performing-container-image-hardening

Community

Harden container images with CIS-aligned defaults.

Author: riandeoliveira
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

It reduces security risk in production container images by minimizing attack surface, removing unnecessary components, and enforcing least-privilege and baseline CIS configuration controls.

Core Features & Use Cases

  • Multi-stage builds for smaller, safer images: Builds dependencies in a dedicated builder stage and copies only runtime artifacts into a minimal production stage.
  • Hardened runtime posture (non-root, least privilege, safer filesystem): Creates non-root users, drops Linux capabilities, and supports read-only root filesystem patterns (including Kubernetes securityContext examples).
  • CIS Docker Benchmark-aligned validation: Scans for vulnerabilities and misconfigurations using tools like Trivy and Dockle, and checks Dockerfile practices (e.g., pinning digests, avoiding secrets, and discouraging risky commands).
  • Use Case: When migrating from “fat” base images (e.g., full Python/Ubuntu) to slim/distroless variants, this helps cut image size and reduce CVE exposure while improving hardening consistency across services.

Quick Start

Run the provided agent to audit a hardened image by executing:

    python scripts/agent.py --image your-image:tag --dockerfile path/to/Dockerfile --output report.json

Dependency Matrix

Required Modules

argparse, json, os, subprocess, sys, datetime

Components

scripts, references, assets

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below into Claude Code.

Please help me install this Skill:
Name: performing-container-image-hardening
Download link: https://github.com/riandeoliveira/aspnet-template/archive/main.zip#performing-container-image-hardening

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.