# Docker Security Best Practices for Production
Running containers in production without hardening them is one of the most common ways teams introduce vulnerabilities. Docker makes deployment fast, but security doesn't come out of the box. This guide walks through the most important steps to secure your Docker workloads — whether you manage infrastructure yourself or deploy on a platform like [PandaStack](https://pandastack.io).
## Why Docker Security Matters
Containers share the host kernel. A misconfigured container can expose sensitive data, allow privilege escalation, or become a pivot point for attackers. The good news: most container security issues are preventable with straightforward practices.
## Step 1: Use Minimal Base Images
Start from the smallest image that satisfies your requirements.
```dockerfile
# Avoid
FROM ubuntu:latest

# Prefer
FROM node:20-alpine
```

Alpine-based images have fewer packages, a smaller attack surface, and faster pull times.
## Step 2: Never Run Containers as Root
Add a non-root user in your Dockerfile:
```dockerfile
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
```

On PandaStack container deployments, you can enforce this at the platform level: containers that attempt to run as root are flagged during deployment.
## Step 3: Scan Images for Vulnerabilities
Before pushing to production, scan your image:
```bash
# Using Docker Scout
docker scout cves my-app:latest

# Using Trivy
trivy image my-app:latest
```

Automate this in your CI pipeline so vulnerable images never reach your registry.
## Step 4: Pin Image Versions
Never use `latest` in production. Pin to a specific digest:

```dockerfile
FROM node:20.12.0-alpine3.19@sha256:<digest>
```

This prevents silent updates from introducing breaking changes or vulnerabilities.
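Steps 1, 2 and 4 (and the "never bake secrets into images" rule from Step 8) can all be checked mechanically before a build ever runs. The script below is an added example, not code from this post or from PandaStack: a small POSIX `sh` audit that reads a Dockerfile and reports `FROM` lines that use `:latest`, no tag, or a tag without a digest, a missing or root `USER`, and `ENV`/`ARG` names that look like secrets. Because it enforces Step 4, a tag-only `FROM node:20-alpine` is reported as a finding. The two Dockerfiles it runs on are constructed inline, and the digest of zeros is a placeholder.

```shell
#!/bin/sh
# Added example (not from the page or PandaStack): audit a Dockerfile for the
# practices in Steps 1, 2, 4 and 8. Prints one finding per line; exit status 0
# means no findings were raised.

audit_dockerfile() {
    file=$1
    findings=0
    seen_user=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        # normalise whitespace so "FROM\tubuntu" parses like "FROM ubuntu"
        line=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//; s/[[:space:]][[:space:]]*/ /g')
        case "$line" in ''|'#'*) continue ;; esac
        instr=$(printf '%s' "${line%% *}" | tr 'a-z' 'A-Z')
        args=${line#* }
        case "$instr" in
            FROM)
                ref=${args%% *}   # image reference only, ignoring "AS stage"
                case "$ref" in
                    scratch|*@sha256:*) ;;   # empty image or digest-pinned: fine
                    *:latest) echo "FROM uses :latest tag: $ref"; findings=$((findings + 1)) ;;
                    *:*)      echo "FROM pinned to a tag but not a digest: $ref"; findings=$((findings + 1)) ;;
                    *)        echo "FROM has no tag, which defaults to :latest: $ref"; findings=$((findings + 1)) ;;
                esac ;;
            USER)
                seen_user=1
                case "$args" in
                    root|0|root:*|0:*) echo "USER switches to root: $args"; findings=$((findings + 1)) ;;
                esac ;;
            ENV|ARG)
                # name-based heuristic only; a real secret scanner also inspects values and layers
                case "$args" in
                    *PASSWORD*|*SECRET*|*TOKEN*|*API_KEY*|*PRIVATE_KEY*)
                        echo "$instr may bake a secret into image layers: $args"; findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$file"
    if [ "$seen_user" -eq 0 ]; then
        echo "no USER instruction: the container will run as root"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo on two constructed Dockerfiles written to a temp dir (not real project files)
demo_dir=$(mktemp -d)
cat > "$demo_dir/bad.Dockerfile" <<'EOF'
FROM ubuntu:latest
ENV API_KEY=sk-constructed-value
RUN apt-get update && apt-get install -y curl
EOF
cat > "$demo_dir/good.Dockerfile" <<'EOF'
FROM node:20.12.0-alpine3.19@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
EOF
for name in bad good; do
    echo "== $name.Dockerfile"
    if audit_dockerfile "$demo_dir/$name.Dockerfile"; then echo "no findings"; fi
done
rm -r "$demo_dir"
```

Run it as a pre-commit hook or as the first CI job before the image build: `bad.Dockerfile` produces three findings (the `:latest` tag, the `API_KEY` environment variable and the missing `USER`), while `good.Dockerfile` passes. The secret check is deliberately name-based; it complements rather than replaces the image scanners from Step 3.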
## Step 5: Limit Resource Usage
Prevent runaway containers from starving other workloads:
```bash
docker run --memory="512m" --cpus="0.5" my-app
```

On PandaStack, resource limits are configured per container deployment in the dashboard at [dashboard.pandastack.io](https://dashboard.pandastack.io).
## Step 6: Use Read-Only Filesystems
Most apps don't need to write to the container filesystem:
```bash
docker run --read-only --tmpfs /tmp my-app
```

This prevents malware from writing executables or modifying application files.
## Step 7: Drop Unnecessary Linux Capabilities
By default, Docker grants more capabilities than most apps need:
```bash
docker run --cap-drop ALL --cap-add NET_BIND_SERVICE my-app
```

## Step 8: Manage Secrets Properly
Never bake secrets into images. Pass them as environment variables from a secrets manager, or use PandaStack's built-in environment variable encryption — secrets are stored encrypted and injected at runtime, never visible in image layers.
```bash
# Deploy with encrypted env vars via PandaStack CLI
panda deploy --env DATABASE_URL=$DATABASE_URL
```

Install the CLI with:

```bash
npm install -g @pandastack/cli
```

## Step 9: Enable Logging and Monitoring
You can't respond to incidents you can't detect. Ship container logs to a centralized location and set up alerts for error spikes or unexpected restarts. PandaStack provides built-in monitoring and alerting for all container deployments.
## Step 10: Keep the Host and Docker Daemon Updated
Container security depends on the host kernel and Docker daemon. Apply OS patches regularly, restrict Docker daemon socket access, and never expose the Docker socket to containers unless absolutely necessary.
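The runtime flags from Steps 5, 6 and 7 are easy to lose when a deployment is copied between environments, so it is worth having the container verify its own hardening at start-up. The script below is an added example, not code from this post or from PandaStack. It prints the combined `docker run` line for Steps 5 to 7 and, when used as the image entrypoint, checks before launching the application that it is not root (Step 2), that the root filesystem is read-only and `/tmp` is writable (Step 6), and that the effective capability set in `/proc/self/status` contains nothing beyond `NET_BIND_SERVICE` (Step 7). The `--security-opt=no-new-privileges` flag is a real Docker option that is not among the page's steps; it is included here as an assumption-free companion to `--cap-drop`. The capability number 10 for `NET_BIND_SERVICE` comes from `linux/capability.h`.

```shell
#!/bin/sh
# Added example (not from the page or PandaStack): the hardened `docker run`
# line from Steps 5-7 and an entrypoint self-check that refuses to start the
# application if the hardening was lost.

# Print the docker run invocation that applies Steps 5, 6 and 7 in one line.
# --security-opt=no-new-privileges is a real Docker flag not listed in the
# steps above; it blocks setuid binaries from regaining privileges.
hardened_run_args() {
    image=$1
    printf '%s' "docker run --rm --memory=512m --cpus=0.5 --read-only --tmpfs /tmp \
--cap-drop=ALL --cap-add=NET_BIND_SERVICE --security-opt=no-new-privileges $image"
}

# Capability number from linux/capability.h
CAP_NET_BIND_SERVICE=10

# caps_within_allowlist CAPEFF_HEX CAPNUM... -> 0 if no capability outside the
# allow-list is set. CAPEFF_HEX is the hex value printed on the CapEff line of
# /proc/self/status (a 64-bit bitmask, one bit per capability number).
caps_within_allowlist() {
    capeff_hex=$1; shift
    allowed=0
    for capnum in "$@"; do
        allowed=$(( allowed | (1 << capnum) ))
    done
    effective=$(( 0x$capeff_hex ))
    [ $(( effective & ~allowed )) -eq 0 ]
}

# Read the CapEff bitmask of the current process (Linux only).
read_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# fs_writable DIR -> 0 if a file can be created in DIR
fs_writable() {
    probe="$1/.rw-probe.$$"
    if touch "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# preflight -> 0 only if every runtime hardening check passes
preflight() {
    status=0
    if [ "$(id -u)" -eq 0 ]; then
        echo "preflight: running as root (Step 2)"; status=1
    fi
    if fs_writable /; then
        echo "preflight: root filesystem is writable; run with --read-only (Step 6)"; status=1
    fi
    if ! fs_writable /tmp; then
        echo "preflight: /tmp is not writable; add --tmpfs /tmp (Step 6)"; status=1
    fi
    if ! caps_within_allowlist "$(read_capeff)" "$CAP_NET_BIND_SERVICE"; then
        echo "preflight: capabilities beyond NET_BIND_SERVICE present; use --cap-drop ALL (Step 7)"; status=1
    fi
    return $status
}

# Entrypoint usage:  ENTRYPOINT ["/entrypoint.sh", "/usr/local/bin/my-app"]
# The checks only run when a command is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    preflight || exit 1
    exec "$@"
fi
```

A useful property of the capability check is that it works from inside the container without any Docker API access: the kernel exposes the bounding result directly in `/proc/self/status`, so the container can detect a misconfigured platform regardless of how it was launched. Docker's default capability set for a non-root-dropped container shows up there as a mask with many bits set (for example `00000000a80425fb`), which the check rejects.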
## Deploying Secure Containers on PandaStack
PandaStack's container deployment platform enforces many of these practices by default: resource limits, environment variable encryption, and deployment-time health checks. You can deploy a hardened container in minutes:
```bash
panda deploy --image my-app:1.0.0 --region us-east
```

See the full documentation at [docs.pandastack.io](https://docs.pandastack.io).
## Summary
Docker security is not a one-time task — it's a set of ongoing practices. Start with minimal images, run as non-root, scan for vulnerabilities, and enforce resource limits. Combined with a secure deployment platform, your containers will be production-ready.