Docker

Best practices

• Specify full version tag to allow for reproducible builds (e.g., node:17.3.0-bullseye instead of node:17, node:17-bullseye etc.)
• Don’t run app as root in container

Resources

• Best practices for writing Dockerfiles | Docker Documentation (see also Reviewing the official Dockerfile best practices: good, bad, insecure)
• Broken by default: why you should avoid most Dockerfile examples
• The worst so-called “best practice” for Docker
• Less capabilities, more security: preventing Docker escalation attacks