Containers are not magically secure. Vulnerable base images, processes running as root, secrets passed in environment variables: these are the common mistakes.
## Image scanning

### Trivy

```bash
trivy image myapp:latest
trivy image --severity HIGH,CRITICAL nginx:latest
```

For a pipeline gate, add `--exit-code 1` so the step fails when findings remain, and `--ignore-unfixed` to drop vulnerabilities for which no patched package exists yet.
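Trivy's own flags cover the usual gate, but when the policy has to live outside Trivy (for example a different threshold per target, or reporting into another system), the JSON report is the interface. The following is an added example, not code from the page or from Trivy: it reads the report written by `trivy image --format json --output report.json myapp:latest` and applies a severity policy. The embedded report is a constructed sample in that layout, and the `EXAMPLE-000x` IDs are placeholders rather than real advisories; the `--ignore-unfixed` flag below belongs to this script and only borrows Trivy's name.

```python
"""Gate CI on a Trivy JSON report.

Added example, not part of the original page and not Trivy code. It reads the
report that `trivy image --format json --output report.json myapp:latest`
writes and applies a severity policy. SAMPLE_REPORT is a constructed sample
in that layout; the EXAMPLE-000x IDs are placeholders, not real advisories.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: only the report fields this script reads are included.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myapp:latest",
    "Results": [
        {"Target": "myapp:latest (alpine 3.19.1)", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libssl3",
              "InstalledVersion": "3.1.4-r0", "FixedVersion": "3.1.4-r1", "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.1-r15", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "zlib",
              "InstalledVersion": "1.3-r2", "FixedVersion": "1.3.1-r0", "Severity": "LOW"}]},
        {"Target": "app/package-lock.json", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "HIGH"}]},
        # A target without findings carries no "Vulnerabilities" key at all.
        {"Target": "app/", "Type": "npm"},
    ],
})


def findings(report_json, min_severity="HIGH", fixable_only=False):
    """Return (target, id, package, severity, fixed_version) tuples at or above
    min_severity, in report order. With fixable_only, drop entries that have
    no FixedVersion (the equivalent of Trivy's --ignore-unfixed)."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            fixed = v.get("FixedVersion", "")
            if fixable_only and not fixed:
                continue
            out.append((result["Target"], v["VulnerabilityID"], v["PkgName"], sev, fixed))
    return out


def gate(report_json, min_severity="HIGH", fixable_only=False):
    """Print the blocking findings and return the CI exit code: 0 clean, 1 blocked."""
    blocking = findings(report_json, min_severity, fixable_only)
    for target, vid, pkg, sev, fixed in blocking:
        fix = f"fix in {fixed}" if fixed else "no fix available"
        print(f"{sev:8} {vid:14} {pkg} in {target} ({fix})")
    return 1 if blocking else 0


if __name__ == "__main__":
    # usage: python gate.py [report.json] [--ignore-unfixed]; without a path the sample is used
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    data = open(paths[0]).read() if paths else SAMPLE_REPORT
    sys.exit(gate(data, fixable_only="--ignore-unfixed" in sys.argv))
```

Run against the sample, the gate blocks on three findings at HIGH or above; with the unfixed CRITICAL suppressed it still blocks on the two fixable HIGHs, which is the right behaviour: "no fix available" is a reason to track a finding, not to ship it silently, so suppress unfixed entries only where a separate process owns them.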
## Secure Dockerfile

```dockerfile
# Build stage: install production dependencies, then copy the source.
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

# Runtime stage: distroless image with no shell or package manager.
# The :nonroot tag already defaults to the nonroot user (uid 65532);
# USER makes that explicit.
FROM gcr.io/distroless/nodejs20-debian12:nonroot
WORKDIR /app
COPY --from=build /app /app
USER nonroot
EXPOSE 3000
CMD ["server.js"]
```

Notes on the listing: the source is copied after `npm ci` so the dependency layer stays cached across code changes; `--omit=dev` replaces the deprecated `--only=production`; the distroless Node image's entrypoint is `node`, so `CMD` carries only the script. Distroless images are published as `nodejs20-debian12` (tags `latest`, `nonroot`, `debug`, `debug-nonroot`); an untagged reference means `latest` and runs as root.
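To catch the mistakes named at the top of the page before an image is built, the Dockerfile text itself can be checked. The following is an added example, not code from the page or from any project (a real linter such as hadolint goes much further): it parses a Dockerfile into stages, follows `FROM <alias>` chains so that a `USER` set in an inherited stage counts, and flags an unpinned final base image, a missing or root `USER`, and `ENV`/`ARG` names that look like secrets. `WEAK` is a constructed "before" Dockerfile; `HARDENED` is the page's multi-stage one.

```python
"""Check a Dockerfile for an unpinned base, a root user and baked-in secrets.

Added example, not from the original page or any project. The checks are
heuristics on the Dockerfile text. WEAK and HARDENED are constructed samples;
HARDENED is the page's multi-stage Dockerfile.
"""
import re

# Variable names that suggest a secret is being written into image layers.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)

WEAK = """\
FROM node
WORKDIR /app
COPY . .
ENV DB_PASSWORD=hunter2
RUN npm install
EXPOSE 3000
CMD ["node", "server.js"]
"""

HARDENED = """\
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

FROM gcr.io/distroless/nodejs20-debian12:nonroot
WORKDIR /app
COPY --from=build /app /app
USER nonroot
EXPOSE 3000
CMD ["server.js"]
"""


def parse(dockerfile):
    """Return stages as [{"alias": str|None, "instructions": [(INSTR, args), ...]}].
    Comments and blank lines are skipped; backslash continuations are joined."""
    logical, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    stages = []
    for line in logical:
        instr, _, args = line.partition(" ")
        instr, args = instr.upper(), args.strip()
        if instr == "FROM":
            m = re.search(r"\bAS\s+(\S+)", args, re.I)
            stages.append({"alias": m.group(1) if m else None, "instructions": []})
        elif not stages:
            raise ValueError("instruction before first FROM")
        stages[-1]["instructions"].append((instr, args))
    return stages


def base_image(from_args):
    """Image reference from a FROM line, ignoring --platform and AS <alias>."""
    return [t for t in from_args.split() if not t.startswith("--")][0]


def is_pinned(image):
    """True for a digest reference or a tag other than latest."""
    if "@" in image:
        return True
    name = image.rsplit("/", 1)[-1]  # drop registry/namespace, which may carry a port
    return ":" in name and not name.endswith(":latest")


def final_instructions(stages):
    """Instructions that reach the final image, following FROM <alias> chains
    (USER, WORKDIR etc. are inherited along them), and the external base image."""
    by_alias = {s["alias"]: s for s in stages if s["alias"]}
    chain, stage = [], stages[-1]
    while stage is not None and not any(s is stage for s in chain):
        chain.insert(0, stage)
        stage = by_alias.get(base_image(stage["instructions"][0][1]))
    instructions = [ins for s in chain for ins in s["instructions"]]
    return instructions, base_image(chain[0]["instructions"][0][1])


def check(dockerfile):
    """Return a list of problem descriptions; an empty list means no finding."""
    stages = parse(dockerfile)
    instructions, base = final_instructions(stages)
    problems = []
    if not is_pinned(base):
        problems.append(f"final image built from '{base}': untagged or :latest, pin a tag or digest")
    users = [a for i, a in instructions if i == "USER"]
    if not users:
        problems.append("no USER in the final image; the container runs as root")
    elif users[-1].split(":")[0] in ("root", "0"):
        problems.append(f"final USER is '{users[-1]}', i.e. root")
    for stage in stages:  # secrets in any stage land in layers or the build cache
        for instr, args in stage["instructions"]:
            if instr in ("ENV", "ARG"):
                tokens = args.split()  # `ENV A=1 B=2` or legacy `ENV A 1`
                names = [t.split("=", 1)[0] for t in tokens] if "=" in args else tokens[:1]
                for name in names:
                    if SECRET_NAME.search(name):
                        problems.append(f"{instr} {name} looks like a secret baked into the image")
    return problems


if __name__ == "__main__":
    for label, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"{label}: {check(text) or 'no findings'}")
```

The secret check is deliberately name-based: an `ARG` value is visible in `docker history` and an `ENV` value in every container's environment, so a mount with `RUN --mount=type=secret` or an injected runtime secret is the fix, not a better variable name.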
## Runtime security: Falco

### Falco rule: shell detection in a container

```yaml
- rule: Shell in container
  desc: A shell was started inside a container
  condition: spawned_process and container and proc.name in (bash, sh, zsh)
  output: "Shell started in container (user=%user.name container=%container.name cmdline=%proc.cmdline)"
  priority: WARNING
```

`spawned_process` (the return of an `execve`/`execveat` syscall) is what makes the rule fire once per shell start; the bare condition `container and proc.name in (...)` would match every syscall a running shell makes. `desc` is required by Falco's rule loader. Falco's bundled rules use the broader `shell_binaries` list (which also covers ash, dash, ksh and csh) instead of hard-coding three names.
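To see what the condition actually selects, the rule can be replayed over a handful of process events. The following is an added example, not code from the page and not Falco code: Falco compiles the YAML condition itself, and this models the same predicate in Python, with the `container` and `spawned_process` macros written out as Falco defines them, so that the rule with and without `spawned_process` can be compared on the same input. The events are constructed, not captured from a real system.

```python
"""Replay the page's Falco rule over constructed process events.

Added example, not part of the original page and not Falco code. The two
macros mirror Falco's definitions (`container: container.id != host`,
`spawned_process: evt.type in (execve, execveat) and evt.dir=<`). EVENTS is a
constructed sample, not captured data.
"""

SHELLS = ("bash", "sh", "zsh")


def is_container(evt):
    """Falco macro `container`."""
    return evt["container.id"] != "host"


def spawned_process(evt):
    """Falco macro `spawned_process`: the return side of execve/execveat."""
    return evt["evt.type"] in ("execve", "execveat") and evt["evt.dir"] == "<"


def rule_naive(evt):
    """Condition without spawned_process: container and proc.name in (bash, sh, zsh)."""
    return is_container(evt) and evt["proc.name"] in SHELLS


def rule_tightened(evt):
    """spawned_process and container and proc.name in (bash, sh, zsh)."""
    return spawned_process(evt) and rule_naive(evt)


def render(evt):
    """The rule's output string with the %field placeholders filled in."""
    return (f"Shell started in container (user={evt['user.name']} "
            f"container={evt['container.name']} cmdline={evt['proc.cmdline']})")


def event(evt_type, direction, container_id, container_name, proc, cmdline, user="root"):
    return {"evt.type": evt_type, "evt.dir": direction, "container.id": container_id,
            "container.name": container_name, "proc.name": proc,
            "proc.cmdline": cmdline, "user.name": user}


# Constructed sample: a shell spawned in a container, a shell on the host,
# the app process starting, and the I/O the container shell does afterwards.
EVENTS = [
    event("execve", "<", "a1b2c3d4e5f6", "myapp", "sh", "sh -c id"),
    event("execve", "<", "host", "host", "bash", "bash -l", user="alice"),
    event("execve", "<", "a1b2c3d4e5f6", "myapp", "node", "node server.js", user="nonroot"),
    event("read", ">", "a1b2c3d4e5f6", "myapp", "sh", "sh -c id"),
    event("write", "<", "a1b2c3d4e5f6", "myapp", "sh", "sh -c id"),
    event("read", "<", "a1b2c3d4e5f6", "myapp", "sh", "sh -c id"),
]


def run(rule, events):
    """Return the alert lines a rule would emit for the given events."""
    return [render(e) for e in events if rule(e)]


if __name__ == "__main__":
    for name, rule in (("without spawned_process", rule_naive),
                       ("with spawned_process", rule_tightened)):
        alerts = run(rule, EVENTS)
        print(f"{name}: {len(alerts)} alert(s)")
        for line in alerts:
            print("  " + line)
```

On this input the tightened rule produces one alert, for the `sh -c id` spawn; the naive condition produces four, because every read and write the same shell performs afterwards matches `proc.name in (...)` again. On a real host that difference is thousands of events per second, which is why the bundled rules always combine `spawned_process` with a process filter.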
## Key takeaway

Distroless or Alpine images, a non-root user, multi-stage builds. Scan the images, monitor the runtime.