Are Docker images and containers secure?
This was one of my first questions when I started using Docker. I saw commands pull OS images, saw containers install software, and watched the output as even more software installed and ran inside the various images and containers on my box, with no prompts . . . just installing and installing. It was then that I asked myself, “How do I know whether anyone has put malicious code in here or not? Yikes!”
The answer is, “I don’t!”
We place a tremendous amount of trust in these image hubs, and in package hubs like NuGet and NPM. When working with enterprise applications, we have to be careful we aren’t inadvertently giving someone the keys to the kingdom.
So, I did some Googling and found this article, which walks you through a few things that help you quickly check a Dockerfile, understand what it does, and know what to watch out for. These steps certainly won’t give you absolute certainty; for that, you’d have to inspect ALL the code, and most of us don’t have the time. But the steps he lays out are far better than blindly running images and containers.
Be careful out there . . .