
---

## 🔒 **9. Security Best Practices**

---

### 👤 **Running as Non-root User**

Containers should not run as `root`: without user-namespace remapping, uid 0 inside the container is uid 0 on the host, so a breakout is far more damaging.
🔧 Create an unprivileged user in the Dockerfile and switch to it:

```dockerfile
# --gecos "" keeps adduser non-interactive so the build does not hang on prompts (Debian/Ubuntu images)
RUN adduser --disabled-password --gecos "" appuser
USER appuser
```

✅ Limits the blast radius if the container is compromised: the process no longer holds root inside the container, so it cannot modify image-owned files or escalate through root-only paths.

---

### 🛡️ **Docker Bench Security**

Script that **audits your Docker host** and daemon configuration against the CIS Docker Benchmark.

🔧 Run:

```bash
# The audit container needs the host's namespaces and config paths to inspect them;
# mount the host paths read-only so the audit tool itself cannot change anything.
docker run -it --rm --net host --pid host --cap-add audit_control \
  --security-opt apparmor=unconfined \
  --privileged \
  --volume /var/lib:/var/lib:ro \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
  --volume /etc:/etc:ro \
  docker/docker-bench-security
```

📊 Prints a per-check report (`[PASS]`, `[WARN]`, `[INFO]`, `[NOTE]`) covering host, daemon, image and container-runtime settings.

---

### ✅ **Signed Images (Content Trust)**

Docker Content Trust (DCT) ensures images are **signed and verified**.

🔒 Enable DCT (it only applies to the shell where it is exported, so set it in your profile or CI environment):

```bash
export DOCKER_CONTENT_TRUST=1
```

> With DCT on, `docker pull`, `docker run` and `docker build` refuse image tags that do not carry a valid signature in the registry.

---

### 🧬 **Image Scanning (`docker scan`)**

Find vulnerabilities in images using:

```bash
docker scan myimage
```

🛠 Powered by **Snyk** under the hood (needs Docker Desktop or the `docker scan` CLI plugin). Note: `docker scan` has since been deprecated; on current Docker releases use `docker scout cves myimage` instead.

---

### 🧮 **Limiting Resource Usage**

Set limits so one container cannot starve the host or other containers of memory and CPU; this also blunts resource-exhaustion attacks against a compromised service.

```bash
docker run --memory=512m --cpus="1.0" myapp
```

| Flag       | Purpose                                                                  |
| ---------- | ------------------------------------------------------------------------ |
| `--memory` | Hard RAM limit (e.g., `256m`, `2g`); the container is OOM-killed above it |
| `--cpus`   | CPU limit in (fractional) CPUs (e.g., `0.5`, `2`)                        |
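The non-root and resource-limit rules above are easy to check on a running host. This added example (not part of the original cheat sheet) audits `docker inspect` output for root users, missing limits, `--privileged` and a mounted Docker socket; the embedded JSON is a constructed sample so it runs offline, and on a real host you would feed it `docker inspect $(docker ps -q)`.

```python
"""Audit `docker inspect` records for the hardening points in this section."""
import json

# Constructed sample resembling `docker inspect` output, trimmed to the fields checked.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""},
     "HostConfig": {"Memory": 0, "NanoCpus": 0, "Privileged": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/api", "Config": {"User": "appuser"},
     "HostConfig": {"Memory": 536870912, "NanoCpus": 1000000000,
                    "Privileged": False, "Binds": []}},
])


def audit_container(c: dict) -> list[str]:
    """Return the findings for one container record (empty list = clean)."""
    findings = []
    cfg, host = c.get("Config", {}), c.get("HostConfig", {})
    user = cfg.get("User") or ""
    # An empty User, "root" or uid 0 all mean the process runs as root in the container.
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        findings.append("runs as root (set USER in the Dockerfile)")
    if not host.get("Memory"):            # 0 = unlimited
        findings.append("no memory limit (--memory)")
    if not host.get("NanoCpus"):          # 0 = unlimited; --cpus=1.0 -> 1e9
        findings.append("no CPU limit (--cpus)")
    if host.get("Privileged"):
        findings.append("privileged container")
    # A bind-mounted Docker socket gives the container full control of the daemon.
    if any(b.split(":")[0] == "/var/run/docker.sock" for b in host.get("Binds") or []):
        findings.append("docker socket mounted (daemon control if compromised)")
    return findings


def audit(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings for every record in `docker inspect` output."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        status = "WARN" if findings else "PASS"
        print(f"[{status}] {name}: {'; '.join(findings) or 'ok'}")
```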

---

