
Dockerfile Security Best Practices: A Complete Guide to Building Secure Docker Images

Docker Security Series – Part 2


As a seasoned system administrator with a passion for technology and problem-solving, I bring 6 years of hands-on experience in managing and maintaining IT infrastructure. My journey in the field began with a deep curiosity for computers and systems, which has evolved into a fulfilling career dedicated to ensuring the smooth operation of critical business systems.

Dockerfile security is a critical part of container security. Even if you use hardened base images, insecure Dockerfile practices can introduce vulnerabilities into your environment.

In this guide, you will learn practical Dockerfile security best practices to build secure, production-ready container images.

What is Dockerfile Security?

Dockerfile security refers to the practices used to reduce vulnerabilities and misconfigurations while building container images.

A secure Dockerfile helps:

  • Reduce attack surface

  • Prevent privilege escalation

  • Avoid leaking sensitive data

  • Ensure consistent and reproducible builds

Why Dockerfile Security Is Important

A poorly written Dockerfile can lead to:

  • Containers running as root

  • Exposure of secrets

  • Inclusion of vulnerable or unnecessary packages

Securing your Dockerfile is the first step toward securing your containers.

1. Use Minimal and Trusted Base Images

Using minimal base images reduces the number of installed packages and potential vulnerabilities.

Avoid:

FROM ubuntu:latest

Use:

FROM node:18.20.2-alpine

Best options:

  • Alpine-based images

  • Official images from trusted registries

  • Distroless images for production

2. Avoid Using the Latest Tag

The latest tag is a moving pointer: two builds of the same Dockerfile can pull different images, so breaking changes or newly introduced vulnerabilities can arrive without any change on your side.

Bad practice:

FROM node:latest

Recommended:

FROM node:18.20.2-alpine

This ensures reproducibility and stability.

3. Run Containers as a Non-Root User

Running containers as root means that any compromised process starts with full privileges inside the container.

RUN adduser -D appuser
USER appuser

The USER instruction applies to all following instructions and to the container's main process, so a compromise of the application is limited to what that unprivileged user can do.

4. Install Only Required Dependencies

Installing unnecessary tools increases the attack surface.

# --no-install-recommends skips optional packages; removing the apt lists keeps them out of the layer
RUN apt-get update && apt-get install -y --no-install-recommends nodejs \
 && rm -rf /var/lib/apt/lists/*

Always remove the package cache in the same RUN instruction that created it, and avoid extra packages.

5. Use Multi-Stage Builds

Multi-stage builds separate build-time and runtime dependencies.

# Build stage: compilers, dev dependencies and source code live only here
FROM node:18 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Runtime stage: only the built output and production dependencies
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY --from=builder /app/dist .
CMD ["node", "app.js"]

This keeps compilers, dev dependencies and source code out of the runtime image, which reduces both its size and its attack surface.

6. Do Not Hardcode Secrets

Avoid storing secrets in Dockerfiles.

ENV API_KEY=123456

A value set with ENV or ARG is stored in the image metadata and build history, so anyone who can pull the image can read it. Inject secrets at runtime from the environment or a secret manager instead; a secret needed only during the build can be mounted with BuildKit's --mount=type=secret on the RUN instruction so it never lands in a layer.

7. Use .dockerignore to Exclude Sensitive Files

Prevent sensitive files from being added to the image:

node_modules
.git
.env
*.log

This improves both security and performance.

8. Set Proper File Permissions

RUN chown -R appuser:appuser /app

Giving the application user ownership of only the files it must write prevents other users in the container from reading or modifying them; files the application only reads can stay owned by root.

9. Prefer COPY Over ADD

COPY . .

COPY only copies files from the build context. ADD can also extract local archives automatically and fetch remote URLs, which makes it easy to pull unintended content into the image.

10. Scan Images for Vulnerabilities

Use tools like Trivy:

trivy image myapp:latest

Scanning helps detect vulnerabilities early in the development cycle.

Secure Dockerfile Example

FROM node:18.20.2-alpine

# Dedicated unprivileged user and group for the application
RUN addgroup -S appgroup && adduser -S appuser -G appgroup

WORKDIR /app

# Install only production dependencies, from the lockfile, so builds are reproducible
COPY package*.json ./
RUN npm ci --omit=dev

# --chown sets ownership at copy time, avoiding a second layer that duplicates every file;
# node_modules stays owned by root and is read-only for appuser
COPY --chown=appuser:appgroup . .

USER appuser

EXPOSE 3000

CMD ["node", "app.js"]
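The following is an added example and not part of the original guide: a small Python checker that applies the rules from sections 2, 3, 4, 6 and 9 (pinned tags, a final non-root USER, apt cache cleanup, no secrets in ENV/ARG, COPY over ADD) to a Dockerfile. The two sample Dockerfiles are constructed to mirror this guide's insecure and secure snippets, and the list of secret-like variable names is an assumption.

```python
import re

# Constructed samples that mirror the insecure and secure snippets in this guide.
INSECURE_DOCKERFILE = """\
FROM node:latest
ENV API_KEY=123456
ADD app.tar.gz /app
RUN apt-get update && apt-get install -y nodejs
CMD ["node", "app.js"]
"""
SECURE_DOCKERFILE = """\
FROM node:18.20.2-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
COPY --chown=appuser:appgroup . /app
USER appuser
CMD ["node", "/app/app.js"]
"""
# Assumed list of variable names that usually carry credentials.
SECRET_NAMES = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)

def parse_instructions(text):
    # Join backslash line continuations, skip blanks and comments, yield (INSTRUCTION, argument).
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def audit_dockerfile(text):
    # Returns a list of findings; an empty list means every check from this guide passed.
    findings, last_user = [], None
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            last_user = None  # every stage starts as root again, so only the final USER counts
            image = arg.split()[0]  # drop any 'AS builder' alias
            name = image.split("/")[-1]
            tag = name.split(":", 1)[1] if ":" in name else None
            if "@" not in image and tag in (None, "latest"):  # digest-pinned images are fine
                findings.append(f"FROM {image}: unpinned or latest tag")
        elif instr == "USER":
            last_user = arg.strip()
        elif instr in ("ENV", "ARG") and SECRET_NAMES.search(arg):
            findings.append(f"{instr} {arg}: possible hard-coded secret (kept in image history)")
        elif instr == "ADD":
            findings.append(f"ADD {arg}: prefer COPY (ADD extracts archives and fetches URLs)")
        elif instr == "RUN" and "apt-get install" in arg and "/var/lib/apt/lists" not in arg:
            findings.append("RUN apt-get install without removing /var/lib/apt/lists")
    if last_user in (None, "root", "0"):
        findings.append("final stage runs as root (no USER instruction)")
    return findings
```

Running audit_dockerfile on the secure sample returns an empty list, while the insecure sample produces one finding per violated rule; point it at your own file with audit_dockerfile(open("Dockerfile").read()) as a quick pre-commit or CI gate.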

Docker Security Series

  • Part 1: Hardened Docker Images

  • Part 2: Dockerfile Security Best Practices

  • Part 3: Scanning Docker Images with Trivy (next)

Conclusion

Dockerfile security is essential for building secure container images. By following these best practices, you can reduce vulnerabilities, enforce least privilege, and create production-ready containers.

Frequently Asked Questions

What is the most important Dockerfile security practice?

Running containers as a non-root user and using minimal base images are among the most critical practices.

Why should I avoid using the latest tag in Docker?

It creates unpredictable builds and may introduce vulnerabilities without notice.

How do I scan Docker images for vulnerabilities?

You can use tools like Trivy to scan images during development and CI/CD pipelines.

Container Security Deep Dive

Part 2 of 4

A practical series focused on securing Docker containers in real-world environments. Learn how to harden images, reduce attack surfaces, manage vulnerabilities, and follow DevSecOps best practices for production-ready systems.
