Security & Compliance Standards

Audience: DevOps engineers, security teams, contributors, auditors

WHAT

Comprehensive documentation of security standards and compliance requirements for Docker containers and Shell/Bash scripts implemented in the DCK project.

WHY

Centralised standards documentation ensures every contributor understands and can validate the security posture of the project.

HOW

Docker Standards

CIS Docker Benchmark

  • Purpose: Security hardening guidelines
  • Controls: 52 security controls
  • Coverage: 23 build-time, 28 runtime, 1 excluded
  • Focus: Container security configuration

OWASP Container Security

  • Purpose: Top 10 container security risks
  • Risks Mitigated: 8/10 fully, 2/10 runtime
  • Focus: Vulnerability prevention
  • Scope: Application security in containers

Docker Official Images

  • Purpose: Quality and maintainability standards
  • Requirements: 15 standards
  • Coverage: 15/15 fully implemented
  • Focus: Production-ready images

Shell/Bash Standards

Bash Security Guidelines

  • Purpose: Shell script security best practices
  • Controls: 10 security categories
  • Coverage: Command injection, path security, input validation
  • Focus: Secure shell scripting

ShellCheck Rules

  • Purpose: Static analysis and code quality
  • Rules: 224 total rules across 4 severity levels
  • Coverage: Errors, warnings, info, style
  • Focus: Bug prevention and best practices

POSIX Shell Compliance

  • Purpose: Cross-platform shell compatibility
  • Standards: POSIX.1-2017 compliance
  • Coverage: Portable shell features and syntax
  • Focus: Universal Unix compatibility

Bash Style Guide

  • Purpose: Coding standards and conventions
  • Based on: Google Shell Style Guide
  • Coverage: Naming, formatting, error handling
  • Focus: Maintainable and readable code

Quick Compliance Matrix

Docker Standards

| Standard | Compliance | Build-time | Runtime | Documentation |
|----------|------------|------------|---------|---------------|
| CIS Docker Benchmark | 85% | ✅ 23/24 | ⚠️ 28/28 | View |
| OWASP Container Top 10 | 80% | ✅ 8/10 | ⚠️ 2/10 | View |
| Docker Official Images | 100% | ✅ 15/15 | N/A | View |

Shell/Bash Standards

| Standard | Compliance | Critical | Warnings | Documentation |
|----------|------------|----------|----------|---------------|
| Bash Security | 100% | ✅ 10/10 | N/A | View |
| ShellCheck Rules | 95% | ✅ 45/45 | ⚠️ 85/89 | View |
| POSIX Compliance | 70% | ⚠️ Bash-specific | ⚠️ Arrays used | View |
| Style Guide | 90% | ✅ Consistent | ⚠️ Line length | View |

Implementation Summary

Fully Implemented (46 Controls)

  • Non-root user enforcement
  • Health check monitoring
  • Version pinning (base + packages)
  • Vulnerability scanning (3 tools)
  • Minimal attack surface
  • No hardcoded secrets
  • Build reproducibility
  • Multi-variant images
  • Comprehensive documentation

Runtime Configuration (30 Controls)

  • Resource limits (memory, CPU, PIDs)
  • Security options (AppArmor, SELinux)
  • Network segmentation
  • Read-only filesystem
  • Capability restrictions
  • TLS/encryption

Metrics

  • Total Standards: 3 major frameworks
  • Total Controls: 77 security controls
  • Build-time Controls: 46 (100% implemented)
  • Runtime Controls: 30 (configuration required)
  • Excluded Controls: 1 (sudo in containers)

Usage Examples

Maximum Security Configuration

Combining all three standards for maximum security:

docker run \
  --rm \
  --name secure-dck \
  --read-only \
  --tmpfs /tmp:noexec,nosuid,size=100m \
  --security-opt=no-new-privileges:true \
  --security-opt apparmor=docker-default \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --memory=512m \
  --memory-reservation=256m \
  --memory-swap=512m \
  --cpus=1 \
  --cpu-shares=512 \
  --pids-limit=100 \
  --ulimit nofile=1024:2048 \
  --user=1000:1000 \
  --restart=on-failure:5 \
  --network=isolated \
  --health-cmd="dck version" \
  --health-interval=30s \
  --health-timeout=3s \
  --health-retries=3 \
  dck:minimal

Development Configuration

Balanced security for development:

docker run \
  --rm \
  -it \
  --user=1000:1000 \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE,SYS_PTRACE \
  --memory=1g \
  --cpus=2 \
  dck:latest

CI/CD Configuration

For automated testing:

docker run \
  --rm \
  --user=1000:1000 \
  --cap-drop=ALL \
  --memory=2g \
  --cpus=2 \
  --pids-limit=200 \
  --read-only \
  --tmpfs /tmp \
  dck:multistage test

Validation Tools

Automated Compliance Checking

# CIS Docker Benchmark
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  docker/docker-bench-security

# OWASP Dependency Check (quote $(pwd) so paths with spaces mount correctly)
docker run --rm \
  -v "$(pwd)":/src \
  owasp/dependency-check \
  --scan /src --format ALL

# Trivy Security Scan
trivy image --severity HIGH,CRITICAL dck:minimal

# Docker Scout
docker scout cves --only-severity critical,high dck:minimal

Manual Verification

# Verify non-root user
docker run --rm dck:minimal whoami
# Expected: dck

# Check for sudo
docker run --rm dck:minimal which sudo
# Expected: sudo: not found (in production)

# Verify health check
docker inspect dck:minimal | jq '.[0].Config.Healthcheck'
# Expected: Health check configuration

# Check image size (Go template placeholders restored; the templating engine had stripped them)
docker images dck --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}"
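The manual checks above inspect one property at a time. As an added example (not part of the DCK project), the following Python checker reads `docker inspect` output and reports which of the runtime controls from the Maximum Security Configuration are missing; the sample record is constructed to mirror those flags, and the field names used are the standard `docker inspect` ones.

```python
"""Check a `docker inspect` record against the runtime controls this page
expects: non-root user, read-only rootfs, cap-drop ALL, allow-listed cap-add,
no-new-privileges, AppArmor profile, memory/CPU/PID limits, health check."""
import json

# Constructed sample: the shape `docker inspect <container>` returns,
# trimmed to the fields the checks below use (mirrors the dck:minimal run).
SAMPLE_INSPECT = json.dumps([{
    "Config": {"User": "1000:1000",
               "Healthcheck": {"Test": ["CMD-SHELL", "dck version"]}},
    "HostConfig": {
        "ReadonlyRootfs": True,
        "CapDrop": ["ALL"],
        "CapAdd": ["NET_BIND_SERVICE"],
        "SecurityOpt": ["no-new-privileges:true", "apparmor=docker-default"],
        "Memory": 536870912, "NanoCpus": 1000000000, "PidsLimit": 100,
    },
}])


def check_runtime_controls(inspect_json, allowed_caps=("NET_BIND_SERVICE",)):
    """Return {control name: passed?} for the first record in the JSON."""
    rec = json.loads(inspect_json)[0]
    cfg, host = rec.get("Config") or {}, rec.get("HostConfig") or {}
    uid = (cfg.get("User") or "").split(":")[0]
    caps_added = set(host.get("CapAdd") or [])
    sec = set(host.get("SecurityOpt") or [])
    return {
        "non_root_user": bool(uid) and uid not in ("0", "root"),
        "read_only_rootfs": host.get("ReadonlyRootfs") is True,
        "cap_drop_all": "ALL" in (host.get("CapDrop") or []),
        "cap_add_allowlisted": caps_added <= set(allowed_caps),
        "no_new_privileges": bool(sec & {"no-new-privileges", "no-new-privileges:true"}),
        "apparmor_profile": any(s.startswith("apparmor=") for s in sec),
        "memory_limited": (host.get("Memory") or 0) > 0,      # 0 means unlimited
        "cpu_limited": (host.get("NanoCpus") or 0) > 0,
        "pids_limited": (host.get("PidsLimit") or 0) > 0,     # None/0 means unlimited
        "healthcheck_present": bool((cfg.get("Healthcheck") or {}).get("Test")),
    }


def failing_controls(inspect_json, **kw):
    """Sorted list of control names that did not pass."""
    return sorted(k for k, ok in check_runtime_controls(inspect_json, **kw).items() if not ok)


if __name__ == "__main__":
    # Real use: feed it subprocess.check_output(["docker", "inspect", name]).
    for name, ok in check_runtime_controls(SAMPLE_INSPECT).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Running the same check against the Development Configuration (which adds SYS_PTRACE and drops `--read-only`) is what turns the ⚠️ runtime entries in the compliance matrix into concrete findings.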

Continuous Compliance

GitHub Actions Integration

All three standards are validated automatically:

  1. On Push: Dockerfile linting (Hadolint)
  2. On PR: Security scanning (Trivy, Scout)
  3. Weekly: Full compliance audit
  4. On Release: Official image standards check

Local Development

# Pre-commit hooks
pre-commit install

# Run all checks
make docker-security-check

# Generate compliance report
make compliance-report
