No. 5 is IMO of limited use because the base system is Debian stable (currently bookworm-slim), where freezing a particular version looks like overkill or may even prevent bugfixes.
Nos. 6 and 7 are currently met (but may need to be checked in actual projects based on py4docker).
https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
[Fragment of the original text; only the Docker run flags it mentioned are recoverable: --read-only --tmpfs /tmp, --no-new-privileges, --icc=false (see OWASP)]