Monitoring the current state of vulnerabilities helps to maintain a high security level by patching and upgrading software components to avoid potential exploits. Metric Insights (MI) App images are scanned on a scheduled basis using tools like JFrog, Trivy, and OWASP Dependency-Check at every stage of development. Under the supervision of the SecOps team, identified issues are categorized and resolved.

The python:3.xx.xx-slim-bookworm image is used as the base for all required components. It is regularly checked for updates to ensure that container images are built on the most recent version. python:3.xx.xx-slim-bookworm is an official Python Docker Image based on Debian Bookworm (Debian 12), which serves as the base Operating System for Metric Insights Docker images. Metric Insights always uses the latest released version of Debian as the base for its Docker images.

By default, Docker containers run as the root user, which can pose security risks if the container is compromised. Additionally, running as root can cause permission issues when sharing folders between the host and the Docker container. Metric Insights Application Docker images are configured to run under a custom non-root user, reducing the risk of potential security breaches and permission conflicts.

The Metric Insights application exposes only the ports necessary for the app to operate.

Starting with Metric Insights v7.1.0, the application operates exclusively within the /opt/mi subfolder, with external or network-shared volumes mounted to /opt/mi/data. The rest of the file system can optionally be restricted at the Docker level by setting the containers to read-only mode.

By default, Docker containers have unlimited access to the host's physical memory and CPU. Without careful control, a misbehaving container can consume more resources than planned, causing performance bottlenecks.

The MI App supports resource limitations. By default, memory usage is capped at 90%, and all system CPUs are available. These policies can be adjusted by the customer during installation.

Secret values such as API keys, passwords, and certificates must be securely managed throughout the software development process and the app’s runtime. Exposure of secrets can be catastrophic, as unauthorized actors could use the credentials for privileged access. Metric Insights App does not contain hardcoded secrets within its component images.

Avoiding the installation of unnecessary packages reduces image complexity, dependencies, file sizes, and build times. Metric Insights App component images are built with only the required tools, avoiding extraneous packages.

1. AppArmor (Application Armor) is a Linux security module that protects the operating system and its applications from security threats. Administrators can associate an AppArmor security profile with each program. Docker expects to find an AppArmor policy loaded and enforced. Metric Insights App uses the docker-default AppArmor profile.
2. Seccomp (Secure Computing Mode) is a Linux kernel feature that enhances security by restricting the system calls a process can make. It allows a process to specify a whitelist of allowed system calls, effectively limiting its interaction with the operating system and reducing the attack surface. This is particularly useful in containerized environments, like Docker, to enforce stricter isolation and prevent potential exploits.

Docker health checks are a feature that assesses and reports the health of a running container based on the hosted application. Health checks ensure that the application running inside the container is functioning correctly. Every Metric Insights component container has an appropriate health check to ensure proper operation.

Docker Content Trust (DCT) enables the use of digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.

Every Metric Insights image is signed. Trust data for a tag can be viewed using the docker trust inspect command with MI DCT Server DOCKER_CONTENT_TRUST_SERVER=https://docker.metricinsights.com:4443.

Docker image history contains a plain list of instructions used to build a particular image. Every Metric Insights component Docker image includes a detailed history, which can be reviewed when needed.