Container Security
Secure Docker containers for production deployments.
Base Image Selection

Start from a minimal base image and run the process as a dedicated unprivileged user. A floating tag such as `node:20-alpine` moves with upstream releases; for reproducible builds pin a specific patch tag or the image digest.

```dockerfile
# Use a minimal base image and run as a dedicated non-root user.
# node:20-alpine is a floating tag; for reproducible builds pin a patch tag
# or a digest (FROM node:20-alpine@sha256:<digest>).
FROM node:20-alpine AS runtime
RUN addgroup -g 1001 gauzy && adduser -u 1001 -G gauzy -s /bin/sh -D gauzy
# Files copied after this point should use COPY --chown=gauzy:gauzy
USER gauzy
```
Security Hardening
Read-Only Filesystem

A read-only root filesystem stops an attacker who gains code execution from dropping tools or modifying the application on disk. The application still needs writable scratch space, so mount an `emptyDir` volume on the paths it writes to (for example `/tmp`) rather than relaxing this setting.

```yaml
securityContext:
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1001              # the UID created in the Dockerfile above
  allowPrivilegeEscalation: false   # blocks setuid binaries and similar escalation
  capabilities:
    drop: ["ALL"]              # add back individual capabilities only if required
```
Resource Limits

Limits bound the blast radius of a runaway or deliberately exhausted container: a container that exceeds its memory limit is OOM-killed instead of starving its neighbours, and CPU limits are throttled.

```yaml
resources:
  limits:
    cpu: "2"
    memory: "2Gi"      # exceeding this gets the container OOM-killed
  requests:
    cpu: "500m"
    memory: "512Mi"
```
Image Scanning

Scan the exact tag or digest you deploy; a scan of `:latest` only tells you about whatever `latest` pointed at when the scan ran.

```shell
# Scan with Trivy
trivy image ghcr.io/ever-co/gauzy-api:latest
# In CI, fail the job on fixable HIGH/CRITICAL findings instead of only reporting them
trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 ghcr.io/ever-co/gauzy-api:latest
# Scan with Docker Scout (--exit-code returns non-zero when CVEs are found)
docker scout cves --exit-code ghcr.io/ever-co/gauzy-api:latest
```
Best Practices

| Practice | Description |
|---|---|
| Multi-stage builds | Keep compilers, dev dependencies and build secrets out of the runtime image; smaller image, smaller attack surface |
| .dockerignore | Exclude `.env` files, credentials, `.git` and dev artifacts from the build context |
| No root | Run as a dedicated non-root user (`USER` in the Dockerfile, `runAsNonRoot` in Kubernetes) |
| Pin versions | Use exact image tags or digests, never `latest` |
| Scan regularly | Run vulnerability scanning in CI/CD and fail the build on fixable high-severity findings |
| Limit capabilities | Drop `ALL`, add back only the capabilities the process needs |
| Read-only FS | Block runtime file writes; give writable paths an `emptyDir` |
| Health checks | Container-level liveness and readiness probes so a wedged container is restarted |
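The settings in the Security Hardening and Resource Limits sections and the rules in the table above can be checked mechanically before a manifest reaches a cluster. The following is an added example, not code from the Gauzy project: it audits a Pod spec (given as Python dicts in the same shape as the YAML/JSON the API server accepts, so it runs offline without a cluster or PyYAML) against those rules. The two manifests are constructed for the example and the `0.1.0` tag is hypothetical.

```python
"""Audit a Kubernetes Pod spec for the hardening settings recommended on this page.

Added example, not part of the Gauzy project. Manifests are constructed inline.
"""
import re

# A digest reference is immutable; an explicit tag other than "latest" is accepted.
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_is_pinned(image: str) -> bool:
    """True if the image reference carries a digest or a non-"latest" tag."""
    if _DIGEST_RE.search(image):
        return True
    # Drop the registry/repository part first so a registry port (host:5000/...)
    # is not mistaken for a tag.
    name = image.rsplit("/", 1)[-1]
    if ":" not in name:
        return False
    tag = name.rsplit(":", 1)[1]
    return tag not in ("", "latest")


def audit_container(c: dict) -> list[str]:
    """Return the findings for one container; an empty list means it passes."""
    findings = []
    sc = c.get("securityContext") or {}
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false")
    if sc.get("privileged"):
        findings.append("container is privileged")
    caps = sc.get("capabilities") or {}
    drops = {d.upper() for d in (caps.get("drop") or [])}
    if "ALL" not in drops:
        findings.append("capabilities.drop does not include ALL")
    # Re-adding a capability is a deliberate choice; surface it for review.
    for added in caps.get("add") or []:
        findings.append(f"capability added back: {added}")
    limits = (c.get("resources") or {}).get("limits") or {}
    for res in ("cpu", "memory"):
        if res not in limits:
            findings.append(f"no {res} limit")
    if not image_is_pinned(c.get("image", "")):
        findings.append(f"image not pinned to a tag or digest: {c.get('image')!r}")
    return findings


def audit_pod(pod: dict) -> dict[str, list[str]]:
    """Map each container name (init containers included) to its findings."""
    spec = pod.get("spec", pod)
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    return {c["name"]: audit_container(c) for c in containers}


# Constructed manifests: a weak spec and the hardened form this page describes.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api-weak"},
    "spec": {"containers": [{"name": "api", "image": "ghcr.io/ever-co/gauzy-api:latest"}]},
}

HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api-hardened"},
    "spec": {
        "containers": [{
            "name": "api",
            "image": "ghcr.io/ever-co/gauzy-api:0.1.0",  # hypothetical tag
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "runAsNonRoot": True,
                "runAsUser": 1001,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {
                "limits": {"cpu": "2", "memory": "2Gi"},
                "requests": {"cpu": "500m", "memory": "512Mi"},
            },
            # A read-only root still needs writable scratch space for the app.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        for container, findings in audit_pod(pod).items():
            status = "OK" if not findings else "; ".join(findings)
            print(f"{pod['metadata']['name']}/{container}: {status}")
```

The weak manifest produces seven findings (no non-root, no read-only root, privilege escalation allowed, capabilities not dropped, no CPU or memory limit, floating `latest` tag); the hardened one produces none. The same checks can be wired into a CI step that runs over rendered manifests, or expressed as an admission policy once the rules are agreed.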
Related Pages

- Docker Multi-Stage Optimization: build optimization
- Kubernetes Deployment: K8s
- Vulnerability Scanning: scanning