mfhepp / py4docker

Template for running Python 3.x shell scripts and notebooks in a Docker container for isolation, security, and portability
MIT License

Add OWASP best-practices #2

Closed mfhepp closed 1 year ago

mfhepp commented 1 year ago

https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html

  1. read-only filesystem (but we likely need /tmp), so --read-only --tmpfs /tmp
  2. drop Linux kernel capabilities
  3. Prevent adding new ones via --no-new-privileges flag.
  4. Disable inter-container communication (--icc=false), see OWASP
  5. Ensure that OS packages versions are pinned (from OWASP)
  6. Avoid the use of ADD in favor of COPY (from OWASP)
  7. Avoid curl bashing in RUN directives (from OWASP)
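The checklist above, turned into something runnable. This is an added example, not code from the py4docker repository: one function emits the `docker run` flags for items 1 to 3, and a small linter checks a Dockerfile for items 5 to 7. The sample Dockerfile is constructed for the demo, and the image name in the comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not part of py4docker): hardened `docker run` flags for
# items 1-3 of the OWASP checklist, plus a Dockerfile lint for items 5-7.
set -u

# Item 1: read-only root fs with a writable tmpfs on /tmp.
# Item 2: drop every Linux capability.
# Item 3: block privilege escalation through setuid/setgid binaries.
# Item 4 (--icc=false) is a dockerd daemon option, not a `docker run`
# flag, so it is not part of this string.
hardened_run_flags() {
    printf '%s' "--read-only --tmpfs /tmp --cap-drop=ALL --security-opt=no-new-privileges"
}
# Usage (placeholder image name):
#   docker run --rm $(hardened_run_flags) py4docker-image:latest python script.py

# Lint a Dockerfile read from stdin: one finding per line on stdout,
# exit status 0 when clean, 1 when anything was flagged.
lint_dockerfile() {
    findings=0
    while IFS= read -r line; do
        case "$line" in                         # item 6: ADD instead of COPY
            ADD\ *|add\ *) echo "ADD used, prefer COPY: $line"; findings=$((findings+1)) ;;
        esac
        case "$line" in                         # item 7: curl/wget piped into a shell
            *curl*"|"*sh*|*wget*"|"*sh*) echo "download piped to a shell: $line"; findings=$((findings+1)) ;;
        esac
        case "$line" in                         # item 5: package install without a version pin
            *apt-get\ install*|*apk\ add*|*pip\ install*)
                case "$line" in
                    *=*) ;;                     # crude check: pkg=1.2.3 or pkg==1.2.3 present
                    *) echo "unpinned package install: $line"; findings=$((findings+1)) ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Number of findings for the Dockerfile text passed as $1 (normalises wc output).
count_findings() {
    n=$(printf '%s\n' "$1" | lint_dockerfile | wc -l)
    echo $((n))
}

# Constructed sample Dockerfile: three of its six lines violate the checklist.
SAMPLE_DOCKERFILE='FROM python:3.11-slim
RUN apt-get update && apt-get install -y curl
RUN curl -sSL https://example.invalid/install.sh | bash
ADD app.tar.gz /app
COPY requirements.txt /app/
RUN pip install --no-cache-dir numpy==1.26.4'

printf '%s\n' "$SAMPLE_DOCKERFILE" | lint_dockerfile || echo "Dockerfile needs fixes"
```

The pin check only looks for an `=` on the install line, so a `pip install -r requirements.txt` line is reported even when the requirements file itself is pinned.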
mfhepp commented 1 year ago