DEV Community

Nick Ciolpan

Stop Shipping Broken Docker Images

I wrote docker-scan-lite after seeing too many prod incidents from:

  • FROM ubuntu:latest
  • USER root
  • Hardcoded API keys
  • No version pinning

DON'T

Last week: saw a container compromised because someone deployed with root user + hardcoded API key.

This happens. We write Dockerfiles in a hurry:

  • FROM ubuntu:latest (no time for versions)
  • USER root (it just works)
  • Hardcoded secrets (just for testing)
  • No pinning (build's failing, gotta ship)

We hear the warnings but keep driving.

DO

go install github.com/nickciolpan/docker-scan-lite@latest
docker-scan-lite scan Dockerfile

Catches:

  • Vulnerable base images
  • Hardcoded secrets
  • Root user configs
  • Insecure commands
  • Unpinned packages

Real output:

🐳 Docker Scan Lite Results
📊 Summary: 3 issues found
🔒 Security Issues
  ⚠️ [HIGH] Container running as root user (line 15)
  ⚠️ [MEDIUM] Using 'latest' tag not recommended (line 1)
  ⚠️ [LOW] Package installation without version pinning (line 8)

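To make those checks concrete, here is a minimal line-by-line Dockerfile scanner written for this post as an added illustration. It is not docker-scan-lite's own code: the rule regexes, the Finding type and the sample Dockerfile it scans are all constructed for the example, and it reports findings in the same shape as the output above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one report line: severity, message and the Dockerfile line it refers to.
type Finding struct {
	Severity, Message string
	Line              int
}

var (
	latestOrUntagged = regexp.MustCompile(`(?i)^FROM\s+[^\s:@]+(:latest)?(\s+AS\s+\S+)?$`)                         // no tag, or :latest
	hardcodedSecret  = regexp.MustCompile(`(?i)^(ENV|ARG)\s+\w*(SECRET|PASSWORD|TOKEN|API_?KEY)\w*[= ][^$/\s]\S*`) // literal value; $VAR or /path is fine
	aptInstall       = regexp.MustCompile(`apt(-get)?\s+install\b`)
	pinnedPkg        = regexp.MustCompile(`\b[a-z0-9.+-]+=[0-9]\S*`) // name=version; DEBIAN_FRONTEND=x is not a pin
)

// Scan runs the post's checks line by line: base tag, root user, hardcoded secrets, unpinned apt packages.
func Scan(dockerfile string) (out []Finding) {
	userLine, asRoot := 0, true // no USER instruction at all also means root
	for i, raw := range strings.Split(dockerfile, "\n") {
		n, l := i+1, strings.TrimSpace(raw)
		switch {
		case latestOrUntagged.MatchString(l):
			out = append(out, Finding{"MEDIUM", "Using 'latest' tag not recommended", n})
		case strings.HasPrefix(strings.ToUpper(l), "USER "):
			who := strings.SplitN(strings.TrimSpace(l[5:]), ":", 2)[0]
			userLine, asRoot = n, who == "root" || who == "0"
		case hardcodedSecret.MatchString(l):
			out = append(out, Finding{"HIGH", "Hardcoded secret in " + strings.Fields(l)[0], n})
		case aptInstall.MatchString(l) && !pinnedPkg.MatchString(l):
			out = append(out, Finding{"LOW", "Package installation without version pinning", n})
		}
	}
	if asRoot {
		out = append(out, Finding{"HIGH", "Container running as root user", userLine})
	}
	return out
}

func main() {
	src := "FROM ubuntu:latest\nRUN apt-get install -y curl\nENV API_KEY=sk_live_example\nUSER root\n" // constructed sample, not a real file
	for _, f := range Scan(src) {
		fmt.Printf("[%s] %s (line %d)\n", f.Severity, f.Message, f.Line)
	}
}
```

A Dockerfile with no USER instruction at all is reported as running as root with line 0, since that is the default the runtime falls back to.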
Setup (30 seconds)

Add to CI:

- name: Scan Dockerfile
  run: docker-scan-lite scan Dockerfile

30 seconds to install. Catches stupid mistakes before production.

GitHub: https://github.com/nickciolpan/docker-scan-lite

What's your worst Docker security mistake?

#Docker #DevOps #Security
