mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-06 07:48:57 +03:00
31 lines
953 B
Markdown
31 lines
953 B
Markdown
# Standards Reference: Container Image Hardening
|
|
|
|
## CIS Docker Benchmark v1.6.0 - Image Controls
|
|
|
|
- 4.1: Create a user for the container
|
|
- 4.2: Use trusted base images
|
|
- 4.3: Do not install unnecessary packages
|
|
- 4.4: Scan and rebuild images for security patches
|
|
- 4.6: Add HEALTHCHECK instruction
|
|
- 4.7: Do not use update instructions alone
|
|
- 4.9: Use COPY instead of ADD
|
|
- 4.10: Do not store secrets in Dockerfiles
|
|
- 4.11: Install verified packages only
|
|
|
|
## NIST SP 800-190 Application Container Security Guide
|
|
|
|
### Image Hardening (Section 4.1)
|
|
- Use minimal base images to reduce attack surface
|
|
- Remove unnecessary tools, shells, and package managers
|
|
- Scan images for vulnerabilities before deployment
|
|
- Sign images for integrity verification
|
|
|
|
## OWASP Docker Security Cheat Sheet
|
|
|
|
- Use multi-stage builds
|
|
- Run as non-root user
|
|
- Use read-only root filesystem
|
|
- Pin base images to digests
|
|
- Drop all Linux capabilities
|
|
- Enable seccomp profile
|