Hardening: Non-root and Minimal Base
An image that works is not necessarily an image that is safe to deploy. In this lesson we focus on one theme: reduce what can be attacked. We run the container as a non-root user (the default in a container is root, and the USER instruction drops us to a limited user so a breach does less damage), c
Give a worker only the keys they need (non-root), and keep the toolbox small (minimal base) — so even if someone breaks in, they have fewer keys and fewer tools to play with.
- non-root user (USER): Running the container process under a limited-privilege user instead of root. The USER instruction in a Dockerfile sets it and limits the damage (blast radius) if an attacker gains code execution.
- minimal base image: A small base like alpine or distroless with few packages and tools. The less that is installed in the image, the fewer possible vulnerabilities and the smaller the attack surface.
- image scanning (CVE): An automated check of the image against a database of known vulnerabilities (CVEs) in its libraries and base. The scan flags vulnerable packages, so you pin versions and update.
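A pre-build check for the first two terms, as an added example that is not part of the original lesson: it reads a Dockerfile and reports whether the final stage (the one that ships) sets a non-root USER and starts from a minimal base. The two sample Dockerfiles, the image names in them and the `MINIMAL_HINTS` list are constructed assumptions.

```python
import re

# Constructed sample Dockerfiles (assumptions for this example, not from the lesson).
WEAK = """\
FROM ubuntu:22.04
COPY app /app
CMD ["/app/server"]
"""
HARDENED = """\
FROM golang:1.22 AS build
COPY . /src
RUN cd /src && CGO_ENABLED=0 go build -o /server .
FROM gcr.io/distroless/static-debian12
COPY --from=build /server /server
USER 65532:65532
CMD ["/server"]
"""
# Assumption: name fragments treated as "minimal"; a heuristic, adjust to your policy.
MINIMAL_HINTS = ("alpine", "distroless", "scratch")


def audit(dockerfile: str) -> list[str]:
    """Return findings for the final build stage of a Dockerfile."""
    base = user = None
    text = re.sub(r"\\\s*\n", " ", dockerfile)  # join line continuations
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        args = [p for p in parts[1:] if not p.startswith("--")]  # skip flags
        if instr == "FROM" and args:
            # New stage: forget any USER from earlier stages. A USER baked into
            # the base image is invisible here, so an explicit one is required.
            base, user = args[0].lower(), None
        elif instr == "USER" and args:
            user = args[0].split(":")[0].lower()  # drop the optional :group
    if base is None:
        return ["no FROM instruction found"]
    findings = []
    if user is None:
        findings.append("no USER in final stage: process runs as root by default")
    elif user in ("root", "0"):
        findings.append(f"final stage sets USER {user}: still root")
    if not any(hint in base for hint in MINIMAL_HINTS):
        findings.append(f"base image {base} is not a known minimal base")
    return findings
```

The check is static, so it complements image scanning and does not replace it: it says nothing about known CVEs in the packages the image contains.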