.
