Docker & Containers

Containers that run as root give any code execution vulnerability immediate root access to the container — and potentially the host.

Using FROM image:latest means a new pull can silently change your base image, breaking reproducibility and potentially introducing vulnerabilities.

Secrets added via ENV, ARG, or COPY .env in a Dockerfile are baked into the image layers and readable by anyone who pulls the image.

EXPOSE-ing ports your application doesn't actually use increases the attack surface without any benefit.

Without a HEALTHCHECK instruction, Docker and orchestrators can't detect when your container is running but broken — routing traffic to a dead app.