diff --git a/datacenter/dtr/2.3/guides/user/manage-images/pull-and-push-images.md b/datacenter/dtr/2.3/guides/user/manage-images/pull-and-push-images.md index 692582e7cb..789c1f319e 100644 --- a/datacenter/dtr/2.3/guides/user/manage-images/pull-and-push-images.md +++ b/datacenter/dtr/2.3/guides/user/manage-images/pull-and-push-images.md @@ -67,6 +67,24 @@ Go back to the **DTR web UI** to validate that the tag was successfully pushed. ![](../../images/pull-push-images-3.png) +### Windows images + +Official Microsoft Windows images or any image you create based on them aren't +distributable by default. When you push a Windows image to DTR, Docker only +pushes the image manifest but not the image layers. This means that: + +* DTR won't be able to scan those images for vulnerabilities since DTR doesn't +have access to the layers +* When a user pulls a Windows image from DTR, they are redirected to a +Microsoft registry to fetch the layers + +To configure Docker to always push Windows layers to DTR, add the following +to your `C:\ProgramData\docker\config\daemon.json` configuration file: + +``` +"allow-nondistributable-artifacts": [":"] +``` + ## Where to go next * [Delete images](delete-images.md) diff --git a/datacenter/dtr/2.3/guides/user/manage-images/scan-images-for-vulnerabilities.md b/datacenter/dtr/2.3/guides/user/manage-images/scan-images-for-vulnerabilities.md index a878d37dd3..3ec96aa28b 100644 --- a/datacenter/dtr/2.3/guides/user/manage-images/scan-images-for-vulnerabilities.md +++ b/datacenter/dtr/2.3/guides/user/manage-images/scan-images-for-vulnerabilities.md 
@@ -4,7 +4,7 @@ description: Learn how to scan your Docker images for vulnerabilities. keywords: docker, registry, scan, vulnerability --- -[![Image Security Scanning](../../images/scanning_video.png)](https://www.youtube.com/watch?v=121poCB0Nn8 "Images Security Scanning"){:target="_blank"} +[![Image Security Scanning](../../images/scanning_video.png)](https://www.youtube.com/watch?v=121poCB0Nn8 "Images Security Scanning"){: target="_blank" ._} Docker Trusted Registry can scan images in your repositories to verify that they are free from known security vulnerabilities or exposures, using Docker Security 
@@ -23,28 +23,24 @@ a new scan. ## The Docker Security Scan process Scans run either on demand when a user clicks the **Start a Scan** links or -**Scan** button (see [Manual scanning](#manual-scanning) below), or automatically +**Scan** button (see [Manual scanning](#manual-scanning) below), or automatically on any `docker push` to the repository. First the scanner performs a binary scan on each layer of the image, identifies the software components in each layer, and indexes the SHA of each component in a -bill-of-materials. A binary scan evaluates the components on a bit-by-bit level, -so vulnerable components are discovered even if they are statically-linked or +bill-of-materials. A binary scan evaluates the components on a bit-by-bit level, +so vulnerable components are discovered even if they are statically-linked or under a different name. -[//]: # (Placeholder for DSS workflow. @sarahpark is working on the diagram.) - The scan then compares the SHA of each component against the US National Vulnerability Database that is installed on your DTR instance. When this database is updated, DTR reviews the indexed components for newly discovered vulnerabilities. -If you have subscribed to a webhook (see [Manage webhooks](../create-and-manage-webhooks.md)) -for scan completed/scan failed, then you will received the results of the scan -as a json to the specified endpoint. - -Most scans complete within an hour, however larger repositories may take longer -to scan depending on your system resources. +DTR scans both Linux and Windows images, but by default Docker doesn't push +image layers for Windows images so DTR won't be able to scan them. +If you want DTR to scan your Windows images, [configure Docker to always push +image layers](pull-and-push-images.md). ## Security scan on push
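Review bot: In the `pull-and-push-images.md` hunk, the `daemon.json` snippet `"allow-nondistributable-artifacts": [":"]` has lost its placeholder content: `":"` is not a usable registry address and looks like a templated `<host>:<port>` value that was stripped on rendering. Spell the placeholder out, for example `"allow-nondistributable-artifacts": ["<dtr-domain>:<port>"]`, and since the fragment is a single key/value pair rather than a complete JSON document, either wrap it in `{ ... }` or say explicitly that it is added inside the existing top-level object; tagging the fence as `json` would also make the intent clear.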
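Review bot: In the first `scan-images-for-vulnerabilities.md` hunk, the changed attribute list `{: target="_blank" ._}` introduces `._`, which in kramdown's inline attribute syntax reads as a class named `_` and does not appear to be intentional; the visible change only needed the space after `{:`. Drop `._` so the line becomes `{: target="_blank"}`, unless a stylesheet actually defines that class.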
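Review bot: In the second `scan-images-for-vulnerabilities.md` hunk, the deleted paragraph about webhooks ("If you have subscribed to a webhook ... for scan completed/scan failed, then you will received the results of the scan as a json to the specified endpoint") is the only place in this section that tells readers how to receive scan results programmatically, and the new Windows paragraph does not replace it. If the intent was to fix the grammar ("you will received", "as a json") rather than remove the behaviour, keep a corrected version with its link to `../create-and-manage-webhooks.md`; likewise the dropped "Most scans complete within an hour" note should be moved rather than lost if it is still accurate.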