Ensuring secure and verifiable supply chain for Docker dependencies in docker-compose
services:
  app:
    image: python:3.11.5
    volumes:
      - .:/app
    working_dir: /app
    command: python app.py
This docker-compose file references the app service's image by a mutable tag only (python:3.11.5). Without an image digest, the integrity of the base image cannot be verified: whoever controls the tag (the registry, or an attacker who compromises it) can re-point it to different content, which exposes the application to supply chain attacks. The container also runs as root by default.
services:
  app:
    image: python@sha256:8a164692c20c8f51986d25c16caa6bf03bde14e4b6e6a4c06b5437d5620cc96c
    volumes:
      - .:/app
    working_dir: /app
    user: "1001"
    command: python app.py
In the secure version, the image is referenced by its content digest, so the exact image that was verified is the one that runs: a tag can be re-pointed, but a digest identifies one immutable manifest. Additionally, a non-root user (UID 1001) is specified so that a compromise of the application does not hand out root inside the container.
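As an added check that is not part of the original page, the following Python linter walks a compose file and reports, per service, image references that are not digest-pinned (or carry a malformed digest) and services that do not set a non-root `user:`. It assumes the conventional two-space compose layout so it needs no YAML library, and the sample compose text is constructed from the insecure example above.

```python
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
RUNS_AS_ROOT = "no non-root 'user:' set; container runs as root"

def parse_image_ref(ref: str) -> dict:
    """Split an image reference into repository, tag and digest. A tag is only
    looked for in the last path component, so a registry port (host:5000/app)
    is not mistaken for a tag."""
    name, _, digest = ref.partition("@")
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    return {"repository": name, "tag": tag, "digest": digest or None}

def check_image_ref(ref: str) -> list:
    """Findings for one image reference; an empty list means digest-pinned."""
    parts = parse_image_ref(ref)
    if parts["digest"] is None:
        return [f"not pinned by digest; tag {parts['tag'] or 'latest'!r} is mutable"]
    if not DIGEST_RE.match(parts["digest"]):
        return [f"malformed digest {parts['digest']!r}"]
    return []

def lint_compose(text: str) -> dict:
    """Per-service findings for a compose document. Assumption: the usual
    two-space layout (service names at indent 2, their keys at indent 4)."""
    findings, service, in_services = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and blanks
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:                            # new top-level section
            in_services, service = key == "services", None
        elif in_services and indent == 2 and not value:
            service = key                          # start of a service block
            findings[service] = [RUNS_AS_ROOT]     # cleared if user: is non-root
        elif in_services and indent == 4 and service is not None:
            if key == "image":
                findings[service] += check_image_ref(value)
            elif key == "user" and value not in ("", "0", "root"):
                findings[service] = [f for f in findings[service] if f != RUNS_AS_ROOT]
    return findings

# Constructed sample: the tag-only, root-running service from this page.
INSECURE = """services:
  app:
    image: python:3.11.5
    volumes:
      - .:/app
    working_dir: /app
    command: python app.py
"""
```

Running `lint_compose(INSECURE)` flags both issues for `app`; the same text with the digest reference and `user: "1001"` added comes back clean.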