{"id":13442957,"url":"https://github.com/OWASP/Docker-Security","last_synced_at":"2025-03-20T15:31:37.239Z","repository":{"id":38045218,"uuid":"146892809","full_name":"OWASP/Docker-Security","owner":"OWASP","description":"Getting a handle on container security","archived":false,"fork":false,"pushed_at":"2023-12-04T14:12:56.000Z","size":5682,"stargazers_count":613,"open_issues_count":18,"forks_count":129,"subscribers_count":52,"default_branch":"main","last_synced_at":"2024-05-01T11:53:13.638Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://owasp.org/www-project-docker-top-10/","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OWASP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"License.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-08-31T13:03:09.000Z","updated_at":"2024-04-28T02:55:59.000Z","dependencies_parsed_at":"2024-01-13T09:36:20.743Z","dependency_job_id":"49bca5ae-a707-4cd4-a316-2acf71c3183d","html_url":"https://github.com/OWASP/Docker-Security","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FDocker-Security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FDocker-Security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FDocker-Security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FDocker-Security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OWASP","download_url":"https://code
load.github.com/OWASP/Docker-Security/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244640070,"owners_count":20485978,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T03:01:53.848Z","updated_at":"2025-03-20T15:31:36.758Z","avatar_url":"https://github.com/OWASP.png","language":"Dockerfile","funding_links":[],"categories":["Dockerfile","Blogs","博客：获取前沿实践与漏洞动态"],"sub_categories":[],"readme":"Docker Security\n===============\n\nThis is the OWASP Docker Top 10. It's a work in progress.\n\n## About this document\n\nThis document describes the 10 most important security bullet points for\nbuilding a secure containerized environment. You can use it as a specification\nsheet if you start from scratch, or alternatively hand it to a contractor who\nwill do this for you.\n\nIt can also be used to audit or secure an existing installation, but especially\nthere you should start thinking about security very early, ideally in the design\nphase. Later on it becomes either difficult or costly, in terms of money or time,\nto change some of the decisions you made.\n\n### Name\n\nAlthough the document's name resembles the OWASP Top 10, it's quite different.\nFirst, it is not about risks based on collected data, as the OWASP Top 10 is.\nSecondly, the 10 bullet points here resemble (proactive) controls.\n\n### For whom is this?\n\nThis guide is for developers, auditors, architects, system and networking\nengineers. 
As indicated above, you can also use this guide for external\ncontractors to add formal technical requirements to your contract. The\ninformation security officer should also be interested in meeting baseline\nsecurity requirements and beyond.\n\nThese 10 bullet points are mostly (see below this paragraph) about system and\nnetwork security and system and network architecture. As a developer you don't\nhave to be an expert in those -- that's what this guide is for. But as indicated\nabove, it is best to start thinking about and addressing those points early. Please\ndo not just start building.\n\nOne of the bullet points should not be misunderstood: Patch management is not a\ntechnical point. It's a management process. Last but not least, for technical or\ninformation security management that has not yet been much concerned with\ncontainerization, this document also provides insights into the risks involved.\n\n### Structure of this document\n\nSecurity in Docker environments often seems to be misunderstood. It was, and is, a\nhighly disputed matter what the threats are supposed to be. So before diving\ninto the Docker Top 10 bullet points, the threats need to be modeled, which\nhappens upfront in this document. It not only helps to understand any security\nimpacts but also gives you the ability to prioritize your tasks.\n\n### Contribution\n\nPlease see CONTRIBUTING.md. To ease contributions to the open points, please\nfile your PRs against the corresponding dev branches (D06_dev, D07_dev, ...).\n\n\n### How to Build PDF version\n\nYou can build yourself a PDF version as long as you have Docker and docker-compose\ninstalled.\n\n```\ndocker-compose run --rm build\n```\n\nThe PDF is not updated frequently in this repository, as it would otherwise clog the repo.\n\n## FAQ\n\n### Why not \"Container Security\"\n\nAlthough the name of this project carries the word \"Docker\", it can also be used\nwith little abstraction for other containment solutions. 
Docker is as of now the\nmost popular one, so the in-depth details focus for now on Docker. This\ncould change later.\n\n### A single container?\n\nIf you run more than 3 containers on a server you probably have an orchestration\nsolution to manage them. _Specific_ security pitfalls of such a tool are\ncurrently beyond the scope of this document. That does not mean that this guide\nis only concerned with one or a few containers managed manually -- on the contrary.\nIt means only that we're looking at the containers, including their networking\nand their host systems, in such an orchestrated environment and not at the specific\npitfalls of e.g. _Kubernetes_, _Swarm_, _Rancher_ or _OKD/OpenShift_.\n\n### Why ten?\n\nTo be honest, for us humans the number 10 sounds catchy, and while putting it all\ntogether these 10 were considered to be the most important ones.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2FDocker-Security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FOWASP%2FDocker-Security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2FDocker-Security/lists"}