mirror of https://github.com/docker/docs.git
scout: add remediation
Signed-off-by: David Karlsson <david.karlsson@docker.com>
This commit is contained in:
David Karlsson
parent
7737566de5
commit
7a860553f5
|
|
@ -58,3 +58,103 @@ Images may be exposed to vulnerabilities and exploits. These are detected and
|
|||
listed on the right-hand side, grouped by package, and sorted in order of
|
||||
severity. Further information on whether the vulnerability has an available fix,
|
||||
for example, can be examined by expanding the sections.
|
||||
|
||||
## Remediation
|
||||
|
||||
In Docker Hub and Docker Desktop 4.17 and later versions, when inspecting an
|
||||
image, you can get recommended actions for improving the security of that image.
|
||||
|
||||
### Recommendations in Docker Desktop
|
||||
|
||||
To view security recommendations for an image in Docker Desktop:
|
||||
|
||||
1. Go to the **Images** view in Docker Desktop.
|
||||
1. Select the image tag that you want to view recommendations for.
|
||||
1. Near the top, select the **Recommended fixes** dropdown button.
|
||||
|
||||
The dropdown menu lets you choose whether you want to see recommendations for
|
||||
the current image or any base images used to build it:
|
||||
|
||||
- [**Recommendations for this image**](#recommendations-for-current-image)
|
||||
provides recommendations for the current image that you're inspecting.
|
||||
- [**Recommendations for base image**](#recommendations-for-base-image) provides
|
||||
recommendations for base images used to build the image.
|
||||
|
||||
If the image you're viewing has no associated base images, only the option to
|
||||
view recommendations for the current image displays here.
|
||||
|
||||
### Recommendations in Docker Hub
|
||||
|
||||
To view security recommendations for an image in Docker Hub:
|
||||
|
||||
1. Go to the repository page for an image where you have activated Docker Scout
|
||||
image analysis.
|
||||
2. Open the **Tags** tab.
|
||||
3. Select the tag that you want to view recommendations for.
|
||||
4. Select the **View recommended base image fixes** button.
|
||||
|
||||
This opens a window which gives you recommendations for you can improve the
|
||||
security of your image by using better base images. See
|
||||
[Recommendations for base image](#recommendations-for-base-image) for more
|
||||
details.
|
||||
|
||||
### Recommendations for current image
|
||||
|
||||
> **Note**
|
||||
>
|
||||
> This recommendation is only available in Docker Desktop.
|
||||
|
||||
Recommendations for the current image helps you determine whether the image
|
||||
version that you're using is out of date. If tag you're using is referencing an
|
||||
old digest, you'll receive a recommendation to update your tag by pulling the
|
||||
latest version of the tag.
|
||||
|
||||
Select the **Pull new image** button to get the updated version. Select the
|
||||
checkbox to remove the old version after pulling the latest.
|
||||
|
||||
### Recommendations for base image
|
||||
|
||||
The base image recommendations view contains two tabs for toggling between
|
||||
different types of recommendations:
|
||||
|
||||
- Refresh base image
|
||||
- Change base image
|
||||
|
||||
These base image recommendations are only actionable if you're the author of the
|
||||
image you're inspecting. That's because changing the base image for an image
|
||||
requires you to update the Dockerfile and re-build the image.
|
||||
|
||||
#### Refresh base image
|
||||
|
||||
This tab shows you if you if the selected base image tag is the latest available
|
||||
version, or if it's outdated.
|
||||
|
||||
If the base image tag used to build the current image isn't the latest, then the
|
||||
delta between the two versions shows in this window. The delta information
|
||||
includes:
|
||||
|
||||
- The tag name, and aliases, of the recommended (newer) version
|
||||
- The age of the current base image version
|
||||
- The age of the latest available version
|
||||
- The number of CVEs affecting each version
|
||||
|
||||
At the bottom of the window, you also receive command snippets that you can run
|
||||
to re-build the image using the latest version.
|
||||
|
||||
#### Change base image
|
||||
|
||||
This tab can present you with different alternative tags that you can use, and
|
||||
outlines the benefits and disadvantages of each tag version. Select base image
|
||||
tag, and receive recommended options for that tag.
|
||||
|
||||
For example, if the image you're inspecting is using an old version of `debian`
|
||||
as a base image, you can get recommendations for newer and more secure versions
|
||||
of `debian` to use. By providing more than one alternative to choose from, you
|
||||
can see for yourself how the options compare with each other, and decide which
|
||||
one to use.
|
||||
|
||||
{:width="700px"}
|
||||
|
||||
Select a tag recommendation to receive further details of the recommendation.
|
||||
You'll see the benefits and potential disadvantages of this tag, why it's a
|
||||
recommended, and how to update your Dockerfile to use this version.
|
||||
|
|
|
|||
Binary file not shown.
|
Before Width: | Height: | Size: 152 KiB After Width: | Height: | Size: 270 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 817 KiB After Width: | Height: | Size: 836 KiB |
Loading…
Reference in New Issue