Podman Security

Control	Status	Notes
Rootless mode enabled	☐	Default for all workloads
Podman socket protected	☐	Not mounted in containers
Trusted registries configured	☐	registries.conf
Image signature verification	☐	policy.json configured
Image versions pinned	☐	No `latest` tags
Vulnerability scanning	☐	Trivy in CI/CD
Running as non-root	☐	All containers
Capabilities dropped	☐	Drop ALL, add minimum
Read-only root filesystem	☐	Where possible
SELinux enabled	☐	Proper labels on volumes
Seccomp enabled	☐	Default or custom
Resource limits set	☐	Memory, CPU, PIDs
Logging configured	☐	json-file with rotation
Unused images cleaned	☐	Regular pruning

¶ Podman Security & Hardening