Containers · Term

What is Docker image security?

A container is only as safe as the image it runs. Baked-in secrets, vulnerable packages, and untrusted base images are all attacker footholds. Here is what image security covers and how to get it right.

Containers · TermCloud Penetration Testing
TL;DR

Docker image security is making sure the image a container runs from is trustworthy: free of baked-in secrets, free of known-vulnerable packages, built from a trusted base image, and verified before it runs. Images are layered and immutable, so a secret added in one layer stays recoverable even if a later layer deletes it. Weak image hygiene gives attackers credentials, a vulnerable foothold, or a fully poisoned image. Defenses are scanning, minimal trusted bases, no embedded secrets, and signature verification.

By John Dill, Red Team Lead, SecureLayer7Updated

What image security is

A container image is a stack of read-only layers that together form the filesystem the container runs. Image security is ensuring that stack is safe.

The layered, immutable design has a sharp edge: a file (like a secret) added in one layer is still present in that layer’s history even if a later RUN rm appears to delete it. Anyone with the image can unpack the layers and recover it. Image security is about what goes into those layers and where they come from.

What attackers exploit

Image-level footholds attackers look for:

  • Secrets in layers: API keys, cloud credentials, or private keys baked in during build and recoverable from layer history even if "deleted".
  • Vulnerable packages: outdated OS or app dependencies in the image giving a known exploit.
  • Untrusted or typosquatted base images: a poisoned public base that ships a backdoor or miner.
  • `latest` and unpinned tags: pulling a mutable tag so the running image silently changes.

Documented techniques shown for defenders.

How to defend

  • Never bake secrets into images. Use build-time secret mounts or inject at runtime; scan images for leaked credentials.
  • Scan images for vulnerabilities in CI and block on criticals.
  • Use minimal, trusted base images (distroless or slim) from known registries; pin by digest, not latest.
  • Verify signatures (image signing) and use a trusted internal registry.
  • Rebuild and re-scan regularly so patched packages reach production.

References

  1. [1]Docker docs: Build secrets(Docker)
  2. [2]NIST SP 800-190 Application Container Security Guide(NIST)
  3. [3]MITRE ATT&CK: Containers Matrix(MITRE)
Related terms

Common questions

Container security, asked often

Want your containers and clusters tested for these paths?

Scope an engagement

Find the container escape paths before an attacker does.

We test your Docker hosts and Kubernetes clusters the way a real intruder would, from a compromised pod to the node and the rest of the cluster, then hand your team reproducible evidence and a fix for every step. Free re-test included.

See cloud penetration testing30-min scoping call, fixed-price proposal in 48 hours.