dockerfile
Safeguard articles tagged "dockerfile" — guides, analysis, and best practices for software supply chain and application security.
11 articles
Containerizing Node.js apps: an updated Docker best-practices guide
The official node image ships a built-in non-root user, but COPY still writes files as root by default — most Node.js Dockerfiles never actually drop privileges.
Multi-Stage Docker Builds: A Security Pattern, Not Just a Size Trick
Multi-stage builds are pitched as a way to shrink images. Their bigger payoff is security: build secrets, compilers, and toolchains that never reach production. Here is how to use them right.
Building a minimal, multi-stage, non-root Dockerfile for PHP
The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.
Distroless vs Alpine: Which Base Image Is More Secure?
Alpine is tiny and familiar; distroless is tinier and shell-free. The right choice depends on what you value more — debuggability or a minimal attack surface. Here is the honest tradeoff.
Docker Image Security Best Practices
Every Docker layer you ship is attack surface you have to defend. Learn how to build lean, non-root, secret-free images that survive a registry scan and a real audit.
How to Harden a Dockerfile in 10 Practical Steps
Ten concrete Dockerfile changes — digest pinning, multi-stage builds, non-root users, BuildKit secrets, SBOM attestations — that remove whole classes of container risk.
How Snyk Container's automatic base image remediation PRs...
How Snyk Container's automatic base image remediation PRs pick replacement tags, what triggers them, and what they actually change in a Dockerfile.
Docker Scratch Images: When (and When Not) to Use Them
A docker scratch image starts from nothing — no shell, no package manager, no OS layer — which makes it the smallest possible attack surface, but only for binaries built to run without one.
Docker Container Security: A Hardening Checklist
Most container breaches trace back to a handful of avoidable mistakes — root users, bloated images, exposed sockets, unscanned dependencies. This checklist closes them, image to runtime.
Node.js in Docker: Choosing and Securing Your Base Image
The Docker Node base image you pick decides your CVE count before you write a line of code. Here is how to choose between Debian, slim, and Alpine — and harden whichever you pick.
BuildKit and Buildah: Building Containers Without Giving Away the Keys
Container build tools have direct access to your source code, secrets, and registries. BuildKit and Buildah offer security features that most teams ignore. Here is what to use and why.