I'm just getting started with Docker, and I see that there are lots of images available at the docker hub repository. It seems like the normal way to set up a new docker container is to copy one of these images and go from there. But how do I know that these containers don't have malicious code in them, or that they don't compromise my security in some other way?
For instance but how do I know that the OS in the container isn't (for example) capturing keystrokes if I ssh into it, or hijacking system resources for some other purpose?
The images marked as "Trusted build" are built by Docker on their server from the sources given by the user. You can easily check the Dockerfile from where the image have been built to check for malicious code.
You also have the 'official' images (those that does not start with 'somthing/') that are officially supported by Docker. If you trust Docker, inc, you can trust those image.
For the third part images, not from a trusted build and not from Docker, then you can check the history with docker history <image> (after pulling it) to see how it has been built, but common sense applies. It cannot be trusted.
Docker is working of provenance, so we should soon see CA Certificates check and proof of origin. Until then, just be careful are use only trusted build that you checked or official images.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With