Container images are immutable templates used to create container instances. They consist of layered filesystems built from a base image.
Image components
- Base image: Operating system layer (Alpine, Ubuntu, Distroless).
- Dependencies: Libraries, frameworks, runtime environments.
- Application code: Your compiled or interpreted application.
- Configuration: Environment variables, config files.
- Metadata: Labels, exposed ports, entrypoint commands.
Security considerations
- Base image selection: Minimal images reduce attack surface.
- Vulnerability scanning: Scan images for known CVEs.
- Image signing: Verify image integrity and provenance.
- Secret management: Never bake secrets into images; a file deleted in a later layer still exists in the layer that added it, and ENV/ARG values persist in the image config and build history.
- Non-root users: Run processes as non-privileged users.
Best practices
- Use specific version tags, not latest; better still, pin by digest (image@sha256:...), since any tag can be re-pushed to point at different content.
- Choose minimal base images (Alpine, Distroless).
- Multi-stage builds to exclude build tools.
- Scan images in CI/CD before pushing to registry.
- Implement image lifecycle policies (expire old images).
- Sign images with Cosign or Notary, and verify signatures at deploy time (for example with an admission policy) so an unsigned or tampered image cannot run.
Common vulnerabilities
- Outdated base images with unpatched OS packages.
- Vulnerable application dependencies.
- Exposed secrets in image layers (copied credential files, ENV/ARG values, or files removed in a later layer but still present in an earlier one).
- Running as root user.
- Unnecessary packages increasing attack surface.
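The best practices and the common-vulnerability list above can be checked mechanically before an image is ever built. The following Python script is an added example written for this page, not code from the original article or any project it mentions: a small Dockerfile linter that flags a floating base tag, secret-looking ENV/ARG keys, credential files copied into a layer, a final stage that never drops root, and build tooling left in the shipped image. Both Dockerfiles embedded at the bottom are constructed for the demo (a deliberately weak one and a hardened multi-stage one); the sha256 digest in the hardened one is an all-zero placeholder standing in for the real digest you would take from `docker pull`.

```python
import re
from dataclasses import dataclass

DIGEST_PAT = re.compile(r"@sha256:[0-9a-f]{64}$")
SECRET_KEY_PAT = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)
SECRET_FILE_PAT = re.compile(r"(^|/)(\.env|id_rsa|id_ed25519|[^/]+\.(pem|key))$")
BUILD_TOOL_PAT = re.compile(r"\b(gcc|g\+\+|make|build-essential|golang|maven|npm install)(?!\w)")


@dataclass
class Finding:
    line: int
    rule: str
    message: str


def parse_dockerfile(text):
    """Yield (line_no, INSTRUCTION, args); joins backslash continuations, skips comments/blanks."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped, start = lines[i].strip(), i + 1
        i += 1
        if not stripped or stripped.startswith("#"):
            continue
        while stripped.endswith("\\") and i < len(lines):
            stripped = stripped[:-1].rstrip() + " " + lines[i].strip()
            i += 1
        parts = stripped.split(None, 1)
        yield start, parts[0].upper(), parts[1] if len(parts) > 1 else ""


def base_image_rule(image, stage_names):
    """Return a rule name if the FROM reference can change underneath you, else None."""
    if image == "scratch" or image in stage_names or DIGEST_PAT.search(image):
        return None
    name = image.rsplit("/", 1)[-1]          # drop registry/namespace before looking for a tag
    if ":" not in name or name.endswith(":latest"):
        return "unpinned-base"               # floating tag: every rebuild pulls whatever is current
    return "tag-not-digest"                  # version tag is better, but a tag can still be re-pushed


def lint_dockerfile(text):
    findings, stages, stage_names = [], [], set()   # one dict per FROM: line, user, build_tools
    for line_no, inst, args in parse_dockerfile(text):
        tokens = args.split()
        if not tokens:
            continue
        if inst == "FROM":
            image = next(t for t in tokens if not t.startswith("--"))   # skip --platform=...
            upper = [t.upper() for t in tokens]
            if "AS" in upper:
                stage_names.add(tokens[upper.index("AS") + 1])
            rule = base_image_rule(image, stage_names)
            if rule:
                findings.append(Finding(line_no, rule, f"base image {image!r} is not pinned by digest"))
            stages.append({"line": line_no, "user": None, "build_tools": False})
        elif not stages:
            continue                          # global ARGs before the first FROM are not checked here
        elif inst == "USER":
            stages[-1]["user"] = tokens[0].split(":")[0]
        elif inst in ("ENV", "ARG"):          # both survive in image config or build history
            keys = [t.split("=", 1)[0] for t in tokens] if "=" in tokens[0] else tokens[:1]
            for key in keys:
                if SECRET_KEY_PAT.search(key):
                    findings.append(Finding(line_no, "secret-in-" + inst.lower(),
                                            f"{key} is baked into the image; use --mount=type=secret"))
        elif inst in ("COPY", "ADD"):         # every token but the last is a source path
            for src in [t for t in tokens if not t.startswith("--")][:-1]:
                if SECRET_FILE_PAT.search(src):
                    findings.append(Finding(line_no, "secret-file-copied", f"{src} copied into a layer"))
        elif inst == "RUN" and BUILD_TOOL_PAT.search(args):
            stages[-1]["build_tools"] = True
    if stages:                                # only the last stage ends up in the shipped image
        final = stages[-1]
        if final["user"] in (None, "root", "0"):
            findings.append(Finding(final["line"], "runs-as-root", "final stage never switches to a non-root USER"))
        if final["build_tools"]:
            findings.append(Finding(final["line"], "build-tools-in-final-image",
                                    "compilers/build tooling in the shipped image; use a multi-stage build"))
    return findings


# Constructed sample: hits every item on the common-vulnerabilities list.
WEAK_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
COPY .env /app/.env
COPY . /app
RUN apt-get update && \\
    apt-get install -y build-essential
CMD ["python", "/app/main.py"]
"""

# Constructed sample applying the best practices: digest pin (placeholder digest), multi-stage
# build with build tooling left behind, non-root UID, no secrets in ENV/ARG or copied files.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64   # stand-in for the real digest reported by `docker pull`
HARDENED_DOCKERFILE = f"""\
FROM python:3.12-slim@{PLACEHOLDER_DIGEST} AS build
WORKDIR /src
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
COPY app ./app

FROM python:3.12-slim@{PLACEHOLDER_DIGEST}
COPY --from=build /install /usr/local
COPY --from=build /src/app /app
RUN useradd --system --uid 10001 --no-create-home app
USER 10001
CMD ["python", "-m", "app"]
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        results = lint_dockerfile(text)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line}: [{f.rule}] {f.message}")
```

Running it reports five findings for the weak Dockerfile (floating `latest` tag, password in ENV, `.env` copied into a layer, no non-root USER, build-essential in the final image) and none for the hardened one. The checks are deliberately syntactic; they complement, rather than replace, a CVE scanner run against the built image in CI.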