Website-Pflichtencheckby Jurono
SecurityHostingTechnicalMaintenanceWebsite

Your Docker Container Works. But Is It Secure?

A practical security check for Docker-based websites, SaaS projects, and agency deployments.

By Jurono
Updated: July 8, 2026

A Docker container that starts successfully is not automatically a secure container.

That is the uncomfortable part. Docker makes deployments more reproducible, portable, and manageable. For SaaS teams, agencies, freelancers, and website owners, that is a real advantage. But Docker does not magically remove security work. It moves part of that work into another layer.

So the real question is not: Is the website running? The better question is: If someone gets access to this container, how much damage could they do?

The common mistake

Many teams treat Docker like packaging: put the app inside, build an image, start a container, ship it. That may be good enough for a quick internal test. It is not enough for a production website with forms, logins, customer data, payment flows, or analytics.

OWASP describes Docker as a technology that can improve security when used correctly, but also warns that misconfigurations can lower security or introduce new risks. Critical examples include exposed Docker sockets, root processes inside containers, excessive capabilities, missing updates, weak secret handling, and missing image scanning (OWASP Docker Security Cheat Sheet).

The problem is rarely Docker itself. The problem is the setup that was created under launch pressure and then never reviewed again.

Quick self-check: Docker red flags

If several of these apply, the deployment deserves a closer look:

  • The container runs as root although the application does not require it.
  • /var/run/docker.sock is mounted into a container.
  • Secrets live in .env files, build args, images, or CI/CD logs.
  • The base image is unpinned or has not been updated for months.
  • Images are not scanned regularly for known vulnerabilities.
  • A container runs with privileged: true.
  • More ports are published than the application actually needs.
  • There are no resource limits for CPU, memory, or process count.
  • Volumes are poorly documented and nobody knows exactly where persistent data lives.
  • There is no documented restore test for the full stack.

None of these points automatically means the system is compromised. But each one increases the attack surface or makes recovery harder when something goes wrong.

Running as root is convenient — and often unnecessary

A common mistake is running the application inside the container as the root user because the image was built that way or because it made the first deployment easier. OWASP recommends running containers with an unprivileged user. This can be configured in the Dockerfile with USER or at runtime with the relevant Docker options (OWASP Docker Security Cheat Sheet).

This is not a silver bullet. But it is an important baseline: if an attacker can execute code through the application, that code should not automatically run with unnecessary privileges. For some environments, Rootless Docker can also be relevant. Docker describes rootless mode as a way to run both the Docker daemon and containers as a non-root user to reduce risks in the daemon and container runtime area (Docker Docs: Rootless mode).

The Docker socket is not a harmless shortcut

The Docker socket /var/run/docker.sock is especially sensitive. Whoever can access it can interact with the Docker API and trigger highly privileged actions on the host. OWASP states clearly that access to the socket is effectively close to unrestricted root access on the host (OWASP Docker Security Cheat Sheet).

Still, the socket appears in many setups: management UIs, deployment tools, monitoring containers, or automation scripts. That is not always wrong. But it should never be accidental. If a container needs access to the Docker socket, the team should know why that access is necessary, which alternatives were checked, who can access the interface and how the component is maintained.

A Docker socket mount is not a tiny implementation detail. It is an architectural decision.

Image scanning is no longer optional hygiene

Container images contain operating system packages, runtimes, and application dependencies. Those components can have known vulnerabilities. Docker Scout analyzes images, creates a Software Bill of Materials (SBOM), and matches included components against a vulnerability database (Docker Docs: Docker Scout).

For smaller teams, this does not mean every CVE should trigger panic. Scanners can be noisy. What matters is a practical process: scan images regularly, prioritize critical findings, update base images deliberately, test updates and document accepted risks.

Secrets do not belong in the image

Another classic issue: API keys, database passwords, or tokens end up in the build process, .env files, CI logs, or even the image itself. That is dangerous because images are copied, cached, pushed, and stored in registries. Once a secret is part of an image layer, removing it cleanly can be harder than expected.

A practical minimum standard: No secrets in the Dockerfile, no production secrets as normal build args, do not commit .env files, review CI/CD logs, provide secrets through hosting environment variables, a secret manager, Docker Secrets or comparable mechanisms, and rotate secrets after vendor or team changes.

What Website-Pflichtencheck would inspect

A Docker security check does not need to be an abstract enterprise audit. For many websites, a practical look at the real deployment is much more valuable:

  • Does the application run with unnecessary root privileges?
  • Are Dockerfile and Compose files understandable and maintainable?
  • Are dangerous mounts like the Docker socket used?
  • Are ports, networks, and volumes configured deliberately?
  • Are health checks, restart rules, and resource limits defined?
  • Are images scanned regularly?
  • Are base images, runtimes, and dependencies maintained?
  • Are secrets separated from the image?
  • Is there documentation for rebuilding the website from repository and backup?
  • Is it clear who has access during an incident?

The goal is not to make every project more complicated. The goal is to avoid expensive surprises.

Conclusion: a running container is not proof of security

Docker makes deployments easier. But a container that starts proves only one thing: it starts.

It does not prove that privileges are minimal. It does not prove that secrets are handled cleanly. It does not prove that the image is up to date. And it does not prove that the project can be restored quickly after an incident.

If your web project runs on Docker and nobody can confidently answer the questions above, a technical check is useful. Not as a panic measure, but as a reality check. Website-Pflichtencheck can help make those risks visible, document technical weaknesses, and prioritize concrete next steps before a small deployment detail becomes an expensive incident.

Jurono logo

Jurono

Technical website audits, website fixes, and AI code rescue for small businesses, practices, law firms, and founders in Germany.

Get our free security checklist before you go.

Download free PDF

Matching offers

Move forward directly

Based on the topics in this article — without a long search.

Pflichtencheck Pro

When the website matters, but nobody knows which technical required signals, risks, and fixes actually have priority.

549

Audit, assessment, and concrete action plan within 3-5 business days.

  • Everything from the Quick Scan, assessed and documented in more depth
  • Concrete findings for cookie, tracking, and external service signals
  • Visible required areas checked technically, without legal advice
Request Pflichtencheck Pro

Website Protection & Maintenance

For small businesses without an internal web team that need ongoing technical calm instead of occasional emergencies.

279/month

Monthly technical support after a short onboarding check.

  • Updates and backups supported in a controlled way depending on system access
  • Monthly short check for new technical findings
  • Up to 90 minutes of small changes or fixes per month
Secure Website Protection & Maintenance

Website Quick Scan

When nobody is sure which scripts, cookie signals, or technical risks are currently running on the site.

249

Technical first assessment and clear priorities within two business days.

  • Quickly see whether tracking, cookies, external services, or HTTPS look suspicious
  • Mobile, load time, and technical issues explained in plain language
  • The most important points in a short priority list
Start Website Quick Scan

Get clarity before you commit to fixes.

Start with a technical check. If the findings are minor, you can stop there, hand the report to your existing team, or book targeted fixes later.

Technical audit and implementation, not legal advice. I check visible signals, integrations, and delivery issues; legal texts and binding legal assessments remain the work of lawyers or privacy consultants.

Your Docker Container Works. But Is It Secure?