{"id":15748074,"url":"https://github.com/stonecypher/docker_image_security_checklist","last_synced_at":"2026-01-08T08:10:17.516Z","repository":{"id":144596709,"uuid":"192607574","full_name":"StoneCypher/Docker_image_security_checklist","owner":"StoneCypher","description":"Let's make a checklist of things you're supposed to do","archived":false,"fork":false,"pushed_at":"2019-07-10T16:05:03.000Z","size":5,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-06T11:28:12.351Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/StoneCypher.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-06-18T20:23:19.000Z","updated_at":"2021-06-12T08:19:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"856c61ba-0758-423a-9bbb-f2bc9c16b72b","html_url":"https://github.com/StoneCypher/Docker_image_security_checklist","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StoneCypher%2FDocker_image_security_checklist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StoneCypher%2FDocker_image_security_checklist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StoneCypher%2FDocker_image_security_checklist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StoneCypher%2FDocker_image_securi
ty_checklist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/StoneCypher","download_url":"https://codeload.github.com/StoneCypher/Docker_image_security_checklist/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246429448,"owners_count":20775805,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-04T05:40:31.542Z","updated_at":"2026-01-08T08:10:17.497Z","avatar_url":"https://github.com/StoneCypher.png","language":null,"readme":"# docker_image_security_checklist\nLet's centralize what needs to be done for any arbitrary docker image's security\n\nThis list regards the docker image itself.  You probably also need to check other security checklists, such as the [Service security checklist](https://github.com/StoneCypher/Service_security_checklist/blob/master/README.md).\n\n\nThis list can then just be copy-pasta-ed into a given readme to validate the work later\n\n## Checklist\n\n1. [ ] Blind the docker images to anything on the network except things they need to be able to see\n1. [ ] Reduce the privileges of the `docker` user\n    - User should only be able to read necessary dependencies outside of application code\n    - User should only be able to write to specific locations (tmp, log, etc.)\n1. [ ] Non-public connections between microservices are all authenticated\n1. [ ] Consider a `metadata reverse proxy`\n    * TODO: Explanation is warranted here\n1. [ ] Remember to use load balancers in the fashion of firewalls\n1. 
[ ] (not enough notes were taken) Reverse DNS\n1. [ ] Be careful to extensively lock your database down\n1. [ ] Set up periodic monitoring of time-limited resources like SSL certificates\n1. [ ] Uptime, Health, Readiness and Resource usage monitors\n1. [ ] Catastrophic takeover replacement plan\n1. [ ] Hard-specify your base image and avoid use of `latest`\n1. [ ] Consider using multi-staged builds and smaller base images (alpine) to minimize attack surface\n\n## AWS specific stuff\n1. [ ] Where possible, use AWS VPC\n1. [ ] In CloudTrail, set up another account unrelated to the production account\n    1. [ ] Logs go there, to raise the workload for an attacker hiding their tracks\n    1. [ ] Use a role that cannot edit logs after the fact\n    1. [ ] Use completely distinct authentication\n1. [ ] Look into SSM as an alternative to SSH, and in that case, disable SSH\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstonecypher%2Fdocker_image_security_checklist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstonecypher%2Fdocker_image_security_checklist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstonecypher%2Fdocker_image_security_checklist/lists"}