What are Docker container security best practices?hard
Answer
Use minimal base images, run as a non-root user, scan images for CVEs, never bake secrets into images, and set read-only filesystems where possible.
Explanation
Key practices: USER appuser prevents root escalation. --read-only flags prevent filesystem writes. Use distroless or Alpine base images to minimize attack surface. Secrets go in environment variables at runtime (from a secrets manager) - never in the Dockerfile or image. Scan with Trivy or Snyk in CI. Set resource limits ( --memory , --cpus ) to prevent container escape through resource exhaustion.
Follow-upWhat is a container escape and how do you prevent it?