Hey everyone! I'm trying to enhance my environment to meet CIS level-1 and FedRAMP compliance, and I'm focusing on hardening various Docker images like Ubuntu, RHEL, and Alpine. However, I've noticed that unlike the other distributions, Alpine doesn't seem to have any CIS benchmarks or specific profiles available for scanning Docker images. I've looked into the official CIS website, AWS Inspector, OpenSCAP, and other tools, but none of them offer support for Alpine in this regard. Does anyone know why this is the case? Why is there a lack of Alpine hardening support? Thanks for your help!
5 Answers
CIS benchmarks can take a while to be released. If Alpine doesn’t have one yet, it’s probably best not to wait around for it. There are enterprise-ready images available now if you need them, like Echo, which meets the standards for Debian Linux CIS and general-purpose STIG.
Most of these benchmarks were designed for traditional systems and don’t adapt well to containers. They typically focus on audit logging and SSH setup that don’t really apply at the container level. You could try tweaking the benchmarks for Ubuntu or RHEL, but honestly, it’s a hassle. Security auditors might still push for it, but that’s why Alpine lacks benchmarks. If you’re looking for scanning tools, Trivy can check against the Docker CIS standards. Also, Chainguard has made some SCAP content related to Alpine that might be useful.
I’d recommend using Distroless images based on Debian instead. They’re about the same size as Alpine or even smaller, but without the compatibility issues that can come with Alpine.
If you still want to stick with Alpine, you can look into using the Docker CIS benchmarks as a guideline. The Dockle scanner is also a good option if you're interested in scanning your images.
Alpine isn't one of the major players in the Linux world, so there hasn't been much demand for CIS benchmarks for it. However, you can manually secure your Alpine images by following best practices found here: https://wiki.alpinelinux.org/wiki/Securing_Alpine_Linux and check out this GitHub repo for more info: https://github.com/ironpeakservices/iron-alpine. You might need to create a local secured image for your deployments.
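Added example, not code from the thread and not Dockle or Trivy: a POSIX shell audit of a Dockerfile against three Docker CIS Benchmark build-file items (4.1 non-root USER, 4.7 package update not used alone, 4.9 COPY instead of ADD), which is the "use the Docker CIS benchmark as a guideline" approach from the answers above applied to an Alpine image. The item numbers follow the public benchmark; both sample Dockerfiles are constructed.

```shell
#!/bin/sh
# Constructed example: static checks modelled on Docker CIS Benchmark section 4
# ("Container Images and Build File"). Item numbers follow the public benchmark.

# Print one "FAIL <item>: <reason>" line per finding and return the finding count.
check_dockerfile() {
    file="$1"
    findings=0
    # 4.1: the last USER instruction decides whom the entrypoint runs as.
    user=$(grep -E '^[[:space:]]*USER[[:space:]]' "$file" | tail -n 1 | awk '{print $2}')
    case "x$user" in
        x|xroot|x0|xroot:*|x0:*)
            echo "FAIL 4.1: image runs as root (no non-root USER instruction)"
            findings=$((findings + 1)) ;;
    esac
    # 4.7: an index refresh in its own layer is cached by the builder and goes stale,
    # so later 'apk add' layers install from an old index.
    if grep -qE '^[[:space:]]*RUN[[:space:]]+(apk|apt-get|yum)[[:space:]]+update[[:space:]]*$' "$file"; then
        echo "FAIL 4.7: package index update used alone in a RUN layer"
        findings=$((findings + 1))
    fi
    # 4.9: ADD auto-extracts archives and fetches URLs; COPY does only what it says.
    if grep -qE '^[[:space:]]*ADD[[:space:]]' "$file"; then
        echo "FAIL 4.9: ADD used where COPY would do"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: a typical quick Alpine Dockerfile and a tightened version.
weak=$(mktemp) && hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT
cat > "$weak" <<'EOF'
FROM alpine:3.20
RUN apk update
RUN apk add curl
ADD app.tar.gz /usr/local/bin/
ENTRYPOINT ["/usr/local/bin/app"]
EOF
cat > "$hardened" <<'EOF'
FROM alpine:3.20
RUN apk add --no-cache curl && addgroup -S app && adduser -S -G app -H app
COPY app /usr/local/bin/app
USER app
ENTRYPOINT ["/usr/local/bin/app"]
EOF
for f in "$weak" "$hardened"; do
    rc=0; check_dockerfile "$f" || rc=$?
    echo "$f: $rc finding(s)"
done
```

The weak file reports three findings and the tightened one none; the same function can be pointed at any Dockerfile in a CI step before the image is built.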