About the course
This intensive one-day masterclass focuses on the specialized domain of container security, moving beyond basic configuration to advanced supply chain protection. As organizations increasingly rely on third-party base images and automated pipelines, understanding how to verify provenance and enforce policy is critical.
We dive deep into the mechanics of Software Bill of Materials (SBOMs), image signing, and the practical application of the CIS Docker Benchmark to reduce the attack surface of your infrastructure - all of which will play a vital part in compliance with UK and EU Cybersecurity and Resilience legislation.
Participants will learn how to transition from reactive vulnerability patching to a proactive "Policy as Code" posture. By integrating tools like Docker Scout and Sigstore/cosign directly into CI/CD workflows, you will gain the skills to achieve SLSA Level 3 compliance and ensure that only verified, scanned, and authorized artifacts reach your production environment.
Instructor-led online and in-house face-to-face options are available - as part of a wider customised training programme, or as a standalone workshop, on-site at your offices or at one of many flexible meeting spaces in the UK and around the world.
By the end of this course, attendees will be able to:
- Harden Dockerfiles using non-root execution, read-only filesystems, and secure secret handling.
- Implement automated vulnerability management and remediation workflows using Docker Scout.
- Generate and analyse SBOMs in SPDX and CycloneDX formats to track software dependencies.
- Establish a trusted supply chain through image signing, verification, and SLSA provenance attestations.
- Audit and benchmark Docker configurations against the CIS Docker Benchmark.
This course is designed for Security Engineers, DevOps Leads, and Senior Developers tasked with securing cloud-native applications. It is ideal for professionals working in regulated industries or those aiming to implement rigorous DevSecOps practices within their CI/CD pipelines.
Attendees should have attended our Docker Training Course or have equivalent skills: a solid grasp of Docker fundamentals, including building images and managing containers. Familiarity with CI/CD concepts (such as GitHub Actions or GitLab CI) and basic cryptographic principles (public/private keys) is highly recommended.
This Docker Security course is available for private / custom delivery for your team - as an in-house face-to-face workshop at your location of choice, or as online instructor-led training via MS Teams (or your own preferred platform).
Get in touch to find out how we can deliver tailored training which focuses on your project requirements and learning goals.
Hardening the Container Foundation
- Base Image Hygiene: Identifying and migrating to minimal footprints like Alpine and Distroless.
- Immutable Tagging: Moving from semantic tags to immutable digest pinning (sha256).
- Update Strategies: Patterns for automated base image patching and rebuilds.
Secure Image Engineering
- Dockerfile Best Practices: Implementing the USER instruction and multi-stage builds for dependency isolation.
- Filesystem Security: Configuring read-only containers and using temporary filesystems (tmpfs) for volatile data.
- Secret Management: Preventing credential leakage via build-time secret mounts and environment variable avoidance.
Vulnerability Management and Transparency
- Continuous Scanning: Integrated vulnerability detection with Docker Scout.
- SBOM Fundamentals: Generating and utilising Software Bills of Materials in SPDX and CycloneDX formats.
- Remediation Workflows: Interpreting scan results and prioritising fixes based on exploitability.
Supply Chain Security and Attestations
- Image Signing: Using Sigstore/cosign for digital signatures and keyless signing.
- Verification: Enforcing signature checks at the registry and runtime levels.
- SLSA Framework: Achieving SLSA Level 3 through build provenance attestations.
- Attestation Storage: Managing signatures and metadata alongside images in the registry.
Policy and Compliance
- Policy as Code: Defining and enforcing security gates in CI/CD pipelines.
- Registry Hardening: Access control, image lifecycle policies, and private registry security.
- CIS Docker Benchmark: Auditing the host, daemon, and container configurations against industry standards.