Introduction
Layman's explanation
If you have used Docker containers, you might have found it very convenient to download the right container from a choice of many. You must be delighted that, for any requirement, you no longer have to write the container yourself or follow up with someone who agreed to build it for you. But what about container safety? Is it safe to trust a Docker container? Are you sure that your container will not be hacked? Are you sure that your container will not contain malware? This article addresses these questions.
Technical explanation
Potential security lapses
The container may contain actual malware. Is this likely? No one knows. Is it possible? Yes.
The container may contain insecure software. Dockerfiles are basically batch scripts that build a machine. I've seen several that do things like download files over unencrypted HTTP connections and then run them as root in the container. For me, that's not a good way to get a secure container.
The container may have insecure settings. Docker is all about automating the set-up of software, which means that you are, to an extent, trusting all the people who wrote the Dockerfiles to have configured them as securely as you would have liked.
Someone can argue that this is the same question as whether open source software is trustworthy. But IMHO, the risk of using community Docker containers is somewhat higher than the risk of using open source software, because community Docker containers need not be open source. Note that open source code brings the advantage of community evaluation of code- and design-level security vulnerabilities.
As to whether this is "worth the risk", I'm afraid that's a decision only you can really make. You are trading off the time needed to develop and maintain your own images against the increased risk that someone involved in producing the software you download will either be malicious or have made a mistake with regard to the security of the system.
Risk mitigation suggestions
If you trust the provider, then you can trust their Docker product. For example, a Google container provided by Google can be trusted.
Protect the channel used to download the Docker container. Otherwise, an attacker can replace the genuine container with their own. If you are using a Docker repository, use a secure channel (HTTPS).
Observation from CIS security standard
The CIS security standard for Docker, section 4.2, observes the following:
Official repositories are Docker images curated and optimized by the Docker community or the vendor. But the Docker container image signing and verification feature is not yet ready.
Hence, the Docker engine does not verify the provenance of the container images by itself.
You should thus exercise a great deal of caution when obtaining container images.
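Since the engine does not verify provenance for you, one practical form of caution is to audit the Dockerfile behind an image before trusting it. The following is an added example (not code from the original page or from Docker): a small Python audit that flags the lapses described in the "Potential security lapses" section (downloads over unencrypted HTTP, remote content piped straight into a shell, no switch away from root) and, going slightly beyond the text, a base image not pinned by digest, which is the usual way to counter the missing provenance check. The sample Dockerfiles, the hostname example.invalid and the zero-filled digest are constructed placeholders.

```python
import re

# Constructed sample Dockerfiles (not from the page): the lapses described above, then the hardened form.
INSECURE_DOCKERFILE = """\
FROM ubuntu:latest
RUN curl http://example.invalid/install.sh | sh
ADD http://example.invalid/tool.tar.gz /opt/
"""
HARDENED_DOCKERFILE = """\
FROM ubuntu@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN curl -fsSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz \\
    && echo "PLACEHOLDER_SHA256  /tmp/tool.tar.gz" | sha256sum -c -
USER nobody
"""
HTTP_URL = re.compile(r"\bhttp://[^\s'\"]+")               # plain-HTTP download
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(sh|bash)\b")  # remote content executed directly

def logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = [], None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or num
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None

def audit_dockerfile(text):
    """Return [(line_number, finding)] for the risky patterns discussed above."""
    findings, non_root_user = [], False
    for num, line in logical_lines(text):
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "USER" and args and args.split()[0] not in ("root", "0"):
            non_root_user = True
        if instr == "FROM" and args.split()[0] != "scratch" and "@sha256:" not in args:
            findings.append((num, "base image not pinned by digest: " + args.split()[0]))
        if instr in ("RUN", "ADD") and HTTP_URL.search(args):
            findings.append((num, "download over unencrypted HTTP"))
        if instr == "RUN" and PIPE_TO_SHELL.search(args):
            findings.append((num, "remote content piped into a shell"))
    if not non_root_user:
        findings.append((0, "no non-root USER instruction: processes run as root"))
    return findings
```

Running audit_dockerfile on the insecure sample reports five findings (unpinned base image, two plain-HTTP downloads, a pipe into sh, and no non-root USER); the hardened sample reports none.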
Reference
https://security.stackexchange.com/questions/88790/is-it-safe-to-trust-a-docker-container