decorative image for blog on using containers to improve php application security
March 23, 2023

Using Containers to Improve PHP Application Security

PHP Development

Maintaining PHP application security can be a daunting task, especially when you consider web applications are common targets for cybercriminals. Luckily, approaches like containerization (when done correctly) can help to decrease the attack surface of PHP applications, and, even if exploited, expose less data to bad actors. 

In this blog, we look at how teams can use containers to improve PHP application security, including why teams should consider containerizing their applications, container security best practices teams should consider, and the benefits of using trusted container images like those provided by Zend.

Back to top

Why Use Containers to Improve PHP Application Security?

By definition, container security is the process of implementing security tools and processes to provide strong information security for any container-based system or workload — including the container image, the running container, and all the steps required to create that image and get it running somewhere.

But containerizing applications, when those containers are truly isolated, can serve to improve application security. This is because containers, by virtue of their isolation, expose less of the overall application if an individual container is exploited.

It’s also important to note that while containerizing can improve PHP application security, DevOps operators must develop expertise regarding security best practices for the technologies they plan on using (e.g. Docker, Kubernetes, etc.), otherwise they can introduce new risks to their application(s).

Back to top

The Importance of Using Secure Container Images for PHP Applications

One of the most important aspects of PHP application security when using containers is ensuring the security of your base image, or golden image. Because it is used as the starting point from which you create derivative images, any security vulnerabilities or flaws found within that base image will be carried over into derivative images. 

This means that container security starts with finding trusted sources for base images. To ensure security of your base image, make sure the:

  • Image comes from a known company or open-source group
  • Image is hosted on a reputable registry
  • Source code for all components in the image is available

It’s important to note that, even when using trusted images, adding applications or making configuration changes will introduce new variables that you must take into account.

Back to top

Proactive Vulnerability Management for Containerized PHP

When bringing in external content to build your apps, it’s important to keep proactive vulnerability management in mind.

This includes things like:

  • Integrating native security tools used across an enterprise to meet or enhance existing network security policies across your container ecosystem
  • Establishing strong cloud security and application security standards
  • Identifying modified container images that break policies or documented best practices — known as container misconfigurations — to reduce the likelihood and impact of potential compromises

An effective container security program seeks to remediate vulnerabilities in real-time and reduce the attack surface before images are deployed. By building security into the container pipeline and defending your infrastructure, you can make sure your containers are reliable, scalable, and trusted.

When gathering container images, ask:

  • Are the container images signed and from trusted sources?
  • Are the runtime and operating system layers up to date?
  • How quickly and how often will the container be updated?
  • Are security risks identified, and how will they be tracked?
Back to top

Zend PHP Docker Images

Zend provides pre-built PHP Docker images for Ubuntu, CentOS, Debian, Rocky, Amazon Linux 2 (Alpine Linux coming soon) in our container registry located at, supporting all versions from PHP 7.2 up to PHP 8.3.

These base images are scanned monthly for security assessments, using modern automated pipelines comprised of best-in-class security toolchains. Once a CVE is disclosed for the PHP engine or any supported pre-compiled extensions, Zend is able to issue a new patched image within days of the official release.

While a ZendPHP license is required to access patched images of end of life PHP versions (we currently offer LTS for PHP 7.2-8.0), PHP versions that are currently supported by the community (currently PHP 8.1-8.3) are available to try for free.

Back to top

About Zend PHP LTS 

If your PHP-based projects run on a PHP version no longer supported by the community, Zend can help. With LTS from Zend, you get fully patched and supported PHP builds – giving you time to upgrade your EOL PHP on your timeline.

Image Zend PHP Version Support Chart Comparison 02-2023 8.2


Zend provides security fixes to the PHP engine and all supported extensions for PHP 7.2, PHP 7.3, PHP 7.4, and PHP 8.0 ensuring compliance to common industry standards like SOX, PCI, or HIPAA.

See LTS Options

Back to top

Configuring and Orchestrating Zend PHP Container Images

Every ZendPHP image has a user/group with lower privileges already configured:

  • User zendphp with UID 10000
  • Group zendphp with GID 10001

This default configuration ensures teams make the conscious choice to increase privileges on derivative containers only when necessary.

Note: Images for ‘php-fpm’ always run worker processes as the ‘zendphp’ user.

All images include the script, which can be invoked in Dockerfile extensions that build from ZendPHP base images.

The script uses build arguments to customize the image, including:

  • Setting up the container's system timezone, including in PHP configuration.
  • Setting up ZendPHP package repository credentials (required in order to install additional extensions).
  • Installing additional system packages.
  • Installing pre-packaged PHP extensions from the ZendPHP package repository.
  • Installing PECL extensions.
  • Installing Composer.
  • Installing ‘php-fpm’ configuration, using either a development or production profile.
  • Running a custom post-build script.
  • Setting up the container to run as the zendphp user (instead of root).

The S6-Overlay

The S6-Overlay is a very lightweight set of utilities to improve the user experience when running containerized workflows.

It is integrated by default in every base image distributed by Zend, with the features provided can be summarized as follows:

•    A simple init process which allows the end-user to execute tasks like initialization (cont-init.d), finalization (cont-finish.d) and their own services with dependencies between them  
•    The s6-overlay provides proper PID 1 functionality  
•    You'll never have zombie processes hanging around in your container, they will be properly cleaned up  
•    Multiple processes in a single container  
•    Able to operate in "The Docker Way"  
•    Distributed as a small number of .tar.xz files depending on what exact functionality you need - to keep your image's number of layers small  
•    A whole set of utilities included in s6 and s6-portable-utils. They include handy and composable utilities to manage processes spawning, permissions on files and folders, recurring ephemeral tasks, signals capturing, and etc.  
•    Log rotating out-of-the-box through logutil-service which uses s6-log under the hood  
•    Some support for Docker's USER directive, to run your whole process tree as a specific user.

Back to top

Final Thoughts

Managing cloud-native application isn’t simple. It requires a wealth of knowledge that spans many different technological domains -- including application security. 

Containers, and specifically the base images distributed by Zend, can help simplify some of the inherent complexities of container-based PHP application security. When combined with SLA-backed support delivered by Zend PHP experts, you get an easy button for keeping your PHP-based applications secure.

See Our Container Images and LTS Options

Zend PHP container images, when paired with Zend PHP LTS, make containerizing and securing your PHP-based applications easy. See our available container image and LTS options via the links below.

Visit Our Container RegistrySee LTS Options   

Additional Resources

Back to top