docker-bench-security VS docker

Scanning your container images for vulnerabilities is a good approach. But this scanning is not one time job, it should be done regularly (weekly, monthly, etc.) You need to follow vulnerability reports and fix all of the vulnerabilities as soon as possible. I recommend some open-source tools that could be useful: Trivy, Docker-Bench, Grype.

For Docker configuration I have used this in the past (it utilizes the CIS Docker Benchmark): https://github.com/docker/docker-bench-security

So the main tool to scan against the CIS Docker benchmark (I'm presuming that's the one you're interested in) is https://github.com/docker/docker-bench-security .

git clone https://github.com/docker/docker-bench-security.git cd docker-bench-security sudo sh docker-bench-security.sh

when deploying images on cloud, I always run it thru "docker bench security" It helps finding potential security holes in my images.

Use Docker Bench for Security to audit your container images

Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

I run https://github.com/docker/docker-bench-security against my environment. I would determine what was non-applicable/not scored and then start with scored. Then I would do not scored. My team had made their own Dockerfiles when I started and just grabbed whatever image/version and getting things baselined was not fun. I had to do this for docker-compose and stay on version 2 yml as otherwise I had to go to swarm.

Am I better off using this container: https://hub.docker.com/_/nextcloud/

It looks like I'm not the only person who has faced this. apache-based images require buster, for instance, and some docker images that rely on Ruby face issues too (for example, I decided to try setting up Postal but it looks like it's facing the same issues).

If you look at the info on https://hub.docker.com/_/nextcloud, you'll see that you aught to be specifying at least one volume, so that you have the data you want to not disappear on restart, and can access config files.

Yes, and this is what L passed through as the env variables in the docker compose file, as the docs state: https://hub.docker.com/_/nextcloud

You can't map binaries from host to container like this. What you need is a custom Dockerfile that installs ffmpeg. https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm/Dockerfile

A good example to start with is at https://github.com/nextcloud/docker/tree/master/.examples/docker-compose/insecure/postgres/apache

Nextcloud is free and open source. The easiest way to install it is via docker containers. nextcloud docker