Supply Chain Attack

Supply Chain Attack - Docker

Need

Ensuring secure and verifiable supply chain for Docker dependencies in docker-compose

Context

• Usage of docker-compose for managing containerized applications

Description

1. Non compliant code

services:
  app:
    image: python:3.11.5
    volumes:
      - .:/app
    working_dir: /app
    command: python app.py

This docker-compose file uses an unpinned image reference (e.g., 'python:3.11.5') for the app service. Without specifying an image digest, the integrity of the base image cannot be verified, which exposes the application to potential supply chain attacks.

2. Steps

• Pin the exact version of the base image using its digest.

• Avoid using the 'latest' tag or unverified tags.

• Use non-root users for running containers.

• Verify dependency integrity via image digests or secure registries.

• Regularly update and patch dependencies.

3. Secure code example

services:
  app:
    image: python@sha256:8a164692c20c8f51986d25c16caa6bf03bde14e4b6e6a4c06b5437d5620cc96c
    volumes:
      - .:/app
    working_dir: /app
    user: "1001"
    command: python app.py

In the secure version, the image is referenced by its digest, ensuring that the exact verified image is used. Additionally, a non-root user is specified to enhance container security.

References

• 380. Supply Chain Attack - Docker

On this page