Impact & Risk Analysis

  • Severity: Low
  • CIS Benchmark: CIS 4.6
  • Impact: Availability Loss. Availability is an important security property. Without a HEALTHCHECK instruction, the Docker engine cannot verify whether a container is still operational. A container might be running but unresponsive (e.g., deadlocked), and the engine will not know to terminate and restart it.

Common Misconfiguration

Failing to add the HEALTHCHECK instruction to Docker container images. By default, HEALTHCHECK is not set, meaning the Docker engine assumes the container is healthy as long as the process is running, even if it is stuck or erroring out.

Vulnerable Example

# Vulnerable Dockerfile
FROM node:18-alpine

WORKDIR /app
COPY . .

# Missing HEALTHCHECK instruction
# If the app hangs (infinite loop), Docker won't restart it.
CMD ["node", "server.js"]

Secure Example

# Secure Dockerfile
FROM node:18-alpine

WORKDIR /app
COPY . .

# Add the HEALTHCHECK instruction
# Check every 30s, time out after 3s, allow a 5s start period, and fail after 3 retries
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1

CMD ["node", "server.js"]

Audit Procedure

Run the command below to confirm that Docker images have the appropriate HEALTHCHECK instruction configured:

# Inspect the image configuration
docker inspect --format='{{ .Config.Healthcheck }}' <IMAGE_ID>

  • Result: This should return the configured health check parameters.
  • Fail: If it returns <no value> or nil, the instruction is missing.
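
The audit above, extended as an added example (not part of the original page or of the benchmark text): it classifies the JSON form of the same field and also flags `HEALTHCHECK NONE`, which stores a non-empty value while switching the check off. The function names and the `--all` switch are assumptions of this example, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: classify the HEALTHCHECK configuration of Docker images.

# classify_healthcheck JSON
#   JSON is the output of:
#     docker inspect --format '{{json .Config.Healthcheck}}' <IMAGE_ID>
#   Prints MISSING, DISABLED or CONFIGURED.
classify_healthcheck() {
  case "$1" in
    ''|null|'<nil>'|'<no value>')
      echo MISSING ;;        # no HEALTHCHECK instruction in the image
    *'"Test":["NONE"]'*)
      echo DISABLED ;;       # HEALTHCHECK NONE: value is set, check is off
    *'"Test":["CMD'*)
      echo CONFIGURED ;;     # exec form (CMD) or shell form (CMD-SHELL)
    *)
      echo MISSING ;;        # timing options only, no test command
  esac
}

# audit_images: report every local image; return 1 if any lacks a usable check.
audit_images() {
  rc=0
  for img in $(docker images -q | sort -u); do
    hc=$(docker inspect --format '{{json .Config.Healthcheck}}' "$img")
    status=$(classify_healthcheck "$hc")
    tags=$(docker inspect --format '{{join .RepoTags ","}}' "$img")
    printf '%-10s %s %s\n' "$status" "$img" "$tags"
    [ "$status" = CONFIGURED ] || rc=1
  done
  return "$rc"
}

if [ "${1:-}" = "--all" ]; then
  # Hypothetical switch for this example: audit the local Docker daemon.
  audit_images
else
  # Constructed samples so the classifier can be tried without Docker.
  for sample in 'null' '{"Test":["NONE"]}' \
      '{"Test":["CMD-SHELL","wget --spider http://localhost:3000/health || exit 1"],"Interval":30000000000}'; do
    printf '%-10s %s\n' "$(classify_healthcheck "$sample")" "$sample"
  done
fi
```

Run with `--all` in a CI job or on a build host; the non-zero exit status lets the pipeline fail when any image is MISSING or DISABLED.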

Remediation

You should follow the Docker documentation and rebuild your container images to include the HEALTHCHECK instruction. This ensures that the Docker engine periodically checks the running container instances against that instruction to verify they are operational.