Best practices for container handling

The following collection of "Dos" and "Don'ts" is intended to ease the handling of containers in two dimensions: security and license compliance. The latter is currently a major challenge, since the compliance process lags behind the technology.

As with "traditional" development, the compliance process for containers shall be fully integrated into the process of creating container layers and images. It is key to have the persons in charge of compliance involved in the process of creating the artifacts. This saves time and effort compared to the situation where a built image or layer is handed over to the OSPO afterwards for license compliance analysis and the resulting work.

Guiding Principles

Dockerfile

Dos for the Dockerfile

Don'ts for the Dockerfile

Docker Layer

Some of the best practices for Docker layers have to be implemented in the Dockerfile, which is the "makefile" for Docker layers and images.

Dos for the Docker layer

Docker Image

Dos for the Docker image

Don'ts for the Docker image

In general, it is strongly recommended not to build or deliver full container tarfile images. There are multiple reasons for this:

Resources

Distribution of Dockerfiles: Who is responsible for FOSS License Compliance?

Article by Till Jaeger
Published in: Journal of Open Law, Technology, & Society, 12(1), pp. 13–20. DOI: 10.5033/jolts.v12i1.147

Making compliance scalable in a container world

Article by Scott Peterson
Published on: opensource.com