Container Image Security Practices

The Center for Internet Security (CIS) publishes benchmarks for container images so that they are built and deployed according to security best practices. To support the secure configuration and operation of containerized applications, Altair follows the CIS guidelines described in the list below:

  • Container images are based on a minimal and secure operating system image.
  • All unnecessary or unused packages, libraries, and services are removed from the container image. The image includes only the necessary components required to run the application. It does not include additional tools or components that could be used for malicious purposes.
  • Container images are built from trusted sources, and every installed package is signed by its package repository and signature-verified at install time.
  • A non-root user is set in the container and the container processes run as this user.
  • Container images implement proper file permissions and ownership for all files and directories in the image.
  • Unnecessary services or daemons are disabled in the container image. In addition, only the necessary ports are open.
  • Secure configuration settings are implemented in the container image, including proper network configuration, user authentication, and logging.
  • Container images are scanned for vulnerabilities using a reputable vulnerability scanner, and they are regularly updated and patched to address any known security vulnerabilities.
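Several of the items above (a non-root user, only the required ports exposed, sane file permissions) can be verified on a built image before it is pushed. The following is an added example, not Altair's code or any CIS tooling: it runs the checks over an OCI/Docker image config JSON and a layer tarball, the artifacts you get from `docker save` or `skopeo copy`. The config dicts, the layer contents and the allowed-port set are constructed here so the script runs offline.

```python
import io
import json
import stat
import tarfile

# Constructed image configs for the demo (the "config" object from an OCI image
# config blob / `docker inspect`); these are assumptions, not a real image.
WEAK_CONFIG = json.loads("""
{"config": {"User": "", "ExposedPorts": {"8080/tcp": {}, "22/tcp": {}}}}
""")  # empty User => the runtime defaults to root; 22/tcp is not needed

HARDENED_CONFIG = json.loads("""
{"config": {"User": "10001:10001", "ExposedPorts": {"8080/tcp": {}}}}
""")


def check_config(config: dict, allowed_ports: set[int]) -> list[str]:
    """Non-root user and only the ports the application needs (allow-list)."""
    findings = []
    cfg = config.get("config") or {}
    user = str(cfg.get("User") or "").strip()
    uid = user.split(":", 1)[0]          # "uid", "uid:gid" or a user name
    if uid in ("", "0", "root"):
        findings.append("runs as root (USER unset or 0): set a non-root USER")
    for spec in (cfg.get("ExposedPorts") or {}):
        port = int(spec.split("/", 1)[0])
        if port not in allowed_ports:
            findings.append(f"unexpected exposed port {spec}")
    return findings


def check_layer(layer_tar: bytes) -> list[str]:
    """File permissions: no setuid/setgid binaries, no world-writable paths
    (a sticky world-writable directory such as /tmp is the accepted exception)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tf:
        for m in tf:                      # header inspection only, nothing is extracted
            if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(f"setuid/setgid file {m.name} (mode {oct(m.mode)})")
            if m.mode & stat.S_IWOTH and not (m.isdir() and m.mode & stat.S_ISVTX):
                findings.append(f"world-writable {m.name} (mode {oct(m.mode)})")
    return findings


def scan_image(config: dict, layers: list[bytes], allowed_ports: set[int]) -> list[str]:
    """Run both checks over one image; an empty list means the image passed."""
    findings = check_config(config, allowed_ports)
    for layer in layers:
        findings.extend(check_layer(layer))
    return findings


def build_sample_layer(entries) -> bytes:
    """Constructed layer tarball for the demo: entries are (path, mode, is_dir)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, mode, is_dir in entries:
            info = tarfile.TarInfo(path)
            info.mode = mode              # tar keeps the setuid/setgid/sticky bits
            if is_dir:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                data = b"#!/bin/sh\n"
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed layer: one clean binary, one setuid binary, a sticky /tmp and a
# world-writable config file.
SAMPLE_LAYER = build_sample_layer([
    ("usr/bin/app", 0o755, False),
    ("usr/bin/su", 0o4755, False),
    ("tmp", 0o1777, True),
    ("var/app/config.toml", 0o666, False),
])

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for f in scan_image(cfg, [SAMPLE_LAYER], allowed_ports={8080}):
            print(f"{name}: {f}")
```

On a real image, `docker save image | tar -x` yields the config JSON and one tar per layer (gzipped layers are handled by `mode="r:*"`); run `scan_image` over all layers, since a later layer can reintroduce a setuid binary that an earlier one lacked. The checks cover only what is visible in image metadata and file modes; package minimality and known vulnerabilities still need the scanner named in the last item of the list.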