CIS Docker Benchmark (Distroless)
Target: Distroless Image | Profile: Level 1 - Container | Hardening: Production Grade
Compliance Scorecard
- Automated Score: 100% (verified on 6 automated checks)
- Manual Review: 6 infrastructure audit items
- Hardening Failures: 0 (items requiring an image update)
Automated Hardening Verified
The Distroless image satisfies all automated CIS requirements. It provides a minimal attack surface by omitting unnecessary binaries and shells. The host-level manual checks still need to be verified separately.
Detailed Audit Log
1. Automated Controls (Static Image Analysis)
| Status | ID | Control Description | Severity |
|---|---|---|---|
| Passed | 4.1 | Ensure a user for the container has been created | HIGH |
| Passed | 4.4 | Ensure images are scanned and rebuilt to include security patches | CRITICAL |
| Passed | 4.6 | Ensure HEALTHCHECK instructions have been added to the container image | LOW |
| Passed | 4.7 | Ensure update instructions are not used alone in the Dockerfile | HIGH |
| Passed | 4.9 | Ensure COPY is used instead of ADD | LOW |
| Passed | 4.10 | Ensure secrets are not stored in Dockerfiles | CRITICAL |
2. Manual / Host-Level Controls
| Status | ID | Control Description | Severity |
|---|---|---|---|
| Manual | 4.2 | Ensure that containers use only trusted base images (Manual) | HIGH |
| Manual | 4.3 | Ensure unnecessary packages are not installed in the container (Manual) | HIGH |
| Manual | 4.5 | Ensure Content Trust for Docker is enabled (Manual) | LOW |
| Manual | 4.8 | Ensure setuid and setgid permissions are removed in the images (Manual) | HIGH |
| Manual | 4.11 | Ensure only verified packages are installed (Manual) | MEDIUM |
| Manual | 4.12 | Ensure all signed artifacts are validated (Manual) | MEDIUM |
Audit Legend
- Passed: Policy is enforced within the distroless layers.
- Failed: Violation detected (e.g., setuid permissions).
- Manual: Host-dependent check (e.g., Docker Daemon logging, Content Trust).