Secrets Management, Dependencies, and Security in CI/CD
Lesson 6.5
Docker and container security basics for developers
non-root container user, minimal base images, .dockerignore, read-only filesystem, environment variable injection, no secrets in Dockerfile, image scanning with Trivy
Container Security Basics
Containers reduce attack surface but introduce their own risks. Most container vulnerabilities come from overly permissive configurations that can be fixed in the Dockerfile.
Secure Dockerfile Pattern
# Use minimal base image — fewer packages = smaller attack surface
FROM node:20-alpine
# Create non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
# Copy package files first for layer caching
COPY package*.json ./
RUN npm ci --only=production
# Copy application code
COPY src/ ./src/
# Switch to non-root user — never run as root in production
USER appuser
EXPOSE 3000
CMD ["node", "src/index.js"]

.dockerignore — Prevent Secret Leakage
.env
.env.*
.git
node_modules
*.log
*.pem
*.key
README.md
docs/

Scanning Images for Vulnerabilities
# Trivy scans your image for CVEs in OS packages and npm deps
docker build -t myapp .
trivy image myapp
# In GitHub Actions (indentation matters: the step fails to parse without it)
- name: Scan Docker image
  # Pin to a release tag or commit SHA before relying on this; @master moves
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: myapp:latest
    exit-code: '1'
    severity: 'HIGH,CRITICAL'

Never Bake Secrets into Images
Secrets written into a Dockerfile (ENV SECRET=..., or a COPY of a .env or key file) are stored in the image layers and show up in the image history (docker history). Deleting the file in a later layer does not help, because the earlier layer still contains it. Pass secrets at runtime instead, via environment variables (docker run -e SECRET=$VALUE) or a secrets manager.
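The checks above (minimal base image, non-root USER, nothing secret-like in ENV/ARG, no key material copied in, and a .dockerignore that excludes .env/.git/*.pem/*.key) can be enforced before a build ever runs. The following linter is an added example, not part of the lesson or of any Docker tooling; its secret-name regex, its list of "minimal" base-image hints and the two sample Dockerfiles are assumptions constructed for illustration.

```python
import re

# Heuristics for this example (assumptions, not a standard): credential-like names, minimal-base tags, the lesson's ignore list.
SECRET_NAME = re.compile(r"SECRET|PASSW(OR)?D|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
MINIMAL_HINTS = ("alpine", "slim", "distroless", "scratch")
REQUIRED_IGNORES = {".env", ".env.*", ".git", "*.pem", "*.key"}

def instructions(dockerfile: str):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations and skipping comments."""
    for raw in re.sub(r"\\\r?\n", " ", dockerfile).splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def lint_dockerfile(dockerfile: str) -> list[str]:
    """One finding per anti-pattern: fat base image, baked-in secret, copied key material, root at runtime."""
    findings, user = [], "root"                 # without a USER instruction the process runs as root
    for instr, arg in instructions(dockerfile):
        if instr == "FROM":
            image = arg.split()[0]              # drop any "AS <stage>"
            user = "root"                       # each stage restarts from the base image's default user
            if not any(hint in image for hint in MINIMAL_HINTS):
                findings.append(f"FROM {image}: not a minimal base image")
        elif instr in ("ENV", "ARG") and SECRET_NAME.search(arg):
            findings.append(f"{instr} {arg.replace('=', ' ').split()[0]}: secret-like value baked into a layer")
        elif instr in ("COPY", "ADD"):
            for src in arg.split()[:-1]:        # the last token is the destination
                if re.search(r"\.env\b|\.(pem|key)$", src):
                    findings.append(f"{instr} {src}: key material copied into the image")
        elif instr == "USER":
            user = arg.split(":")[0]            # USER may be "name:group" or a numeric uid
    if user in ("root", "0"):
        findings.append("final USER is root: the container process runs as root")
    return findings

def lint_dockerignore(dockerignore: str) -> list[str]:
    """Return the lesson's recommended .dockerignore patterns that are missing (exact match)."""
    present = {l.strip() for l in dockerignore.splitlines() if l.strip() and not l.startswith("#")}
    return sorted(REQUIRED_IGNORES - present)
# Constructed "before" Dockerfile with the anti-patterns the lesson warns about.
BAD_DOCKERFILE = """\
FROM node:20
ENV API_KEY=sk-live-example-not-real
COPY .env server.key /app/
"""
# Constructed "after" Dockerfile following the lesson's secure pattern.
GOOD_DOCKERFILE = """\
FROM node:20-alpine
COPY src/ ./src/
USER appuser
"""
```

Running lint_dockerfile on the two samples yields five findings for the first and none for the second; lint_dockerignore on the lesson's own .dockerignore reports nothing missing.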
