Learn how to avoid risks and follow best practices in creating safe and secure Docker images.
If you're bringing your own Docker image, please consider the following security advisoryIf you base your image on anything other than Terra Base Images, you must decide whether you trust the image provider. Even if you want to save time by building on somebody else’s work, it's a risk. From a security point of view, there are better paths to a safe and secure custom Docker than pulling an image.
What's the risk of a third-party image?
Because anyone can publish an image on Docker Hub, third-party containers may contain malware or insecure software, or may set insecure settings. These may result in cryptojacking. For example, a malicious actor who stores malicious code as a Github gist and then RUN curl when the container is built. See this Example of a malicious image in Dockerhub.
Because packages increase the risks, don't install unnecessary packages in your containers.
Recreate from scratch with the third-party image as a template
Try inspecting the Dockerfile and only include parts you feel are trustworthy. Note: Auditing a Dockerfile can sometimes take as long as configuring the image yourself.
Publishing your own images public versus non-public options
Note: Your Docker image does not have to be public if you use GCR. However, if you use DockerHub, the Docker image must be public.