These risks are not unique to Docker Hub, and as technology has grown and evolved, more and more of the baseline code and images we use are pulled, effectively, from unvetted sources on the public internet. Is the Docker image you pulled into your environment from a repo that was compromised? Is there now undetected malicious code in the image? We’ve traded security and trust for velocity and ease of use.
What can be done to restore trust to our workflows? Our automated build pipelines? Our services and applications? In the case of Docker, there are a few steps that make sense and will improve the security of your containers.
- Build your own images. Start with a base OS and add your applications and services on top of that.
- Scan your images as part of your image build pipeline. Open source tools such as Clair and Anchore make this a straightforward task.
- Use Notary from the Cloud Native Computing Foundation (CNCF) to sign your container images.
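The three steps above as one pipeline gate, written here as an added example that is not from this post or from Edgewise: a POSIX shell script that refuses base images not pinned by digest, builds, scans with anchore-cli and signs through Notary via `docker trust`. It assumes `docker`, `anchore-cli` against an Anchore Engine and a Notary server are already configured; the digest-pinning check and the handling of build stages and `scratch` are additions of mine, not steps the post lists.

```shell
# Added example, not the post's code: a build-scan-sign gate for a Docker pipeline.
# Assumed tooling for run_pipeline: docker, anchore-cli against an Anchore Engine,
# and a Notary server behind "docker trust". The Dockerfile checks need no tooling.
set -eu
# True when a reference is digest-pinned (name[:tag]@sha256:<64 hex>). A tag can be
# repointed at a malicious image if the upstream repo is compromised; a digest cannot.
base_image_is_pinned() {
  printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}
# Print "<image-ref> <stage-name|->" for a FROM line; flags like --platform are skipped.
parse_from() {
  printf '%s\n' "$1" | awk '
    toupper($1) == "FROM" {
      ref = ""; name = "-"
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^--/) continue
        if (ref == "") { ref = $i; continue }
        if (toupper($i) == "AS" && i < NF) { name = $(i + 1); break }
      }
      if (ref != "") print ref, name
    }'
}
# Non-zero if any FROM pulls an unpinned external image. References to earlier
# build stages and to "scratch" are not registry pulls and are skipped.
dockerfile_froms_pinned() {
  file=$1; stages=""; failed=0
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $(parse_from "$line")
    [ $# -eq 0 ] && continue
    case " $stages " in *" $1 "*) continue ;; esac
    [ "$1" = "scratch" ] && continue
    if ! base_image_is_pinned "$1"; then
      echo "unpinned base image: $1" >&2; failed=1
    fi
    [ "$2" = "-" ] || stages="$stages $2"
  done < "$file"
  return "$failed"
}
# Build, push unsigned so Anchore can pull and scan it, and sign only after the
# policy evaluation passes; set -e aborts the pipeline at the first failing step.
run_pipeline() {
  image=$1; dockerfile=${2:-Dockerfile}
  dockerfile_froms_pinned "$dockerfile"
  docker build -f "$dockerfile" -t "$image" .
  docker push "$image"
  anchore-cli image add "$image" && anchore-cli image wait "$image"
  anchore-cli evaluate check "$image"
  docker trust sign "$image"
}
```

Signing happens last on purpose: an image signed before it is scanned carries a trust mark for something that has not yet passed policy.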
Those items are a great start to running secure and trusted containerized workloads in your environment. The last step is to implement zero trust networking and allow only trusted applications to communicate on your network, containerized or not. We at Edgewise Networks can help with that and would love to talk about how.