
Container Hardening Guide


This guide shows you a possible workflow for your container hardening. We assume that you are using DevGuard for vulnerability scanning and management, but the general principles can be applied with other tools as well.

Definition of Container Hardening

Container Hardening is the process of securing an Open Container Initiative (OCI) container image by reducing its attack surface, removing unnecessary components, and applying security best practices. The goal is to minimize vulnerabilities and enhance the overall security posture of containerized applications.

A hardened container image is an OCI-compliant image that has been optimized for security and made compliant with the following requirements (specified in detail in the guide):

  • Minimalism: The image contains only the essential components required for the application to run, reducing the potential attack surface.
  • CVE-Transparency: All components in the image are regularly scanned for known vulnerabilities (CVEs) using tools like DevGuard, and the current status is made available transparently (via attestations).
  • CVE-Handling: Vulnerabilities are addressed and assessed according to a defined process, which may include removing components, updating components, applying patches, or accepting risks.
  • Least-privilege: The image is configured to run with the least privileges necessary, avoiding running as root and using read-only file systems where possible.

A hardened container runtime environment is a runtime environment that enforces security policies and best practices for running containerized applications, such as:

  • Running containers with least privilege (non-root user).
  • Using read-only file systems.
  • Restricting Linux capabilities to the minimum required.
  • Implementing network segmentation and traffic rules.
  • Verifying container images before deployment.
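The least-privilege requirement for the image and the runtime requirements listed above can be checked mechanically in infrastructure-as-code. The following added example (not part of this guide or of DevGuard) evaluates a constructed Kubernetes pod spec against those points; the allowed capability set and the image digests are assumptions chosen for the sample.

```python
import json

# Constructed sample pod spec (not from the guide): "web" lacks hardening,
# "api" follows the runtime requirements listed above.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "demo"},
  "spec": {
    "containers": [
      {"name": "web", "image": "registry.example/web@sha256:PLACEHOLDER",
       "securityContext": {"privileged": true}},
      {"name": "api", "image": "registry.example/api@sha256:PLACEHOLDER",
       "securityContext": {
         "runAsNonRoot": true, "runAsUser": 10001,
         "readOnlyRootFilesystem": true,
         "allowPrivilegeEscalation": false,
         "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}
    ]
  }
}
""")

# Assumption: the only Linux capability this workload actually needs.
ALLOWED_CAPS = {"NET_BIND_SERVICE"}

def check_container(c):
    """Return the list of hardening findings for one container spec."""
    sc = c.get("securityContext", {})
    findings = []
    if sc.get("privileged"):
        findings.append("privileged container")
    # Non-root: either runAsNonRoot is enforced or an explicit non-zero UID is set.
    if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
        findings.append("may run as root")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append("writable root filesystem")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        findings.append("privilege escalation allowed")
    caps = sc.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        findings.append("default capability set not dropped")
    extra = set(caps.get("add", [])) - ALLOWED_CAPS
    if extra:
        findings.append("unneeded capabilities: " + ", ".join(sorted(extra)))
    if "@sha256:" not in c.get("image", ""):  # digest pinning, precondition for image verification
        findings.append("image not pinned by digest")
    return findings

def check_pod(pod):
    """Map container name -> findings; an empty list means the container passes."""
    return {c["name"]: check_container(c) for c in pod["spec"]["containers"]}

if __name__ == "__main__":
    for name, findings in check_pod(SAMPLE_POD).items():
        print(name, "OK" if not findings else "; ".join(findings))
```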

Scope

This guide focuses on a generally applicable container hardening process for OCI-compliant container images. In addition to the optimized image, it is crucial to run the container in a hardened runtime environment. Aspects of the runtime environment are covered where an infrastructure-as-code (IaC) approach and the corresponding scanning are used, but they are not the main focus of this guide.

References

Please note the following references that were used to create this guide and which can be used for further reading: