OWASP Container Security Top 10
Audience: Security teams, DevOps engineers, auditors
WHAT
Mapping of OWASP Container Security Top 10 risks to DockerKit’s mitigations and implementation status.
WHY
OWASP provides the definitive risk taxonomy for container security. Documenting mitigations demonstrates compliance and identifies residual risk.
HOW
Top 10 Container Security Risks
1. D01: Insecure Container Images ✅
Risk: Using vulnerable, outdated, or malicious base images
Mitigation Implemented:
- ✅ Official Alpine Linux base images only
- ✅ Pinned specific versions (
alpine:3.19.1) - ✅ Regular security scanning with Trivy and Docker Scout
- ✅ Automated vulnerability detection in CI/CD
Best Practices:
# Good - Specific version from trusted source
FROM alpine:3.19.1
# Bad - Floating tags
FROM alpine:latest
FROM untrusted/image
2. D02: Excessive Container Privileges ✅
Risk: Containers running with unnecessary privileges
Mitigation Implemented:
- ✅ Non-root user (
dckwith UID 1000) - ✅ No sudo in production images
- ✅ No privileged operations
- ✅ Capability dropping supported
Implementation:
# Create non-root user
RUN addgroup -g 1000 dck && \
adduser -D -u 1000 -G dck dck
# Switch to non-root
USER dck
# Runtime enforcement
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE dck:minimal
3. D03: Unpatched Operating System & Kernel ✅
Risk: Known vulnerabilities in OS packages
Mitigation Implemented:
- ✅ All packages version-pinned
- ✅ Minimal package installation
- ✅ Regular rebuild triggers in CI/CD
- ✅ Automated security updates workflow
Package Management:
# Pinned versions for reproducibility
RUN apk add --no-cache \
bash=5.2.21-r0 \
curl=8.12.1-r0 \
jq=1.7.1-r0 \
&& rm -rf /var/cache/apk/*
4. D04: Exposed Secrets and Sensitive Data ✅
Risk: Hardcoded credentials, API keys, certificates
Mitigation Implemented:
- ✅ No secrets in Dockerfiles
- ✅ No environment variables with secrets
- ✅ .dockerignore excludes sensitive files
- ✅ Runtime secret injection supported
Secret Management:
# Good - Runtime injection
docker run -e API_KEY="${API_KEY}" dck:minimal
# Bad - Hardcoded in Dockerfile
ENV API_KEY="secret123" # NEVER DO THIS
5. D05: Unencrypted Network Traffic ⚠️
Risk: Container communication without TLS
Mitigation Level: Runtime Configuration
- ⚠️ TLS must be configured at runtime
- ✅ No plain HTTP endpoints exposed
- ✅ Certificate management supported
Runtime Protection:
# Use Docker networks with encryption
docker network create --opt encrypted=true secure-net
docker run --network=secure-net dck:minimal
6. D06: Unrestricted Resource Consumption ✅
Risk: Container resource exhaustion attacks
Mitigation Implemented:
- ✅ HEALTHCHECK for monitoring
- ✅ Support for resource limits
- ✅ No resource-intensive operations
Resource Limits:
docker run \
--memory=512m \
--memory-reservation=256m \
--cpus=1 \
--pids-limit=100 \
dck:minimal
7. D07: Large Attack Surface ✅
Risk: Unnecessary software increasing vulnerability exposure
Mitigation Implemented:
- ✅ Multiple image variants (minimal, distroless)
- ✅ No unnecessary packages
- ✅ Distroless option (3.26MB)
- ✅ No package managers in production variants
Image Comparison: | Variant | Size | Attack Surface | |———|——|—————-| | Original | 108MB | Standard | | Minimal | 30.4MB | Reduced | | Distroless | 3.26MB | Minimal |
8. D08: Missing Network Segmentation ⚠️
Risk: Unrestricted container-to-container communication
Mitigation Level: Runtime Configuration
- ⚠️ Network policies at orchestrator level
- ✅ No unnecessary network exposure
- ✅ Support for isolated networks
Network Isolation:
# Create isolated networks
docker network create frontend
docker network create backend
docker run --network=backend dck:minimal
9. D09: Unmonitored Container Activity ✅
Risk: No visibility into container behavior
Mitigation Implemented:
- ✅ HEALTHCHECK endpoints
- ✅ Structured logging support
- ✅ Metrics exportable
- ✅ Audit trail capability
Monitoring:
HEALTHCHECK --interval=30s --timeout=3s \
CMD dck version || exit 1
10. D10: Unsafe Defaults and Misconfigurations ✅
Risk: Insecure default settings
Mitigation Implemented:
- ✅ Secure defaults enforced
- ✅ Non-root by default
- ✅ No open ports by default
- ✅ Minimal permissions
- ✅ Documentation of secure usage
Secure Defaults:
# All secure by default
USER dck # Non-root
WORKDIR /opt/dck # Defined workspace
ENV PATH="/opt/dck:$PATH" # Controlled PATH
# No EXPOSE # No open ports
Compliance Matrix
| OWASP Risk | Severity | DCK Status | Implementation |
|---|---|---|---|
| D01: Insecure Images | Critical | ✅ Fixed | Trusted bases, scanning |
| D02: Excessive Privileges | Critical | ✅ Fixed | Non-root user |
| D03: Unpatched OS | High | ✅ Fixed | Version pinning |
| D04: Exposed Secrets | Critical | ✅ Fixed | No hardcoded secrets |
| D05: Unencrypted Traffic | High | ⚠️ Runtime | TLS configuration |
| D06: Resource Exhaustion | Medium | ✅ Fixed | Health checks, limits |
| D07: Large Attack Surface | High | ✅ Fixed | Minimal images |
| D08: Network Segmentation | Medium | ⚠️ Runtime | Network policies |
| D09: Unmonitored Activity | Medium | ✅ Fixed | Health checks, logging |
| D10: Unsafe Defaults | High | ✅ Fixed | Secure by default |
Security Scanning Commands
Vulnerability Scanning
# Trivy scan
trivy image dck:minimal
# Docker Scout
docker scout cves dck:minimal
# Snyk scan
snyk container test dck:minimal
# Grype scan
grype dck:minimal
Runtime Security
# Run with full OWASP protections
docker run \
--rm \
--read-only \
--security-opt=no-new-privileges:true \
--cap-drop=ALL \
--memory=512m \
--pids-limit=100 \
--user=1000:1000 \
dck:minimal
Continuous Security
GitHub Actions Integration
- name: Container Security Scan
uses: aquasecurity/trivy-action@master
with:
image-ref: dck:$
severity: 'CRITICAL,HIGH'
exit-code: '1'