incorporates feedback

Signed-off-by: LRubin <lrubin@docker.com>
LRubin 2017-01-03 17:49:22 -08:00 committed by Joao Fernandes
parent 02f1bb25a9
commit 3559def55b
2 changed files with 18 additions and 17 deletions

@ -1,6 +1,6 @@
---
description: Enable and configure Docker Security Scanning for Docker Trusted Registry.
keywords: docker, registry, high-availability, backup, recovery
keywords: docker, registry, scanning, security scan, vulnerability, CVE
title: Set up Security Scanning in DTR
---

@ -1,6 +1,6 @@
---
description: Docker Security Scanning for Docker Trusted Registry.
keywords: docker, registry, high-availability, backup, recovery
keywords: docker, registry, scanning, security scan, vulnerability, CVE
title: Docker Security Scanning in DTR
---
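Review bot: The description in this front matter, "Docker Security Scanning for Docker Trusted Registry.", is only a product name and does not tell a reader what the page covers, while the other file's description opens with a verb ("Enable and configure ..."). Suggest a description that states the content, for example that the page explains how scans run and how to act on the vulnerabilities they report. The keywords replacement looks right, since the old high-availability, backup, recovery values did not describe a scanning page.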
@ -15,6 +15,22 @@ have purchased the Security Scanning feature or it may be disabled.
> **Tip**: Only users with write access to a repository can manually start a scan. Users with read-only access can view the scan results, but cannot start a new scan.
## The Docker Security Scan process
Scans run either on demand when a user clicks the **Start Scan** links or **Scan** button, or automatically on any `docker push` to the repository.
First the scanner performs a binary scan on each layer of the image, identifies
the software components in each layer, and indexes the SHA of each component.
The scan then compares the SHA of each component against the Common
Vulnerabilities and Exposures (CVE®) database installed on your DTR instance.
The CVE database is a "dictionary" of known information security
vulnerabilities. When the CVE database is updated, the service reviews the
indexed components for any that match newly discovered vulnerabilities.
Most scans complete within an hour, however larger repositories may take longer
to scan depending on your system resources.
## Security scan on push
By default, Docker Security Scanning runs automatically on `docker push` to an
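Review bot: The added sentence "The scan then compares the SHA of each component against the Common Vulnerabilities and Exposures (CVE®) database" does not say which SHA digest is indexed or what is reported for a component whose hash has no entry in the database, so a reader cannot tell whether a clean result means "no known vulnerabilities" or "component not recognized". Suggest stating the matching rule and the no-match outcome explicitly, and pointing to where the database on the DTR instance gets updated, since the following sentence depends on that update. Minor: "**Start Scan** links" should probably be singular to match "**Scan** button", that line is left unwrapped unlike the rest of the section, and "within an hour, however larger" is a comma splice (use "; however," or "but").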
@ -117,18 +133,3 @@ components that provide the same functionality. When you have updated the source
code, run a build to create a new image, tag the image, and push the updated
image to your DTR instance. You can then re-scan the image to confirm that you
have addressed the vulnerabilities.
## The Docker Security Scan process
Scans run either on demand when a user clicks the **Start Scan** links or **Scan** button, or automatically on any `docker push` to the repository.
Most scans complete within an hour, however larger repositories may take longer
to scan depending on your system resources. The scan traverses each layer of the
image, identifies the software components in each layer, and indexes the SHA of
each component.
The scan compares the SHA of each component against the Common Vulnerabilities
and Exposures (CVE®) database installed on your DTR instance. The CVE database
is a "dictionary" of known information security vulnerabilities. When the CVE
database is updated, the service reviews the indexed components for any that
match newly discovered vulnerabilities.
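Review bot: The section removed here at the end of the file is not identical to the copy added near the top: the old text said the scan "traverses each layer", the new text says it "performs a binary scan on each layer", and the timing sentence moved from the first paragraph to the last. The commit message "incorporates feedback" mentions neither the move nor the rewording; suggest a subject line that names both so the change can be found in the history later.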