You thought you figured out how to build your Node.js web applications with Docker? Chances are, you're probably missing out on a lot! Many articles on this topic have been written, yet sadly, without thoughtful consideration of security and production best practices for building Node.js Docker images. In this session, we run through step-by-step production-grade guidelines for building optimized and secure Node.js Docker images by understanding the pitfalls and insecurities with every Dockerfile directive and then fixing it. We will also be hacking a live running Node.js Docker container and demonstrate several vectors of attacks. Join in and master the Node.js best practices for Docker-based applications.

1. Master production-grade best practices
to build your Node.js Docker images
Liran Tal
Snyk

2. @liran_tal
“87% of developers
go to sleep upset
because of terrible
Node.js Docker images”
- Anonymous

3. @liran_tal
FROM node
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
“it works”

4. @liran_tal
FROM node
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
$ docker build . -t nodejs-tutorial
$ docker run -p 3000:3000 nodejs-tutorial
RUN npm install

5. @liran_tal
FROM node
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
No reproducible builds
▶

6. @liran_tal
FROM node
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
Large software footprint
▶

7. @liran_tal
FROM node
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
Sensitive Data Exposure
▶

8. @liran_tal
FROM node
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
Unneeded dependencies
▶

9. @liran_tal
FROM node
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
No graceful shutdown
▶

10. Liran Tal
@liran_tal
Developer Advocate @Snyk
Node.js Ecosystem Security
working group
OWASP Project Lead
GitHub Star

11. @liran_tal
Docker Images Best Practices

12. @liran_tal
https://snyk.io/blog

13. @liran_tal
Docker Images Best Practices
Vulnerabilities at the heart of
developer tooling

14. @liran_tal
Attacking the heart of
developer tooling
// April 15, 2021
Codecov is a code quality tool
Disclosing a compromised artifact used in CI

15. @liran_tal
Attacking the heart of
developer tooling
// April 15, 2021
“Security response professionals are scrambling to measure the fallout from a
software supply chain compromise of Codecov Bash Uploader that went
undetected since January and exposed sensitive secrets like tokens, keys and
credentials from organizations around the world.”
// SecurityWeek.com

16. @liran_tal
Attacking the heart of
developer tooling
How did Codecov learn of Bash Uploader incident?
shasum,
4 months later,
by a community member
// April 15, 2021

17. @liran_tal
Attacking the heart of
developer tooling
// April 15, 2021
source: https://www.bleepingcomputer.com/news/security/codecov-hackers-gained-access-to-mondaycom-source-code

18. @liran_tal
Use explicit and deterministic Docker
base image tags

19. @liran_tal
FROM node
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
▶

20. @liran_tal
FROM node:latest
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
What image are you pulling?
▶

21. @liran_tal
FROM node:latest
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
No reproducible builds
There’s a reason we use lockfiles,
Treat your container images the same
▶

22. @liran_tal
FROM node:latest
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
Large software footprint
More software == more software risk
▶

23. @liran_tal

24. @liran_tal
FROM node@sha256:b2da3316ac
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
✔ Reproducible builds
☹ Unmaintainable hash
▶

25. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"
✔ Reproducible builds
✔ Maintainable hash
▶

26. @liran_tal
Optimize Node.js tooling for production

27. @liran_tal
FROM node
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN NODE_ENV=production npm install
CMD "npm" "start"
▶

28. @liran_tal

29. @liran_tal

30. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
✔ Frameworks and Libraries
are optimized

31. @liran_tal
Don’t run containers as root

32. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
Which user owns this process?
▶

33. @liran_tal
const child_process = require('child_process');
child_process.exec(cmd);
What if cmd is user controlled?

34. @liran_tal
const PDFImageLib = require("pdf-image").PDFImage;
const pdfData = new PDFImageLib(pdfFilePath);
npm install pdf-image

35. @liran_tal
const PDFImageLib = require("pdf-image").PDFImage;
const pdfData = new PDFImageLib(pdfFilePath);
What if pdfFilePath is user controlled?

36. @liran_tal
const PDFImageLib = require("pdf-image").PDFImage;
const pdfData = new PDFImageLib("asd.pdf"; touch /tmp/hacked"");
Like this ☝

37. @liran_tal
const PDFImageLib = require("pdf-image").PDFImage;
const pdfData = new PDFImageLib("asd.pdf"; touch /tmp/hacked"");

38. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
USER node
CMD "npm" "start"
Drop privileges before executing
▶

39. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
USER node
CMD "npm" "start"
Drop privileges before executing
But what about the files we copied?
▶

40. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY --chown=node:node . /usr/src/app
RUN npm ci --only=production
USER node
CMD "npm" "start"
✔ Drop privileges before executing
✔ Preserve proper permissions

41. @liran_tal
Terminate Node.js apps gracefully

42. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
▶

43. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
▶

44. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
CMD ["yarn", "start"]
▶

45. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
CMD ["yarn", "start"]
CMD “node” “server.js”
▶

46. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
CMD ["yarn", "start"]
CMD “node” “server.js”
CMD “start-app.sh”
▶

47. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
CMD ["yarn", "start"]
CMD “node” “server.js”
CMD “start-app.sh”
▶

48. @liran_tal
container
orchestration
engines
SIGKILL

49. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
▶
Who says npm forwards SIG* to your
Node.js process?

50. @liran_tal
process.on('SIGHUP', function handle(signal) {
console.log(`*^!@4=> Received event: ${signal}`)
});
1
$ docker kill --signal=SIGHUP quizzical_mendel
2
$ docker run
3

51. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
CMD "node" "start"
▶
Do you know what this shellform
notation actually means?

52. @liran_tal
root@bd200413173f:/usr/src/app# ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4280 764 ? Ss 07:42 0:00 /bin/sh -c "node" "server.js"
root 8 0.4 1.9 599108 39280 ? Sl 07:43 0:00 node server.js
root 15 0.8 0.1 18188 3228 pts/0 Ss 07:44 0:00 /bin/bash
root 24 0.0 0.1 36636 2800 pts/0 R+ 07:44 0:00 ps -aux
▶
PID who dis?

53. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD "npm" "start"
CMD "node" "start"
CMD ["node", "start"]
▶
Let’s try with execform

54. @liran_tal
“Node.js was not designed to run as PID 1 which leads to
unexpected behaviour when running inside of Docker.
For example, a Node.js process running as PID 1 will not
respond to SIGINT (CTRL-C) and similar signals”
- Node.js Docker working group
recommendations, [source].

55. @liran_tal
FROM node:lts-alpine@sha256:b2da3316ac
RUN apk add dumb-init
ENV NODE_ENV production
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm ci --only=production
CMD ["dumb-init", "node", "server.js"]
▶
Lightweight init system: dumb-init
▶

56. @liran_tal
Gracefully terminate applications means
you need to clean up resources, and other chores

57. @liran_tal
async function closeGracefully(signal) {
console.log(`*^!@4=> Terminating: ${signal}`)
await fastify.close()
// await db.close() if we have a db connection
process.exit()
}
process.on('SIGINT', closeGracefully)
process.on('SIGTERM', closeGracefully)
▶

58. @liran_tal
Y U No Fix Your
Vulnerable Node.js Docker Images ?

59. @liran_tal
$ docker scan node:14.10.1
✗ High severity vulnerability found in imagemagick/libmagickcore-6.q16-3
Description: XML Injection
Info: https://snyk.io/vuln/SNYK-DEBIAN9-IMAGEMAGICK-1049975
Introduced through: imagemagick@8:6.9.7.4+dfsg-11+deb9u10
From: imagemagick@8:6.9.7.4+dfsg-11+deb9u10 and 24 more…
Image layer: Introduced by your base image (node:14.10.1)
Fixed in: 8:6.9.7.4+dfsg-11+deb9u11
▶

60. @liran_tal
$ docker scan node:14.10.1
✗ High severity vulnerability found in imagemagick/libmagickcore-6.q16-3
Description: XML Injection
Info: https://snyk.io/vuln/SNYK-DEBIAN9-IMAGEMAGICK-1049975
Introduced through: imagemagick@8:6.9.7.4+dfsg-11+deb9u10
From: imagemagick@8:6.9.7.4+dfsg-11+deb9u10 and 24 more…
Image layer: Introduced by your base image (node:14.10.1)
Fixed in: 8:6.9.7.4+dfsg-11+deb9u11
▶

61. @liran_tal
$ docker scan node:14.10.1
✗ High severity vulnerability found in imagemagick/libmagickcore-6.q16-3
Description: XML Injection
Info: https://snyk.io/vuln/SNYK-DEBIAN9-IMAGEMAGICK-1049975
Introduced through: imagemagick@8:6.9.7.4+dfsg-11+deb9u10
From: imagemagick@8:6.9.7.4+dfsg-11+deb9u10 and 24 more…
Image layer: Introduced by your base image (node:14.10.1)
Fixed in: 8:6.9.7.4+dfsg-11+deb9u11
▶

62. @liran_tal
$ docker scan node:14.10.1
✗ High severity vulnerability found in imagemagick/libmagickcore-6.q16-3
Description: XML Injection
Info: https://snyk.io/vuln/SNYK-DEBIAN9-IMAGEMAGICK-1049975
Introduced through: imagemagick@8:6.9.7.4+dfsg-11+deb9u10
From: imagemagick@8:6.9.7.4+dfsg-11+deb9u10 and 24 more…
Image layer: Introduced by your base image (node:14.10.1)
Fixed in: 8:6.9.7.4+dfsg-11+deb9u11
Tested 412 dependencies for known issues, found 624 issues.
▶

63. @liran_tal
What’s the worst that can happen?
🙃
$ docker scan node:14.10.1
Tested 412 dependencies for known issues, found 624 issues.

64. @liran_tal
$ docker scan node:14.10.1
✗ High severity vulnerability found in imagemagick/libmagickcore-6.q16-3
Description: XML Injection
Info: https://snyk.io/vuln/SNYK-DEBIAN9-IMAGEMAGICK-1049975
Introduced through: imagemagick@8:6.9.7.4+dfsg-11+deb9u10
From: imagemagick@8:6.9.7.4+dfsg-11+deb9u10 and 24 more…
Image layer: Introduced by your base image (node:14.10.1)
Fixed in: 8:6.9.7.4+dfsg-11+deb9u11
Tested 412 dependencies for known issues, found 624 issues.
▶
What now? 😕󰤇

65. @liran_tal
$ docker scan node:14.10.1 --file=Dockerfile
▶

66. @liran_tal
$ docker scan node:14.10.1 --file=Dockerfile
Tested 412 dependencies for known issues, found 624 issues.
Base Image Vulnerabilities Severity
node:14.10.1 624 93 high, 77 medium, 454 low
Recommendations for base image upgrade:
node:14.16 561 63 high, 57 medium, 441 low
node:14.16-buster-slim 58 10 high, 5 medium, 43 low
node:14.16.0-slim 75 18 high, 8 medium, 49 low
node:15-stretch-slim 75 18 high, 8 medium, 49 low
node:15.10-buster 325 38 high, 46 medium, 241 low
▶

67. @liran_tal
$ docker scan node:14.10.1
✗ High severity vulnerability found in imagemagick/libmagickcore-6.q16-3
Description: XML Injection
Info: https://snyk.io/vuln/SNYK-DEBIAN9-IMAGEMAGICK-1049975
Introduced through: imagemagick@8:6.9.7.4+dfsg-11+deb9u10
From: imagemagick@8:6.9.7.4+dfsg-11+deb9u10 and 24 more…
Image layer: Introduced by your base image (node:14.10.1)
Fixed in: 8:6.9.7.4+dfsg-11+deb9u11
Tested 412 dependencies for known issues, found 624 issues.
▶
What now? 😕󰤇

68. @liran_tal
$ docker scan node:14.10.1 --file=Dockerfile
▶

69. @liran_tal
$ docker scan node:14.10.1 --file=Dockerfile
Tested 412 dependencies for known issues, found 624 issues.
Base Image Vulnerabilities Severity
node:14.10.1 624 93 high, 77 medium, 454 low
Recommendations for base image upgrade:
node:14.16 561 63 high, 57 medium, 441 low
node:14.16-buster-slim 58 10 high, 5 medium, 43 low
node:14.16.0-slim 75 18 high, 8 medium, 49 low
node:15-stretch-slim 75 18 high, 8 medium, 49 low
node:15.10-buster 325 38 high, 46 medium, 241 low
▶

70. @liran_tal
▶

71. @liran_tal
Want more?

72. @liran_tal
Level up your Node.js container-fu
Follow best practices for building containers securely
source: https://snyk.io/blog/10-best-practices-to-containerize-nodejs-web-applications-with-docker/

73. @liran_tal
Own your Node.js containers security
Scan and monitor your Code repository & Docker images

74. @liran_tal
May the container gods
keep you safe 🙏
Liran Tal
liran_tal