Docker: Best Practises

https://sysdig.com/blog/dockerfile-best-practices/

How “It works in my machine” turns “It works in my container”?

Please read the above article to avoid

“It works on my machine” turns to “it works in my container”

1. Avoid unnecessary privileges.
2. Avoid running containers as root.
3. Don’t bind to a specific UID.
4. Make executables owned by root and not writable.
5. Reduce attack surface.
6. Leverage multistage builds.
7. Use distroless images, or build your own from scratch.
8. Update your images frequently.
9. Watch out for exposed ports.
10. Prevent confidential data leaks.
11. Never put secrets or credentials in Dockerfile instructions.
12. Prefer COPY over ADD.
13. Be aware of the Docker context, and use .dockerignore.
14. Others.
15. Reduce the number of layers, and order them intelligently.
16. Add metadata and labels.
17. Leverage linters to automatize checks.
18. Scan your images locally during development.
19. Beyond image building.
20. Protect the docker socket and TCP connections.
21. Sign your images, and verify them on runtime.
22. Avoid tag mutability.
23. Don’t run your environment as root.
24. Include a health check.
25. Restrict your application capabilities.