Remove references to security scanning for private repos (#6444)

2018-04-20 10:33:55 -07:00 · 2018-04-20 10:33:55 -07:00 · 3dcc8d0b55
parent c68b864578
commit 3dcc8d0b55
16 changed files with 130 additions and 252 deletions
--- a/_data/toc.yaml
+++ b/_data/toc.yaml
@ -3087,8 +3087,6 @@ manuals:
      title: Link to a source code repository
    - path: /docker-cloud/builds/push-images/
      title: Push images to Docker Cloud
    - path: /docker-cloud/builds/image-scan/
      title: Docker security scanning
    - path: /docker-cloud/builds/automated-build/
      title: Automated builds
    - path: /docker-cloud/builds/automated-testing/
--- a/datacenter/dtr/2.4/guides/admin/configure/set-up-vulnerability-scans.md
+++ b/datacenter/dtr/2.4/guides/admin/configure/set-up-vulnerability-scans.md
@ -2,6 +2,8 @@
 title: Set up Security Scanning in DTR
 description: Enable and configure Docker Security Scanning for Docker Trusted Registry.
 keywords: registry, scanning, security scan, vulnerability, CVE
 redirect_from:
 - /docker-cloud/builds/image-scan/
 ---
 This page explains how to set up and enable Docker Security Scanning on an existing installation of Docker Trusted Registry.
--- a/docker-cloud/builds/image-scan.md
+++ b/docker-cloud/builds/image-scan.md
@ -1,171 +0,0 @@
 ---
 description: 'Docker Security Scanning: automatic image scanning'
 keywords: Docker, docker, scan, scanning, security, registry, plans, Docker Cloud, docs, documentation, trusted, builds, trusted builds, automated builds
 title: Docker Security Scanning
 ---
 > **The Docker Security Scanning preview service will end on March 31st, 2018, for private repos (not official repos) in both Docker Cloud and Docker Hub. Until then, scanning in private repos is limited to one scan per day on the “latest” tag.**
 Docker Cloud and Docker Hub can scan images in private repositories to verify
 that they are free from known security vulnerabilities or exposures, and report
 the results of the scan for each image tag.
 On Docker Hub, Docker Security Scanning looks a little different than the images
 in this document.
 ![Scanned results](images/scan-view.png)
 Docker Security Scanning is available as an add-on to Docker hosted private
 repositories on both Docker Cloud and Docker Hub. The feature is available as a
 free preview for private repository subscribers for a limited time.
 During the free period, Docker Security Scanning scans the three most recently
 updated tags in each of your private repositories. You can push an update to an
 older tag to trigger a scan. The scan runs on each new image push, and updates
 the scan results when new information comes in from the CVE databases.
 You can also view scan results for Official Images on Docker Hub if you are logged in.
 ## View Docker Security Scanning results
 Once you opt-in to the Docker Security Scanning and the scan process completes, you can view the scan results for your private repos.
 To view scan results:
 1. Log in to Docker Cloud or Docker Hub.
 2. Navigate to the repository details page.
 3. Click **Tags**.
    The Tag view displays a summarized view of each tag scan, and the
    age of the scan.
    ![Scanned tags](images/scan-tags.png)
    A solid green bar indicates a clean scan without known vulnerabilities.
    Colored stripes in yellow, orange, and red indicate minor, major, and
    critical vulnerabilities respectively.
    >**Tip:** Vulnerability scores are defined by the entity that issues the vulnerability, such as [NVD](https://nvd.nist.gov/), and are based on a [Qualitative Severity Rating Scale](https://www.first.org/cvss/specification-document#5-Qualitative-Severity-Rating-Scale) defined as part of the [Common Vulnerability Scoring System (CVSS) specification](https://www.first.org/cvss/specification-document).
 4. Click a scan summary to see more detailed results for the specific tag.
    The scan results show the image's layers, and each layer can have one or more scannable components. Layers with components display them in a grid, with one square representing each component. These squares are color coded to indicate the seriousness of vulnerability.
    Only components that add software are scanned. If a layer has no scannable components, it shows a `No components in this layer` message.
    ![Scanned results](images/scan-view.png)
    > **Note**: *Base Layers* contain components that are included in the parent
    > image, but that you did not build and that you may not have access to edit.
    > If a Base Layer contains a vulnerability, you should switch to a version
    > of the parent image that does not have any vulnerabilities, or to a similar
    > but more secure image.
 5. Click a square in the grid to see the vulnerability report for that specific component.
    ![Scanned component preview](images/scan-single.png)
 6. Click the arrow icon to expand the list and show all of the vulnerable components and their CVE report codes.
    ![Scanned components](images/scan-full-details.png)
 7. From here, you can click one of the CVE codes to view the original report about the vulnerability.
 > **Note**: You can also see scan results for Docker's Official Images as long as you are logged in to Docker Hub, regardless of if you are a subscriber or not.
 ### What do I do next?
 If you are viewing scan results for an Official Image and you find a
 vulnerability, you might want to check if there is an updated version available,
 or contact the image's maintainers to ensure that the vulnerability is being
 addressed.
 When you enable scanning on your images, you can use the information in the
 linked CVE reports to decide what to do. You might correct a vulnerability by
 using an updated version of the component, or a different component entirely.
 When you push an update to the code, the new image push re-triggers the scan.
 If the vulnerability is in a `base layer` you might not be able to correct the
 issue in the image. Consider switching to a different version of the
 base layer or an equivalent, less vulnerable base layer. You
 might also decide that the vulnerability or exposure is acceptable.
 ## The Docker Security Scan process
 Security scanning is enabled on a per-repository basis and is only available for
 private repositories. Scans run each time a build pushes a new image to your
 private repository. They also run when you add a new image or tag. Most scans
 complete within an hour, however large repositories may take up to 24 hours to
 scan. The scan traverses each layer of the image, identifies the software
 components in each layer, and indexes the SHA of each component.
 The scan compares the SHA of each component against the Common Vulnerabilities
 and Exposures (CVE®) database. The CVE is a "dictionary" of known information
 security vulnerabilities. When the CVE database is updated, the service reviews
 the indexed components for any that match the new vulnerability. If the new
 vulnerability is detected in an image, the service sends an email alert to the
 maintainers of the image.
 A single component can contain multiple vulnerabilities or exposures and Docker
 Security Scanning reports on each one. You can click an individual vulnerability
 report from the scan results and navigate to the specific CVE report data to
 learn more about it.
 ## Frequently Asked Questions
 Docker Security Scanning is available as a free preview for private repositories
 for a limited time. Security scanning is only available for Docker Official
 Images on Docker Hub, and for paid private repositories in Docker Cloud during
 this free period.
 <b>We invite you to try it out! Send us your feedback through our <a href="https://forums.docker.com/c/docker-cloud/docker-security-scanning" target="_blank" class="_" >Docker Product Forums</a>.</b>
 #### Will Docker Security Scanning always be available for free?
 No. We are making Security Scanning available as a free preview for a limited
 time. After that, Security Scanning will be available as a purchase for your
 private repository subscriptions.
 #### Can I scan my organization's repositories (public and/or private)?
 Yes. You can view scans for your Organization's private repositories on both
 Docker Hub and Docker Cloud.
 #### Can I scan my public repositories?
 Not yet. We’re working to make Docker Security Scanning available to teams and
 organizations, as well as public repositories. Stay tuned!
 #### Are my repositories automatically scanned on push?
 Yes. The images in your repositories are automatically scanned each time a new
 image is pushed. When you first sign up for Security Scanning, we scan three most recently pushed tags. We then scan any new image that you push.
 #### Are my repositories automatically scanned when new vulnerabilities are discovered?
 Docker Security Scanning indexes the components in your image, so we don't need
 to re-scan your images when new vulnerabilities are reported. Instead, we match
 the components in new CVE reports to what we know is already in your image, and
 quickly generate an updated report.
 #### What do I do if I think the scan results are incorrect?
 If a scan shows a vulnerability that you think is incorrect, if you think a
 vulnerability's category is incorrect, or if you believe there is a
 vulnerability that has not been detected by the scanning process, contact Docker Support and include the information listed
 [here](https://success.docker.com/Cloud/How_to_report_a_false_positive_in_Docker_Security_Scanning).
 #### I just pushed to my repository, but the scan results aren't showing up or haven't been updated, why?
 Docker Security Scanning generates and indexes a hash of the byte code of each
 component in the image. This usually completes quickly, however scanning can
 take up for 24 hours, especially if the image is large or contains many smaller
 components.
 ## Related information
 * [Learn about CVE and how it compiles data](https://cve.mitre.org/about/index.html).
 * [How to create a Docker Official image](/docker-hub/official_repos/)
--- a/docker-cloud/builds/images/repo-general.png
+++ b/docker-cloud/builds/images/repo-general.png
--- a/docker-cloud/builds/images/scan-enable.png
+++ b/docker-cloud/builds/images/scan-enable.png
--- a/docker-cloud/builds/images/scan-full-details.png
+++ b/docker-cloud/builds/images/scan-full-details.png
--- a/docker-cloud/builds/images/scan-single.png
+++ b/docker-cloud/builds/images/scan-single.png
--- a/docker-cloud/builds/images/scan-tags.png
+++ b/docker-cloud/builds/images/scan-tags.png
--- a/docker-cloud/builds/images/scan-view.png
+++ b/docker-cloud/builds/images/scan-view.png
--- a/docker-cloud/builds/index.md
+++ b/docker-cloud/builds/index.md
@ -19,8 +19,7 @@ running services when a build passes its tests.
 * [Push images to Docker Cloud](push-images.md)
 * [Link to a source code repository](link-source.md)
 * [Automated builds](automated-build.md)
 * [Docker Security Scanning](image-scan.md)
 * [Automated repository tests](automated-testing.md)
 * [Advanced options for Autobuild and Autotest](advanced.md)
-![Docker Cloud repository General view](images/repo-general.png)
+![Docker Cloud repository General view](images/repo-general.png){:width="650px"}
--- a/docker-cloud/release-notes.md
+++ b/docker-cloud/release-notes.md
@ -24,7 +24,7 @@ In our May 2016 release, we introduced a new user interface for Docker Cloud. Tr
 ### Added
-**Docker Cloud Security Scanning** is now available as a beta add-on service for private repositories. See [Security scanning in Docker Cloud](builds/image-scan.md) for more information.
+**Docker Cloud Security Scanning** is now available as a beta add-on service for private repositories. 
 ### Fixed
--- a/docker-store/images/scan-full-details.png
+++ b/docker-store/images/scan-full-details.png
--- a/docker-store/images/scan-single.png
+++ b/docker-store/images/scan-single.png
--- a/docker-store/images/scan-tags.png
+++ b/docker-store/images/scan-tags.png
--- a/docker-store/images/scan-view.png
+++ b/docker-store/images/scan-view.png
--- a/docker-store/publish.md
+++ b/docker-store/publish.md
@ -27,22 +27,20 @@ title: Publish content on Docker Store
 ## Onboarding
-The publishing process for the Docker Store is straightforward, and can be
+The Docker Store publishing process begins from the landing page: sign in with
-initiated from the landing page. You can sign in with your Docker ID, and
+your Docker ID and specify a product name and image source from a private
-specify a product name and image source from a private repository. We require
+repository. Your product images must be stored in private repositories of Docker
-that your product images are stored in private repositories via Docker Cloud
+Cloud and/or Hub as they serve as an internal staging area from which you can
-and/or Hub, as they serve as an internal staging area from which you can revise
+revise and submit content for review.
 and submit content for review.
-Once you specify a private-repository source for your product, you can provide
+After specifying a source, provide the content-manifest items to populate your
-the content-manifest items to populate your product’s details page. These items
+product details page. These items include logos, descriptions, and licensing and
-include logos, descriptions, and licensing and support links so that customers
+support links so that customers can make informed decisions about your image.
-can make informed decisions about your image. These items are submitted
+These items are submitted alongside the image itself for moderation.
 alongside the image itself for moderation.
 The Docker Store team then conducts a comprehensive review of your image and
-metadata. We use Docker Security Scanning to evaluate your product images’
+metadata. We use Docker Security Scanning to evaluate the security of your
-security, and share results with you as the publisher. During the
+product images, and share results with you as the publisher. During the
 image-moderation phase, we iterate back and forth with publishers to address
 outstanding vulnerabilities and content-manifest issues until the image is ready
 for publication.
@ -51,16 +49,16 @@ Commercial content and other supported images may qualify for the Docker
 Certified Container or Plugins quality mark. The testing for this program goes
 beyond the vulnerability scan and also evaluates container images for Docker
 best practices developed over years of experience. Collaborative support
-capability between Docker and the publisher is also established. Refer
+capability between Docker and the publisher is also established. Refer to the
-to the diagram below for a high-level summary:
+diagram below for a high-level summary:
 ![publishing workflow](images/publish-diagram.png)
 ## Create great content
 Create your content, and follow our best practices to Dockerize it. Keep your
-images small, your layers few, and your components secure. Refer to the
+images small, your layers few, and your components secure. Refer to the links
-links and guidelines listed below to build and deliver great content:
+and guidelines listed below to build and deliver great content:
 * [Best practices for writing Dockerfiles](/engine/userguide/eng-image/dockerfile_best-practices/)
@ -75,20 +73,20 @@ Here are some best practices when it comes to building vulnerability-free Docker
 Many base images have a strong record of being secure, including:
-* [Debian](https://hub.docker.com/r/library/debian/tags/jessie/){: target="_blank"
+* [Debian](https://hub.docker.com/r/library/debian/tags/jessie/){: target="_blank" class="_"}
-class="_"} Linux: both small and tightly-controlled, Debian-linux is a good
+  Linux: both small and tightly-controlled, Debian-linux is a good alternative
-alternative if you're currently using Ubuntu.
+  if you're currently using Ubuntu.
-* [Alpine](https://hub.docker.com/_/alpine/){: target="_blank" class="_"} Linux: Alpine is a minimal linux distribution with an
+* [Alpine](https://hub.docker.com/_/alpine/){: target="_blank" class="_"} Linux:
-excellent security record.
+  Alpine is a minimal linux distribution with an excellent security record.
 * Alpine-based application images: these include `python:alpine`, `ruby:alpine`,
-and `golang:alpine`. They are secure and minimal, while providing the
+  and `golang:alpine`. They are secure and minimal, while providing the
-convenience of their non-Alpine alternatives.
+  convenience of their non-Alpine alternatives.
-Docker strongly recommends Alpine Linux. The founder of this Linux
+Docker strongly recommends Alpine Linux. The founder of this Linux distribution
-distribution is leading an initiative at Docker to provide safe, compact base
+is leading an initiative at Docker to provide safe, compact base images for all
-images for all container applications.
+container applications.
 ### Remove unused components
@ -97,28 +95,28 @@ containerized application. To avoid this, you can:
 * Follow best practices when using the `apt-get` command.
-* Make sure to run `apt-get-remove` to destroy any components required to build
+* Run `apt-get-remove` to destroy any components required to build but not
-but not actually run your application. Usually, this involves creating
+  actually run your application. Usually, this involves creating multi-line
-multi-line Dockerfile directives, as seen below. The following example shows
+  Dockerfile directives, as seen below. The following example shows how to remove
-how to remove `curl` and `python-pip` after they are used to install the
+  `curl` and `python-pip` after they are used to install the Python `requests`
-Python `requests` package, all in a single Dockerfile directive:
+  package, all in a single Dockerfile directive:
-```shell
+  ```shell
-RUN apt-get update && \
+  RUN apt-get update && \
-         apt-get install -y --no-install-recommends curl python-pip && \
+           apt-get install -y --no-install-recommends curl python-pip && \
-         pip install requests && \
+           pip install requests && \
-         apt-get remove -y python-pip curl && \
+           apt-get remove -y python-pip curl && \
-         rm -rf /var/lib/apt/lists/
+           rm -rf /var/lib/apt/lists/
-```
+  ```
-> **Note**: Files introduced in one directive of your Dockerfile can only be
+> Files introduced in one directive of your Dockerfile can only be removed in
-> removed in the same directive (and not in subsequent directives in your Dockerfile).
+> the same directive (and not in subsequent directives in your Dockerfile).
 ### Keep required components up-to-date
-Your images are comprised of open-source libraries and packages that amass
+Your images are composed of open-source libraries and packages that amass
-vulnerabilities over time and are consequently patched. To optimize your
+vulnerabilities over time and are consequently patched. To ensure the integrity
-product’s integrity, you must keep your images up-to-date:
+of your product, keep your images up-to-date:
 * Periodically update your base image's version, especially if you’re using a
  version deemed to be vulnerable.
@ -127,14 +125,6 @@ product’s integrity, you must keep your images up-to-date:
  `apt-get install ...` pull the latest versions of dependencies, which may
  include security fixes.
 ### Scan your own private repositories
 Eliminating vulnerabilities is a trial-and-error process. To speed it up,
 consider using Docker Security Scanning on your own private Docker repositories
 in Docker Cloud and Docker Hub. This feature allows you to scan images you
 create on-demand, without relying on the scans provided by the Docker Publisher
 Program.
 ## Create and maintain your publisher profile in the Store
 Let the Docker community know who you are. Add your details, your company
@ -172,8 +162,8 @@ discoverable:
 ### How the manifest information is displayed in the UI
-This is an approximate representation. We frequently make
+This is an approximate representation. We frequently make enhancements to the
-enhancements to the look and some elements might shift around.
+look and some elements might shift around.
 ![manifest information displayed on store UI](images/subscribed.png)
@ -198,18 +188,78 @@ response-time expectations, where applicable.
 ## Security and audit policies
 Docker Store [scans](#docker-security-scanning) your official images for
 vulnerabilities with the Docker Security Scanning tool, and
 [audits](#usage-audit-and-reporting) consumer activity of your images to provide
 you intelligence about the use of your product.
 ### Docker Security Scanning
-We use Docker Security Scanning to automatically and continuously assess your
+Docker Security Scanning automatically and continuously assesses the intergity
-products’ integrity. The tool deconstructs images, conducts a binary scan of
+of your products. The Docker Security Scanning tool deconstructs an image,
-the bits to identify the open-source components present in each image layer, and
+conducts a binary scan of the bits to identify the open-source components
-associates those components with known vulnerabilities and exposures. We then
+present in each image layer, and associates those components with known
-share the scan results with you as the publisher, so that you can modify your
+vulnerabilities and exposures.
 images’ content accordingly. Your scan results are private, and are never
 shared with end customers or other publishers.
-To interpret the results, refer to the
+Docker then shares the scan results with you as the publisher, so that you can
-[documentation](/docker-cloud/builds/image-scan.md).
+modify the content of your images as necessary. Your scan results are private,
 and are never shared with end customers or other publishers.
 #### Interpret results
 To interpret the results of a scanned image:
 1.  Log on to [Docker Store](https://store.docker.com){: target="_blank" class="_"}.
 2.  Navigate to the repository details page (for example,
    [Nginx](https://store.docker.com/images/nginx){: target="_blank" class="_"}).
 3.  Click **View Available Tags** under the pull command in the upper right of
    the UI.
    Displalyed is a list of each tag scan with its age. A solid green bar
    indicates a clean scan without known vulnerabilities. Yellow, orange, and
    red indicate minor, major, and critical vulnerabilities respectively.
    ![Scanned tags](images/scan-tags.png)
    > Vulnerability scores
    >
    > Vulnerability scores are defined by the entity that issues the
    > vulnerability, such as [NVD](https://nvd.nist.gov/){: target="_blank" class="_"},
    > and are based on a
    > [Qualitative Severity Rating Scale](https://www.first.org/cvss/specification-document#5-Qualitative-Severity-Rating-Scale){: target="_blank" class="_"}
    > defined as part of the
    > [Common Vulnerability Scoring System (CVSS) specification](https://www.first.org/cvss/specification-document){: target="_blank" class="_"}.
 4.  Click a scan summary to see a list of results for each layer of the image.
    Each layer may have one or more scannable components represented by colored
    squares in a grid.
    ![Scanned results](images/scan-view.png)
    > Base layers
    >
    > Base layers contain components that are included in the parent image,
    > but that you did not build and may not be able to edit. If a base layer
    > has a vulnerability, switch to a version of the parent image that does not
    > have any vulnerabilities, or to a similar but more secure image.
 5.  Hover over a square in the grid, then click to see the vulnerability report
    for that specific component.
    Only components that add software are scanned. If a layer has
    no scannable components, it shows a `No components in this layer` message.
    ![Scanned component preview](images/scan-single.png)
 6.  Click the arrow icon (twice) to expand the list and show all vulnerable
    components and their CVE report codes.
    ![Scanned components](images/scan-full-details.png)
 7.  Click one of the CVE codes to view the original vulnerability report.
 #### Classification of issues
@ -302,17 +352,17 @@ the partner.
 Docker Certified Container images and plugins are meant to differentiate high
 quality content on Docker Store. Customers can consume Certified Containers with
 confidence knowing that both Docker and the publisher stands behind the
-solution. Further details can be found in the [Docker Partner Program Guide](https://www.docker.com/partnerprogramguide){: target="_blank" class="_"}.
+solution. Further details can be found in the
 [Docker Partner Program Guide](https://www.docker.com/partnerprogramguide){: target="_blank" class="_"}.
 #### What are the benefits of Docker Certified?
-Docker Store promotes Docker Certified Containers and Plugins running on
+Docker Store promotes Docker Certified Containers and Plugins running on Docker
-Docker Certified Infrastructure trusted and high quality content. With over 8B
+Certified Infrastructure trusted and high quality content. With over 8B image
-image pulls and access to Docker’s large customer base, a publisher can
+pulls and access to Docker’s large customer base, a publisher can differentiate
-differentiate their content by certifying their images and plugins. With a
+their content by certifying their images and plugins. With a revenue share
-revenue share agreement, Docker can be a channel for your content. The Docker
+agreement, Docker can be a channel for your content. The Docker Certified badge
-Certified badge can also be listed alongside external references to your
+can also be listed alongside external references to your product.
 product.
 #### How is the Docker Certified Container image listed on Docker Store?
@ -335,11 +385,11 @@ on Docker Store.
 All Docker Certified Container images and plugins running on Docker Certified
 Infrastructure come with SLA based support provided by the publisher and Docker.
 Normally, a customer contacts the publisher for container and application level
-issues. Likewise, a customer contacts Docker for Docker Edition support.
+issues. Likewise, a customer contacts Docker for Docker Edition support. In the
-In the case where a customer calls Docker (or vice versa) about an issue on the
+case where a customer calls Docker (or vice versa) about an issue on the
-application, Docker advises the customer about the publisher support process
+application, Docker advises the customer about the publisher support process and
-and performs a handover directly to the publisher if required. TSAnet is
+performs a handover directly to the publisher if required. TSAnet is required
-required for exchange of support tickets between the publisher and Docker.
+for exchange of support tickets between the publisher and Docker.
 #### How does a publisher apply to the Docker Certified program?