From 17d9b1dc4998883eb66114248b01c37ca8c09b8d Mon Sep 17 00:00:00 2001 From: grok Date: Sun, 31 Aug 2025 22:56:46 +0200 Subject: [PATCH] Add Docker cheatsheet with security focus --- docker-cheatsheet.md | 80 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 docker-cheatsheet.md diff --git a/docker-cheatsheet.md b/docker-cheatsheet.md new file mode 100644 index 0000000..2e2c6c3 --- /dev/null +++ b/docker-cheatsheet.md 
@@ -0,0 +1,80 @@ +# Docker Cheatsheet + +## Security First Notes +- Always run containers with least privilege: Use --user for non-root. +- Scan images for vulnerabilities: Use tools like Trivy or Docker Scout. +- Avoid hardcoded secrets: Use Docker secrets or environment variables securely. +- Enable Docker Content Trust: `export DOCKER_CONTENT_TRUST=1` +- Assume hostile environment: Validate all inputs and use secure defaults. + +## Installation (Debian) +```bash +sudo apt update +sudo apt install docker.io +sudo usermod -aG docker $USER +newgrp docker +``` + +## Basic Commands +- Version: `docker --version` +- Info: `docker info` +- Login: `docker login` + +## Images +- List images: `docker images` or `docker image ls` +- Pull image: `docker pull ` +- Build image: `docker build -t .` +- Remove image: `docker rmi ` +- Tag image: `docker tag ` +- Save image: `docker save -o ` +- Load image: `docker load -i ` + +## Containers +- Run container: `docker run -d --name ` +- Interactive run: `docker run -it /bin/bash` +- List running: `docker ps` +- List all: `docker ps -a` +- Stop: `docker stop ` +- Start: `docker start ` +- Restart: `docker restart ` +- Remove: `docker rm ` +- Logs: `docker logs ` +- Exec into: `docker exec -it bash` +- Stats: `docker stats` + +## Volumes +- Create volume: `docker volume create ` +- List volumes: `docker volume ls` +- Inspect: `docker volume inspect ` +- Remove: `docker volume rm ` + +## Networks +- List networks: `docker network ls` +- Create network: `docker network create ` +- Connect: `docker network connect ` +- Disconnect: `docker network disconnect ` +- Inspect: `docker network inspect ` + +## Docker Compose +- Up: `docker-compose up -d` +- Down: `docker-compose down` +- Build: `docker-compose build` +- Logs: `docker-compose logs` +- PS: `docker-compose ps` + +## Cleanup +- Prune containers: `docker container prune` +- Prune images: `docker image prune` +- Prune volumes: `docker volume prune` +- Prune networks: `docker network 
prune` +- Prune system: `docker system prune -a -f` + +## Advanced/Security +- Run as non-root: `docker run -u $(id -u):$(id -g) ` +- Security options: `docker run --security-opt no-new-privileges ` +- Limit resources: `docker run --cpus=1 --memory=512m ` +- Scan for vulnerabilities: Install trivy and run `trivy image ` +- Content trust: `docker trust sign ` +- Use minimal base images: Prefer alpine or distroless for smaller attack surface. + +This cheatsheet prioritizes security and efficiency. For critical systems, perform additional penetration testing and use tools like Docker Bench for Security. \ No newline at end of file
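Review bot: Most commands in the Images, Containers, Volumes and Networks sections are missing their argument placeholders, e.g. `- Pull image: `docker pull ``, `- Remove image: `docker rmi ``, `- Exec into: `docker exec -it bash``; angle-bracket placeholders such as `<image>` and `<container>` were most likely swallowed as HTML tags, so escape them (`\<image\>`) or keep them inside backticks so the rendered cheatsheet stays usable. Two points in the security text also deserve fixing: the Installation block adds the user to the `docker` group, which is root-equivalent on the host (anyone in the group can mount `/` into a container), so the "Security First Notes" should state that or point to rootless mode; and the secrets bullet should not recommend environment variables, since they are readable via `docker inspect`, `/proc/<pid>/environ` and image history if baked in at build time. Minor: the Compose section uses the deprecated `docker-compose` v1 binary; the plugin form `docker compose up -d` is the current syntax, and `docker system prune -a -f` with no confirmation deserves a warning that it removes every unused image.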