The Center for Internet Security (CIS) creates best practices for cyber security and defense. The CIS uses crowdsourcing to define its security recommendations. The CIS Benchmarks are among its most popular tools.
Organizations can use the CIS Benchmark for Docker to validate that their Docker containers and the Docker runtime are configured as securely as possible. There are open source and commercial tools that can automatically check your Docker environment against the recommendations defined in the CIS Benchmark for Docker to identify insecure configurations.
The CIS Benchmark for Docker provides a number of helpful configuration checks, but organizations should think of them as a starting point and go beyond the CIS checks to ensure best practices are applied. Setting resource constraints, reducing privileges, and ensuring images run in read-only mode are a few examples of additional checks you’ll want to run on your container files.
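The three additional checks named above (resource constraints, reduced privileges, read-only mode) can be audited from `docker inspect` output. The sketch below is an added example, not code from this page or from CIS; the sample data is constructed, and the choice of which `HostConfig` fields represent each check is an assumption.

```python
import json

# Constructed sample shaped like `docker inspect <container>` output (not real data).
SAMPLE_INSPECT = json.loads("""[
  {"Name": "/web", "Config": {"User": ""},
   "HostConfig": {"Memory": 0, "NanoCpus": 0, "CpuShares": 0, "PidsLimit": null,
                  "Privileged": true, "CapDrop": null, "SecurityOpt": null,
                  "ReadonlyRootfs": false}},
  {"Name": "/api", "Config": {"User": "10001:10001"},
   "HostConfig": {"Memory": 268435456, "NanoCpus": 500000000, "CpuShares": 0,
                  "PidsLimit": 100, "Privileged": false, "CapDrop": ["ALL"],
                  "SecurityOpt": ["no-new-privileges"], "ReadonlyRootfs": true}}
]""")

def audit_container(c):
    """Return a list of findings for one `docker inspect` entry."""
    host = c.get("HostConfig") or {}
    user = (c.get("Config") or {}).get("User") or ""
    caps_dropped = [x.upper() for x in (host.get("CapDrop") or [])]
    sec_opts = host.get("SecurityOpt") or []
    findings = []
    # Resource constraints: 0, null and -1 all mean "unlimited" in inspect output.
    if not host.get("Memory"):
        findings.append("no memory limit")
    if not (host.get("NanoCpus") or host.get("CpuQuota") or host.get("CpuShares")):
        findings.append("no CPU limit or shares")
    if (host.get("PidsLimit") or 0) <= 0:
        findings.append("no PID limit")
    # Reduced privileges.
    if host.get("Privileged"):
        findings.append("privileged mode")
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root")
    if "ALL" not in caps_dropped:
        findings.append("capabilities not dropped")
    if not any(o.startswith("no-new-privileges") and not o.endswith("false")
               for o in sec_opts):
        findings.append("no-new-privileges not set")
    # Read-only mode.
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem")
    return findings

def audit(containers):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in containers}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```

To run it against live containers, replace the sample with the parsed output of `docker inspect $(docker ps -q)`.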
Last updated: May-30-2020