Supply Chain Attack - Docker - Docker-compose


Need

Ensuring secure and verifiable supply chain for Docker dependencies in docker-compose


Context

  1. Usage of docker-compose for managing containerized applications

Description

Insecure Code Example

services:
  app:
    image: python:3.11.5
    volumes:
      - .:/app
    working_dir: /app
    command: python app.py

This docker-compose file references the image for the app service by tag only ('python:3.11.5'), with no digest. A tag is a mutable pointer, so the registry can serve different content under the same name over time. Without an image digest, the integrity of the base image cannot be verified, which exposes the application to potential supply chain attacks.

Steps

  1. Pin the exact version of the base image using its digest.
  2. Avoid using the 'latest' tag or unverified tags.
  3. Use non-root users for running containers.
  4. Verify dependency integrity via image digests or secure registries.
  5. Regularly update and patch dependencies.

Secure Code Example

services:
  app:
    image: python@sha256:8a164692c20c8f51986d25c16caa6bf03bde14e4b6e6a4c06b5437d5620cc96c
    volumes:
      - .:/app
    working_dir: /app
    user: "1001"
    command: python app.py

In the secure version, the image is referenced by its digest, ensuring that the exact verified image is used. Additionally, a non-root user is specified to enhance container security.
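The two checks above (digest pinning and a non-root user) can be enforced automatically before deployment. The following is an added example, not part of the original page: audit_compose is a hypothetical helper that assumes simple 2-space block-style compose files like the ones shown here and is not a full YAML parser.

```python
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# The two compose files shown on this page, embedded so the check runs offline.
INSECURE = """services:
  app:
    image: python:3.11.5
    volumes:
      - .:/app
    working_dir: /app
    command: python app.py
"""
SECURE = INSECURE.replace(
    "python:3.11.5",
    "python@sha256:8a164692c20c8f51986d25c16caa6bf03bde14e4b6e6a4c06b5437d5620cc96c",
).replace("    command:", '    user: "1001"\n    command:')


def audit_compose(text):
    """Return (service, finding) pairs; assumes 2-space block-style YAML as above."""
    services, current, in_services = {}, None, False
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if indent == 0:  # top-level key: are we inside 'services'?
            in_services, current = key == "services", None
        elif in_services and indent == 2:  # a service name
            current = services.setdefault(key, {})
        elif current is not None and indent == 4 and key in ("image", "user"):
            current[key] = value
    findings = []
    for name, cfg in services.items():
        image = cfg.get("image", "")
        if image and not DIGEST_RE.search(image):
            findings.append((name, f"image '{image}' is not pinned by sha256 digest"))
        if cfg.get("user", "").split(":")[0] in ("", "0", "root"):
            findings.append((name, "no non-root 'user' set for the container"))
    return findings


if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE), ("secure", SECURE)):
        print(label, audit_compose(doc) or "OK")
```

Run in CI, a non-empty result can fail the build so that a tag-only image reference never reaches deployment.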


References

  • 380 - Supply Chain Attack - Docker

  • Last updated: 2025/04/02