# 5 Best Practices To Help Secure Docker with Prisma Cloud

By [Derek Rogerson](https://www.paloaltonetworks.com/blog/author/derek-rogerson/?ts=markdown "Posts by Derek Rogerson"), Sep 17, 2024, 5 minutes

[Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown) [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown) [Compliance](https://www.paloaltonetworks.com/blog/cloud-security/category/compliance/?ts=markdown) [Docker](https://www.paloaltonetworks.com/blog/tag/docker/?ts=markdown) [Partners](https://www.paloaltonetworks.com/blog/tag/partners/?ts=markdown)

*Discover best practices to help secure your Docker environment with Prisma Cloud.*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-327812-1.png)

*The Prisma Cloud Compliance Explorer showing Docker policy compliance and checks*

Prisma Cloud can help improve the
security of your [Docker](https://www.paloaltonetworks.com/cyberpedia/docker) environment. Use Prisma Cloud to scan container images for vulnerabilities and misconfigurations in the DevOps IDE, PR workflows and [CI/CD pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security) for complete protection from code to cloud. Here are five best practices to help you secure Docker environments with Prisma Cloud.

## Best Practice #1: Use Prisma Cloud to Help Support Docker DISA STIG Compliance

Prisma Cloud helps public sector users quickly assess and control their [microservices](https://www.paloaltonetworks.com/cyberpedia/what-are-microservices) environments with Docker DISA STIG compliance: specific security checks and guidance for Docker on Linux and UNIX-based operating systems.

The Defense Information Systems Agency (DISA), a DoD agency, collaborates with private industry to create Security Technical Implementation Guides (STIGs). With Prisma Cloud, you can help ensure public sector compliance for your Docker environment using the [Docker Enterprise 2.x Linux/UNIX STIG](https://www.docker.com/blog/docker-enterprise-first-disa-stig-container-platform/), which includes configuration standards for Department of Defense IA and IA-enabled devices and systems.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-327812-2.png)

*Prisma Cloud Console showing setup of DISA STIG rules and alerts, such as failing builds that allow containers to run as root (check #41)*

## Best Practice #2: Use Prisma Cloud to Protect Against Leaky Vessels Critical Vulnerabilities Affecting Docker

Four recent critical CVEs are affecting Docker.
Since each [Leaky Vessel](https://www.paloaltonetworks.com/blog/prisma-cloud/leaky-vessels-vulnerabilities-container-escape/) vulnerability resides in a critical component of the [container ecosystem](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container) (runc, which spawns containers; Docker and BuildKit, which build images; and Moby, the container platform), the potential impact ranges from unauthorized file deletion to a complete host compromise. Prisma Cloud identifies workloads affected by Leaky Vessels and provides simple guidance on how to remediate with Docker.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-327812-3.png)

*Leaky Vessels CVE-2024-21626 critical vulnerability detected in the Prisma Cloud CVE Viewer*

As a best practice, review your existing Dockerfiles and treat Dockerfiles from untrusted sources with caution. Scrutinize them for suspicious RUN and USER instructions and for misconfigured settings.

## Best Practice #3: Use Prisma Cloud to Monitor Access Control of Existing Dockerfiles

Prisma Cloud lets you control access to Docker commands based on group membership or on a user-by-user basis. For example, after integrating [Prisma Cloud with Active Directory, OpenLDAP or SAML](https://www.paloaltonetworks.com/cyberpedia/what-is-identity-and-access-management), you just need to create a group called Dev Team. Then, in the Prisma Cloud Console, you can help secure Docker by granting all users in Dev Team permission to run Docker commands remotely on hosts in the development environment while denying them permission to create, start or stop containers on hosts in the production environment.

With [Prisma Cloud](https://www.paloaltonetworks.com/prisma/environments/docker), you gain better control over Docker activities and can manage rules governing Docker configurations, containers, images, nodes, plugins, services and more, to ensure your Docker environment runs the way you choose.
To better understand the intended behavior of each access rule policy in the Prisma Cloud Console UI, see our [list of Prisma Cloud access rules for Docker](https://docs.prismacloud.io/en/enterprise-edition/content-collections/runtime-security/runtime-security-components/rules-guide).

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-327812-4.png)

*Docker compliance and governance overview within the Prisma Cloud Console*

## Best Practice #4: Use Prisma Cloud to Shift Security Left and Scan Images in the Docker Registry V2

The Docker Registry is a system for versioning, storing and distributing Docker images. You can use Prisma Cloud to [identify code risks](https://www.paloaltonetworks.com/prisma/cloud/software-composition-analysis) in the Docker Registry at the same time that developers are building and testing software. With Prisma Cloud you can choose to be proactive and shift left by checking open-source packages and images for vulnerabilities and compliance issues across Docker Registry V2 (and GitHub, and many other repositories).

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-327812-5.png)

*Prisma Cloud lets you shift security left and scan your Docker V2 registry images for vulnerabilities.*

## Best Practice #5: Use Prisma Cloud to Help You Securely Configure Your Docker Environment

Prisma Cloud alerts you when your Docker environment is configured insecurely. Among the many Docker security risks Prisma Cloud alerts on, the following are high-severity Docker misconfigurations that you can avoid:

* Prisma Cloud alerts you when the --force-yes option is used with the APT package manager (apt-get) in Dockerfiles. This perilous configuration automatically answers "yes" to all prompts during package installation, which can lead to malicious software or insecure package versions being embedded in your Docker images.
* Prisma Cloud alerts you when the GIT_SSL_NO_VERIFY environment variable is set to true in Dockerfiles, a critically insecure state. When set to true, it instructs Git to bypass SSL certificate verification when cloning repositories or interacting with remote servers, which can lead to man-in-the-middle (MitM) attacks, cloning of malicious repositories, code alterations, or the leaking of sensitive information.
* Prisma Cloud also alerts you when the --nosignature option is used with the Red Hat Package Manager (RPM) in Dockerfiles, a substantial security risk. Turning this option on directs RPM to bypass package signature verification during installation, which can lead to malicious software or vulnerable versions being incorporated into your Docker container image.

## Docker Is Better Together with Security by Prisma Cloud

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-327812-6.png)

Palo Alto Networks is a Leader and Outperformer in the [2023 GigaOm Container Security Radar](https://start.paloaltonetworks.com/2023-gigaom-radar-for-container-security.html), with Prisma Cloud offering the strongest threat intelligence and registry scanning capabilities available for container workloads.

Don't neglect the security of your Docker environment. Use Prisma Cloud to scan container images for vulnerabilities and misconfigurations in the DevOps IDE, PR workflows and CI/CD pipeline for complete protection from code to cloud. Learn more about securing Docker with Prisma Cloud on our [Docker environment page](https://www.paloaltonetworks.com/prisma/environments/docker).

Want to try out our industry-recognized cloud-native security solution? Get started now on a [free trial of Prisma Cloud](https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial).
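As an added example (not code from this post or from Prisma Cloud), the following Python linter flags the three high-severity Dockerfile misconfigurations listed under Best Practice #5 (apt-get --force-yes, GIT_SSL_NO_VERIFY=true, rpm --nosignature) together with a final USER of root, the run-as-root condition the post cites as DISA STIG check #41 under Best Practice #1. The two sample Dockerfiles it scans are constructed for this example.

```python
import re
# Constructed sample Dockerfiles, not taken from the original post. The first
# carries the three Best Practice #5 misconfigurations and ends up running as
# root (the condition the post cites as DISA STIG check #41); the second is fixed.
INSECURE_DOCKERFILE = """\
FROM ubuntu:22.04
ENV GIT_SSL_NO_VERIFY=true
RUN apt-get update && \\
    apt-get install -y --force-yes curl git
RUN rpm -ivh --nosignature ./tool.rpm
RUN git clone https://example.invalid/repo.git /opt/repo
USER root
"""
HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends curl git \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --create-home app
USER app
"""

def parse_instructions(text):
    """Yield (start_line, INSTRUCTION, argument); joins backslash continuations, skips comments."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = no if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        parts = " ".join(buf + [line]).split(None, 1)
        yield start, parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        buf, start = [], None

def parse_env(arg):
    """Accept both `ENV K=V K2=V2` and the legacy `ENV K V` form."""
    if not arg:
        return []
    if "=" in arg.split(None, 1)[0]:
        return [tuple(p.split("=", 1)) for p in arg.split() if "=" in p]
    key, _, val = arg.partition(" ")
    return [(key, val.strip())]

def lint_dockerfile(text):
    """Return (line, check, detail) tuples; line 0 means the file as a whole."""
    findings, last_user = [], None
    for no, inst, arg in parse_instructions(text):
        if inst == "RUN":
            # [^&|;]* keeps the flag bound to the apt/rpm command it follows
            if re.search(r"\bapt(?:-get)?\b[^&|;]*--force-yes", arg):
                findings.append((no, "apt-force-yes", "apt-get answers yes to every prompt"))
            if re.search(r"\brpm\b[^&|;]*--nosignature", arg):
                findings.append((no, "rpm-nosignature", "rpm skips package signature verification"))
        elif inst == "ENV":
            for key, val in parse_env(arg):
                if key == "GIT_SSL_NO_VERIFY" and val.strip("\"'").lower() in ("true", "1"):
                    findings.append((no, "git-ssl-no-verify", "git skips TLS certificate verification"))
        elif inst == "USER":
            last_user = (no, arg.split(":")[0].strip())
    # The last USER instruction decides which account the container runs as.
    if last_user is None:
        findings.append((0, "runs-as-root", "no USER instruction; container runs as root"))
    elif last_user[1] in ("root", "0"):
        findings.append((last_user[0], "runs-as-root", "final USER is root"))
    return findings
```

Running `lint_dockerfile(INSECURE_DOCKERFILE)` reports four findings with the line each starts on, while the hardened file reports none; the same function can be dropped into a pre-commit hook or CI step to fail builds before an image reaches the registry.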