{
    "slug": "container_security",
    "term": "Container Security",
    "category": "devops",
    "difficulty": "intermediate",
    "short": "Security practices for building and running containers — minimal base images, non-root users, read-only filesystems, image scanning, and runtime security controls.",
    "long": "Container security spans the full lifecycle: build (minimal base images, no secrets in layers, multi-stage builds), ship (image scanning for CVEs, signed images), run (non-root user, read-only filesystem, dropped capabilities, seccomp profiles, network policies). Containers share the host kernel — a container escape gives access to the host. PHP containers should run as a non-root user, have no write access to the application directory, and have sensitive directories mounted read-only.",
    "aliases": [
        "Docker security",
        "container hardening",
        "image scanning"
    ],
    "tags": [
        "devops",
        "security",
        "containers",
        "docker"
    ],
    "misconception": "Containers provide strong isolation from the host — in reality containers share the host kernel, so a kernel exploit or a misconfigured container can escape to the host; containers are not VMs.",
    "why_it_matters": "A PHP application compromise in a misconfigured container gives the attacker root inside the container and potentially on the host — container security limits the blast radius.",
    "common_mistakes": [
        "Running containers as root — if the container is compromised, the attacker has root inside it and a far stronger position from which to escape to the host.",
        "Secrets in Dockerfile ENV or image layers — image history exposes them; use secrets management or runtime injection.",
        "Using :latest tags — unpredictable base image changes break reproducibility and introduce unknown vulnerabilities.",
        "Not scanning images for CVEs — vulnerable base images are used in production without awareness."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "containerisation",
        "cloud_security_shared_model",
        "principle_of_least_privilege",
        "php_deployment_pipeline"
    ],
    "prerequisites": [
        "containerisation",
        "docker_multistage",
        "principle_of_least_privilege"
    ],
    "refs": [
        "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"
    ],
    "bad_code": "# Insecure Dockerfile:\nFROM php:latest              # Unpinned, unknown contents\nRUN apt-get install -y curl  # Extra attack surface\nCOPY . /app\nCOPY .env /app/.env          # Secrets in image layer!\nUSER root                    # Running as root\nEXPOSE 80",
    "good_code": "# Hardened Dockerfile:\nFROM php:8.3.4-fpm-alpine AS runtime  # Pinned tag, minimal base (pin by digest for full immutability)\nRUN addgroup -g 1001 app && adduser -D -u 1001 -G app app\nWORKDIR /app\n\n# Copy only production files, no secrets:\nCOPY --chown=app:app src/ ./src/\nCOPY --chown=app:app vendor/ ./vendor/\n\nUSER app  # Non-root\nEXPOSE 9000\n# Secrets injected at runtime via env vars or secrets manager",
    "quick_fix": "Run PHP-FPM as a non-root user (USER www-data), use a read-only filesystem, drop all capabilities (add back NET_BIND_SERVICE only if the process must bind a port below 1024), and scan images weekly with Trivy.",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/container_security",
        "html_url": "https://codeclaritylab.com/glossary/container_security",
        "json_url": "https://codeclaritylab.com/glossary/container_security.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Container Security](https://codeclaritylab.com/glossary/container_security) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/container_security"
            }
        }
    }
}