Skip to main content

Container Security Hardening Checklist

A security checklist for the container lifecycle covering minimal images, non-root runtime, vulnerability scanning, SBOMs, signing, and SLSA provenance, with controls enforced at build and admission.

Estimated Time
1 day
Type
security audit
Category
Containers
Steps
12

When to Use This Checklist

Use this when containerizing workloads or auditing an existing container estate for security. It covers the full lifecycle: how images are built, how they are stored and signed, and how they run. It applies to any orchestrator, though several items integrate cleanly with Kubernetes admission control.

Containers concentrate supply-chain and runtime risk, so this checklist deliberately spans build, registry, and runtime rather than runtime alone.

How to Use This Checklist

Work through it in lifecycle order: image, pipeline, runtime. Start by shrinking the attack surface with minimal base images and non-root, read-only execution. Then secure the supply chain with scanning, SBOMs, and signing enforced at admission so unsigned or vulnerable images cannot run.

Treat the build-time items as blocking in CI; failing a build on a critical vulnerability is cheaper than patching production. The runtime detection items are valuable but secondary to getting the image and pipeline right.

What Good Looks Like

A hardened estate ships minimal, digest-pinned images that run as non-root with a read-only filesystem and dropped capabilities. Every image is scanned in CI, carries an SBOM, and is signed; admission control rejects anything unsigned or critically vulnerable. Secrets are injected at runtime, never baked in. Registry access is least-privilege with immutable tags, and the build pipeline produces verifiable SLSA provenance.

Common Pitfalls

The most common pitfall is running containers as root with a writable filesystem, which turns a contained bug into host risk. Baking secrets or credentials into image layers is another, since layers are easy to extract. Scanning images but not blocking on findings makes the scan theater. Using mutable tags like latest means you cannot prove what is running. Finally, never rebuilding images leaves known base-image vulnerabilities in production indefinitely.

Related Resources

Use the container image hardening guide and the CNCF cloud-native security whitepaper as the backbone, with CycloneDX for SBOMs and Sigstore for signing. Kubernetes Pod Security Standards enforce many of these controls at admission.