@Saliha067
Last active February 1, 2022 00:53
Docker container security Policy
# [ 0-Multi Stage ] compile stage: build the virtualenv with the dependencies
FROM python:3.9.1-alpine AS compile-image
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
COPY requirements.txt .
RUN pip3 install -r requirements.txt

# [ 1-Multi Stage ] runtime stage on a pinned tag (no "latest"); only the built virtualenv and the app are copied in
FROM python:3.9.1-alpine AS build-image
# LABEL goes on the final stage: a label set in an earlier stage is not carried into the final image
LABEL description="No root user, COPY what is needed, no latest, only root users can write, multistage build"
# [ Multi Stage ] copy only the built virtualenv from the compile stage, not pip, caches or build tools
COPY --from=compile-image /opt/venv/ /opt/venv/
ENV PATH="/opt/venv/bin:$PATH"
RUN mkdir /app
COPY api.py /app
WORKDIR /app
# unprivileged system account with no home directory
RUN addgroup -S user && adduser -S user -G user --no-create-home
# /app stays owned by root and is read-only for everyone else, so the app user cannot modify its own code
RUN chmod -R 755 /app
USER user
ENTRYPOINT ["python3"]
CMD ["api.py"]
Ref. https://docs.docker.com/develop/develop-images/multistage-build/
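As an added example (not part of the gist), the following POSIX shell and awk linter checks a Dockerfile against the build-time rules the Dockerfile above follows: a pinned base tag rather than an untagged or latest image, a non-root USER, LABEL metadata, COPY instead of ADD, and no secrets in ENV or ARG. The function name lint_dockerfile and the rule set are this example's own choices, and both Dockerfiles it runs on are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the gist: a POSIX shell + awk linter that checks a
# Dockerfile against the build-time rules of the policy (pinned base tag, no
# "latest", non-root USER, LABEL metadata, COPY rather than ADD, no hardcoded
# secrets). The function name and the rule set are this example's own.
# Usage: lint_dockerfile path/to/Dockerfile
# One line per violation is printed; the return status is the violation count
# (0 means the file passed). Single-line instructions are assumed: a
# backslash-continued ENV or ARG is only inspected on its first line.

lint_dockerfile() {
  awk '
    function report(msg) { print FILENAME ":" NR ": " msg; bad++ }
    { ins = toupper($1) }
    ins == "FROM" {
      img = $2
      if (NF >= 4 && toupper($3) == "AS") stages[$4] = 1
      # earlier stages, scratch and digest-pinned images are fine;
      # an untagged or :latest base drifts silently between builds
      if (!(img in stages) && img != "scratch" && img !~ /@sha256:/ &&
          (img !~ /:/ || img ~ /:latest$/))
        report("base image not pinned to a version tag: " img)
    }
    ins == "USER"  { user = $2 }
    ins == "LABEL" { label = 1 }
    ins == "ADD"   { report("use COPY instead of ADD (ADD fetches URLs and unpacks archives)") }
    (ins == "ENV" || ins == "ARG") && toupper($0) ~ /(PASSWORD|SECRET|TOKEN|API_KEY)=/ {
      report("possible hardcoded secret: " $0)
    }
    END {
      if (user == "" || user == "root" || user == "0") {
        print FILENAME ": no non-root USER instruction, so the container runs as root"; bad++
      }
      if (!label) { print FILENAME ": no LABEL metadata"; bad++ }
      exit bad
    }' "$1"
}

# Constructed sample inputs (written to temp files so the linter can be run on paths).
GOOD_DOCKERFILE=$(mktemp)
BAD_DOCKERFILE=$(mktemp)

# Follows the policy: pinned tag, multi-stage, LABEL, non-root USER, COPY only.
cat >"$GOOD_DOCKERFILE" <<'EOF'
FROM python:3.9.1-alpine AS compile-image
RUN python -m venv /opt/venv
COPY requirements.txt .
RUN pip3 install -r requirements.txt
FROM python:3.9.1-alpine AS build-image
LABEL description="no root user, multistage build"
COPY --from=compile-image /opt/venv/ /opt/venv/
RUN addgroup -S user && adduser -S user -G user
USER user
CMD ["python3", "api.py"]
EOF

# Breaks five rules: latest tag, secret in ENV, ADD, no USER, no LABEL.
cat >"$BAD_DOCKERFILE" <<'EOF'
FROM python:latest
ENV API_TOKEN=constructed-placeholder-not-a-real-secret
ADD app.tar.gz /app
CMD ["python3", "api.py"]
EOF

lint_dockerfile "$GOOD_DOCKERFILE" && echo "good Dockerfile: 0 violations"
lint_dockerfile "$BAD_DOCKERFILE" || echo "bad Dockerfile: $? violations"
```

The secret check is a keyword heuristic, so treat its output as a prompt to look, not as proof; pair it with image scanning for anything that slipped through the build.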
Docker container security Policy
Reduce the attack surface: avoid unknown public images.
Package a single application per container, keep container images small, and minimize the number of layers.
Use a minimal base image: alpine, scratch, or distroless.
Ensure your application uses the most recent (patched) base image.
Use multi-stage builds and official base images.
Apply the principle of least privilege: don't run containers as root or in privileged mode.
Rootless: run as a non-root, least-privileged user.
Run containers with Docker's --read-only mode where possible.
Don't leave sensitive information (secrets, tokens, keys, etc.) in the image.
Don't mount host paths into containers.
Sign and verify container images to protect them against supply-chain attacks.
Actively scan for and fix vulnerabilities in container dependencies.
Don't hardcode secrets or credentials in container images.
Use metadata labels on images: licensing information, sources, authors, and the relation of containers to projects or components.
Containers should not run SSH.
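The runtime rules in the list (no privileged mode, read-only root filesystem, non-root user, no host path mounts, least privilege) can be audited on a running container from its docker inspect output. The shell function below is an added example, not part of the gist: the name audit_container and the set of checks are its own, while the JSON keys it reads (HostConfig.Privileged, HostConfig.ReadonlyRootfs, HostConfig.Binds, HostConfig.CapAdd, HostConfig.SecurityOpt, Config.User) are the ones docker inspect emits, and the two inspect documents it runs on are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the gist: audits one container's inspect output
# against the runtime rules of the policy. Produce the input with the real
# command (single-line JSON, so the grep patterns below work on one line):
#   docker inspect --format '{{json .}}' CONTAINER > inspect.json
#   audit_container inspect.json
# A container that passes corresponds to a run such as
#   docker run --read-only --tmpfs /tmp --cap-drop ALL \
#     --security-opt no-new-privileges --user user IMAGE
# The function name and check set are this example's own choices.

violations=0
fail() { echo "FAIL: $1"; violations=$((violations + 1)); }

audit_container() {
  j="$1"; violations=0
  grep -Eq '"Privileged":[[:space:]]*false' "$j" \
    || fail "privileged mode is on (drop --privileged)"
  grep -Eq '"ReadonlyRootfs":[[:space:]]*true' "$j" \
    || fail "root filesystem is writable (use --read-only, with --tmpfs for scratch dirs)"
  # empty, root, 0 or 0:0 all mean the process runs as root
  if grep -Eq '"User":[[:space:]]*"(root|0|0:0)?"' "$j"; then
    fail "process runs as root (set USER in the Dockerfile or pass --user)"
  fi
  # a non-empty Binds array means a host path is mounted into the container
  if grep -Eq '"Binds":[[:space:]]*\[[[:space:]]*"' "$j"; then
    fail "host path mounted into the container (Binds is non-empty)"
  fi
  if grep -Eq '"CapAdd":[[:space:]]*\[[[:space:]]*"' "$j"; then
    fail "extra Linux capabilities added (CapAdd is non-empty)"
  fi
  grep -Eq '"SecurityOpt":[[:space:]]*\[[^]]*"no-new-privileges' "$j" \
    || fail "no-new-privileges not set (--security-opt no-new-privileges)"
  return $violations
}

# Constructed inspect documents, reduced to the fields the checks read.
GOOD_INSPECT=$(mktemp)
BAD_INSPECT=$(mktemp)
printf '%s\n' '{"Config":{"User":"user","Image":"python:3.9.1-alpine"},"HostConfig":{"Privileged":false,"ReadonlyRootfs":true,"Binds":null,"CapAdd":null,"CapDrop":["ALL"],"SecurityOpt":["no-new-privileges"]}}' >"$GOOD_INSPECT"
printf '%s\n' '{"Config":{"User":"","Image":"python:latest"},"HostConfig":{"Privileged":true,"ReadonlyRootfs":false,"Binds":["/home/deploy:/data"],"CapAdd":["SYS_ADMIN"],"CapDrop":null,"SecurityOpt":null}}' >"$BAD_INSPECT"

audit_container "$GOOD_INSPECT" && echo "hardened container: 0 violations"
audit_container "$BAD_INSPECT" || echo "default-ish container: $? violations"
```

The checks are line-oriented greps over compact JSON rather than a JSON parser, which is enough for a quick gate in a deploy script; for fleet-wide enforcement the same rules belong in a policy engine or admission control rather than in ad-hoc shell.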