Questions tagged [docker]
Docker is a popular virtualization solution that provides virtualization within an operating system for reusable packages of software called containers. More information available at docker.com.
210 questions
0 votes
1 answer
46 views
Encapsulate and secure service that has access to sensitive data
I have an API Key for a service that holds sensitive data (Sick Days, Employee Home Address) that should not be exposed to other devs in my company. The API of my service will only allow a user with a ...
1 vote
1 answer
164 views
How to securely build code from the internet on my servers?
I need to create a build server which will clone code from GitHub (npm repositories) and then build an OCI image using Buildpack or Nixpack. I am currently researching how to achieve this securely ...
1 vote
0 answers
104 views
Is reducing the webserver stack from Caddy, NGINX and PHP-FPM to only Caddy and PHP-FPM a reduction in layered-security?
I have a situation where a webserver behind a network firewall is run inside of Docker containers. It is set up in this order: Caddy webserver - acts as WAF, GEOIP block, IP blacklist, HTTP Security ...
1 vote
1 answer
400 views
Why are the unsafe challenges in OWASP Juice Shop a security risk in containerized environments? [duplicate]
OWASP Juice Shop is a popular tool for web security training, demos and learning. I am using the provided docker container and hosting it in a dedicated computer. However, there are certain challenges ...
2 votes
0 answers
187 views
What is the difference between enhanced container isolation projects like runq, Kata Containers, Firecracker and gVisor?
I'm diving into different solutions to use (virtual machine based) isolation for containers. I found these promising projects: runq, Kata Containers, Firecracker and gVisor. I think that runq, Kata ...
1 vote
1 answer
326 views
Does it matter (and go widely unnoticed) that GitLab CI+docker-executor produces world-writable files, or do "we" need to raise awareness for that? [closed]
I have a vague feeling that there is a widespread security problem which goes unnoticed. I'm trying to find out how to check the level of relevance and awareness out there or how to maybe raise it. ...
1 vote
0 answers
389 views
Should I house my organization's root CA certificate in public GitHub repository?
We have a public repository of a software that uses Docker container. Anything that runs within the organization sees certificates signed by our org's root CA. For the container to run properly ...
1 vote
0 answers
65 views
Are libc security vulnerabilities in a Python web application actually exploitable in a private cloud environment?
We use a Python web framework and gunicorn library on top of Docker to power a web application with a frontend in a private cloud that can be accessed by a private network. Our security tools report ...
1 vote
1 answer
352 views
Edge browser + Docker: proxy settings for Burp Suite
This is my case: I'm trying DVWA in a Docker container localhost:4280. I want to test this webapp with Burp Suite (which listens to port 8080) and Microsoft Edge browser. I'm on Windows 11. The way to ...
0 votes
1 answer
199 views
Do I need to implement additional security measures for my self-hosted container web app?
Could you please suggest if I need to do anything else to ensure that my server is secure against the most common attacks? Currently it seems fine to me, but I would highly appreciate if someone with ...
-1 votes
1 answer
312 views
How to use `docker secret` to prevent secrets from being seen in plain text by unauthorized individuals
I am exploring how to use docker secrets, but all the secrets are visible in plain text format to anyone who can use the docker command. How do I ensure all secrets are sufficiently protected and not ...
0 votes
0 answers
232 views
Connecting Logstash To Elasticsearch via SSL (Docker Container)
My environment consists of 2 docker containers, one running Logstash and another running Elasticsearch on the SAME host & SAME docker network. I am trying to set up SSL between the 2 of them (this ...
1 vote
0 answers
899 views
I do not understand how the standard practice to pass secrets as environment variables to containers is considered as safe? [duplicate]
TL;DR The container's environment variable can be queried many ways, with native docker tools or 3rd party tools. The docker admin user (or any user in the docker group) not necessary dba on a ...
0 votes
1 answer
407 views
Safe or not? Elasticsearch on localhost through Docker
I am learning to run Elasticsearch in a Docker container on a laptop. For a start, I expect running it on localhost. The laptop is connected to the Internet. Is that unsafe? I remember that ipython/...
1 vote
1 answer
407 views
Why is IP forwarding for an ECS instance being flagged as a vulnerability?
I am very new to this and was asked to address some security patches on various ec2 instances in our AWS account. Mostly this was a matter of using the Security Manager to connect to the instance and ...