Secure Development & DevSecOps

Container Image Hardening

  • May 9, 2025
  • 0

Sherlocked Security – Container Image Hardening

Minimize Attack Surface and Enforce Secure Baselines for Containerized Workloads

1. Statement of Work (SOW)

Service Name: Container Image Hardening
Client Type: Kubernetes-Driven Orgs, DevSecOps Teams, Cloud-Native Workloads
Service Model: Image Security Review + Base Image Audit + Runtime Configuration Validation
Compliance Coverage: CIS Docker/Kubernetes Benchmarks, NIST 800-190, PCI-DSS, SOC 2, ISO 27001

Assessment Types:

  • Container Image Layer Analysis
  • Base Image and Build Stage Hardening
  • Vulnerability Scanning (CVEs, malware, secrets)
  • Runtime Behavior Validation (User, Capabilities, File Access)
  • Best Practices Compliance (Multi-Stage, SBOM, Signing)

2. Our Approach

[Image Discovery] → [Layer & Base OS Analysis] → [Dependency & Binary Scan] → [Misconfig Detection] → [Runtime Risk Evaluation] → [Secure Rebuild Suggestions] → [Optional Revalidation]

3. Methodology

[Registry & Source Review] → [Dockerfile Analysis] → [Image Scan (SAST+Vuln)] → [User & Runtime Permissions Audit] → [File System & Script Inspection] → [Report Generation]

4. Deliverables to the Client

  1. Image Hardening and Security Audit Report
  2. Base Image Risk and Misconfiguration Summary
  3. CVE and Malware Scan Results (Runtime + Static)
  4. Dockerfile/Docker Build Recommendations
  5. SBOM and Software Dependency Report
  6. Secure Image Build Templates (Multi-Stage, Minimal Base)
  7. Revalidation Report (Post Fixes)

5. What We Need from You (Client Requirements)

  • Access to container images or registry (DockerHub, ECR, GCR, Artifactory, etc.)
  • Dockerfiles or build pipelines used to create images
  • Information about the runtime environment (K8s, ECS, Nomad, etc.)
  • Service-specific roles or secrets used by containers
  • Scope of critical workloads (prod, staging, dev)
  • NDA and scope confirmation

6. Tools & Technology Stack

  • Static Scanners: Trivy, Grype, Syft, Dockle
  • SBOM & Signing: Cosign, Syft, Notary, Sigstore
  • Dockerfile Linters: Hadolint, Container Structure Test
  • File & Binary Analyzers: Binwalk, ClamAV, YARA
  • Custom Scripts for Shell & Cron Audits
  • Runtime Hardening: seccomp, AppArmor, SELinux profiles

7. Engagement Lifecycle

1. Kickoff & Image Collection → 2. Image Layer Decomposition → 3. Static + Runtime Analysis → 4. Findings Report → 5. Hardened Dockerfile Suggestions → 6. Retest & Sign-off

8. Why Sherlocked Security?

Feature Sherlocked Advantage
Full Image Decomp & Binary Analysis Each layer is analyzed down to binaries, libraries, and shell code
Base Image Origin Tracing Identifies outdated, unsigned, or unknown base image sources
Runtime Misconfig Detection Validates UID, filesystem, caps, and process behaviors
SBOM and Dependency Bill Generation Supply chain visibility and verification
Hardened Dockerfile Templates Rebuild-ready secure baselines for dev/infra teams

9. Real-World Case Studies

Crypto Mining Backdoor in Base Image

Issue: Public base image had cronjob linked to crypto wallet miner.
Impact: Containers ran background mining across nodes.
Fix: Switched to distroless base, signed image policy, and SBOM validation.

Privileged Image Running as Root

Issue: App container ran as root with full capabilities in Kubernetes cluster.
Impact: Exploitable CVE allowed host escape and root takeover.
Fix: Added non-root user, removed unneeded tools, used seccomp profile and read-only FS.

10. SOP – Standard Operating Procedure

  1. Retrieve Container Image(s) and Build Context
  2. Perform Image Decomposition (Layer by Layer)
  3. Analyze Base Image Origin, Signatures, and CVEs
  4. Scan for Malware, Secrets, Shell Scripts, and Cronjobs
  5. Audit User Privileges, File Permissions, and Binaries
  6. Review Dockerfile Against Best Practices
  7. Generate SBOM and Verify Against Allowed Packages
  8. Provide Hardened Build Templates and Report
  9. Optional Revalidation After Fixes

11. Container Image Hardening Checklist

1. Base Image Review

  • Use minimal base images (alpine, distroless, scratch)
  • Validate image source, verify signature or SHA digest
  • Avoid using latest tags in FROM statements
  • Strip unnecessary dependencies and OS packages
  • Enforce reproducible builds and image digests

2. Dockerfile Hardening

  • Implement multi-stage builds to exclude build-time dependencies
  • Use USER directive to run as non-root
  • Avoid copying sensitive files (e.g., .env, credentials)
  • Minimize RUN commands that install unverified packages
  • Use .dockerignore to avoid leaking local config, Git files, SSH keys

3. Binary & Script Analysis

  • Audit custom binaries for hardcoded secrets or debug output
  • Analyze entrypoint scripts for unsafe operations (e.g., eval, curl|bash)
  • Search for embedded cron jobs, malware indicators (YARA, ClamAV)
  • Inspect included interpreters (e.g., Python, Node) for unnecessary modules

4. Secrets & Sensitive Data

  • Scan for API keys, tokens, passwords, and private keys
  • Ensure secrets are injected at runtime, not embedded in the image
  • Use external secrets management systems (Vault, KMS, SealedSecrets)
  • Remove shell history, bashrc, SSH keys, and .git folders from images

5. Permissions & User Controls

  • Use non-root user with reduced privileges (USER in Dockerfile)
  • Drop unneeded Linux capabilities (e.g., CAP_SYS_ADMIN)
  • Mount read-only root filesystems where possible
  • Enforce seccomp and AppArmor/SELinux policies
  • Disable privilege escalation using Kubernetes PSP/OPA/Admission Controllers

6. Dependency & Vulnerability Scanning

  • Run Trivy/Grype scans for OS packages, libraries, CVEs
  • Monitor CVE feeds and enable automatic scanning in CI/CD
  • Pin versions of dependencies and avoid unverified downloads
  • Remove package managers (e.g., apk, apt) in final image stages
  • Maintain SBOM for each image and validate in pipeline

7. Build & Supply Chain Integrity

  • Sign container images using Cosign or Notary
  • Use CI/CD pipeline enforcement for SBOM + signature checks
  • Prevent usage of unsigned or third-party images in production
  • Configure admission control to block unverified or mutable image tags

8. Logging & Monitoring Readiness

  • Enable stdout/stderr logging for containerized apps
  • Avoid logging sensitive data or debug secrets
  • Integrate image scanning into CI/CD (GitHub Actions, GitLab CI, Jenkins)
  • Monitor runtime behavior for anomalies via Falco, Sysdig, or eBPF tools

9. Reporting & Secure Templates

  • Provide Dockerfile diffs with hardened instructions
  • List of removed/retained packages with justifications
  • Recommendations for runtime config (entrypoint, volume, user)
  • Hardened templates and CI/CD integration hooks for future builds
DevSecOps Maturity Assessment
CI-CD Pipeline Security (Build Test Deploy)