Docker Security Dispatch — Issue 1: Docker Turns 13 🎂

The first issue of Docker Security Dispatch: Docker's 13th birthday, the launch of Black Forest Shadow, a workshop at Rabobank, a JavaPro article, the best Docker book quarter in years, and what's next at JCON.

Welcome to the first issue of Docker Security Dispatch. This newsletter covers Docker security, container supply chains, and the community around them. March was a busy month, so there's a lot to cover in this first issue.


🎂 Docker Turns 13

Docker turned 13 on March 20, 2026. Thirteen years since Solomon Hykes demoed docker run at PyCon.

I published my second book on Friday, March 13th—Docker's birthday, and a Friday the 13th. I couldn't resist.

Black Forest Shadow: A Dark Fantasy Guide to Docker and Kubernetes Security grew out of the Advent of Docker Security series I published in December 2025—24 daily posts set in the Black Forest of 1865, where shadow creatures called CVEs were spreading through villages. After the series ended, I wrote seven more chapters, compiled the whole thing, and turned it into a book.

Each chapter maps to a real security technique: CVE triage, SBOM generation, OCI 1.1 attestations, vulnerability scanning, container hardening, runtime security with Falco, lateral movement prevention. Gord, Rothütle, Jack, and Evie are also the Docker Commandos from the workshop series. The book is their origin story.

Where to get it:


🎖️ Docker Commandos at Rabobank

On March 27, I delivered Docker Commandos v1.5 at Rabobank in Utrecht, as part of their Docker Champions program. About 20 people attended.

Docker Commandos is a workshop where 10 fictional commandos, each paired with a Docker security command, guide participants through a mission to defend Asgard from CVE monsters. v1.5 covers the full supply-chain pipeline: from docker init to cryptographic image signing with Cosign and zero-day runtime defense. Two new commandos join in this version.

The full workshop materials:

Docker Commandos

The full workshop: 10 commandos, 10 Docker security commands, all exercises and mission briefings. Free.

dockersecurity.io

Docker Commandos v1.5: Asgard Mission

Hands-on workshop materials for the 10 Docker Commandos at Rabobank, covering SBOM generation, CVE scanning, hardened images, VEX exemptions, Docker Bake, Cosign signing, and zero-day defense.

dockersecurity.io


📰 JavaPro: "10 Docker Commandos"

On March 19, JavaPro published my article "10 Docker Commandos: Docker Commands to Hunt the Predator"—three days before I ran the workshop at Rabobank, which was good timing.

The article uses the React2Shell supply chain attack (CVE-2025-55182) as the threat model. Attackers deployed crypto miners within hours of disclosure. The 10 commandos walk through the response: Lockdown → SBOM → Scout → SBOM Attestations → Docker Init → Hardened Images → Exempted CVEs → VEX Attestation → Docker Bake → Zero-Day Defense.

10 Docker Commandos: Docker Commands to Hunt the Predator

10 Docker security commands mapped to commando characters, using React2Shell (CVE-2025-55182) as the threat model. Published March 19, 2026.

javapro.io


📚 Q1 2026 Docker Books

Five Docker books came out in the first quarter of 2026. Three of them are by Docker Captains, which I think is a first.

The Complete Docker Read List: Q1 2026 Edition

A curated reading list of the best books on Docker and Kubernetes for the first quarter of 2026, featuring releases from Docker Captains and industry experts.

dockersecurity.io


📅 Next: JCON Europe, Cologne, April 20

On April 20, I'll be at JCON Europe 2026 in Cologne with "Java Supply Chain Security with Docker"—Docker Commandos adapted for a Java audience. Same pipeline, Java project as the target.

Java Supply Chain Security with Docker

Docker Commandos at JCON Europe 2026 in Cologne, adapted for a Java audience. April 20.

dockersecurity.io


Questions or feedback: dockersecurity.io/contact.