* [Docker Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
* [Dockerfile Security Best Practices](https://cloudberry.engineering/article/dockerfile-security-best-practices/)
* [Top 20 Dockerfile best practices](https://sysdig.com/blog/dockerfile-best-practices/)
**Bonus1:** Do not forget to use [distroless/static:nonroot](https://github.com/GoogleContainerTools/distroless) images, if possible.
**Bonus2:** I did small search to check whether this opened before. And just found this post: [What are your Dockerfile best practices? And which ones are harder to implement?](https://www.reddit.com/r/docker/comments/m1bcv3/what_are_your_dockerfile_best_practices_and_which/) by [/u/capitangolo](https://www.reddit.com/user/capitangolo/)[OWASP® Foundation](https://owasp.org/) creates some cool [cheatsheet series](https://cheatsheetseries.owasp.org).
4 thoughts on “Docker & Dockerfile Security Cheat Sheet”
Thanks, this is a great set of bookmarks for reference.
One question – I understand */var/run/docker.sock* should never be exposed in a docker run or compose file. However, container management tools like Portainer need this to function.
So the only solution to this is to assume the additional risk and enable access?
Some plug for my own work for some practical step-by-step tutorials for devs to follow:
1. [10 best practices to containerize Node.js web applications with Docker](https://snyk.io/blog/10-best-practices-to-containerize-nodejs-web-applications-with-docker/)
2. [10 Docker Security Best Practices](https://snyk.io/blog/10-docker-image-security-best-practices/)
3. [Docker for Java developers: 5 things you need to know not to fail your security](https://snyk.io/blog/docker-for-java-developers/)