From 7dde6e40c6da56de651e017bb9f586bb69e14da0 Mon Sep 17 00:00:00 2001 From: Chris Chinchilla Date: Thu, 6 Apr 2023 10:14:04 +0200 Subject: [PATCH] Draft --- .github/vale/Vocab/Docker/accept.txt | 1 + docker-hub/publish/index.md | 2 +- docker-hub/publish/insights-analytics.md | 32 ++++++++++---------- docker-hub/vulnerability-scanning.md | 37 ++++++++++++------------ 4 files changed, 38 insertions(+), 34 deletions(-) diff --git a/.github/vale/Vocab/Docker/accept.txt b/.github/vale/Vocab/Docker/accept.txt index 30b809ff0b..55de96b6d7 100644 --- a/.github/vale/Vocab/Docker/accept.txt +++ b/.github/vale/Vocab/Docker/accept.txt @@ -25,4 +25,5 @@ Swarm Mode dockerd dockerignore Docker Hub Vulnerability Scanning +Docker Vulnerability Scanning Basic vulnerability scanning \ No newline at end of file diff --git a/docker-hub/publish/index.md b/docker-hub/publish/index.md index 0df2d83853..446585c5c0 100644 --- a/docker-hub/publish/index.md +++ b/docker-hub/publish/index.md @@ -55,7 +55,7 @@ selected time span. Data points include tag, type of pull, user geolocation, cli ## Vulnerability scanning [Docker Scout](/scout/){: -target="blank" rel="noopener" class=""} provides automatic vulnerability scanning for images published to Docker Hub. +target="blank" rel="noopener" class=""} provides automatic vulnerability scanning for DVP images published to Docker Hub. Scanning images ensures that the published content is secure, and proves to developers that they can trust the image. You can enable scanning on a per-repository basis, refer to [vulnerability scanning](/docker-hub/vulnerability-scanning/){: diff --git a/docker-hub/publish/insights-analytics.md b/docker-hub/publish/insights-analytics.md index 20286cc2b3..38cdc5b6c5 100644 --- a/docker-hub/publish/insights-analytics.md +++ b/docker-hub/publish/insights-analytics.md @@ -4,11 +4,13 @@ description: Provides usage statistics of your images on Docker Hub. keywords: docker hub, hub, insights, analytics, api, verified publisher --- -Insights and analytics provides usage analytics for your Docker Verified -Publisher (DVP) images on Docker Hub. With this tool, you have self-serve access +Insights and analytics provides usage analytics for Docker Verified +Publisher (DVP) images on Docker Hub, providing self-serve access to metrics as both raw data and summary data for a desired time span. You can view number of image pulls by tag or by digest, and get breakdowns by -geolocation, cloud provider, client, and more. Head to the +geolocation, cloud provider, client, and more. + +Head to the [Docker Verified Publisher Program page](https://www.docker.com/partners/programs/){: target="blank" rel="noopener" class="_" } to learn more about the benefits of becoming a verified publisher. @@ -42,8 +44,8 @@ This is a convenient way to share statistics with others in your organization. ![Chart share icon](./images/chart-share-icon.png) -Selecting the icon generates a link that gets copied to your clipboard. The link -preserves the display selections you made. When someone uses the link, the +Selecting the icon generates a link that's copied to your clipboard. The link +preserves the display selections you made. When someone follows the link, the **Insights and analytics** page opens and displays the chart with the same configuration as you had set up when creating the link. @@ -58,7 +60,7 @@ Sunday) or monthly format. Monthly data is available from the first day of the following calendar month. You can import this data into your own systems, or you can analyze it manually as a spreadsheet. -### Export data using the website +### Export data Export usage data for your organization's images using the Docker Hub website by following these steps: @@ -161,16 +163,16 @@ target="_blank" rel="noopener" class="_"}. | Starting event | Reference | Followed by | Resulting action | Use case(s) | Notes | | :------------- | :-------- | :-------------------------------------------------------------- | :--------------- | :------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | HEAD | tag | N/A | Version check | User already has all layers existing on local machine | This is similar to the use case of a pull by tag when the user already has all the image layers existing locally, however, it differentiates the user intent and classifies accordingly. | -| GET | tag | N/A | Pull by tag | User already has all layers existing on local machine and/or the image is single-architecture | -| GET | tag | Get by different digest | Pull by tag | Image is multi-architecture | Second GET by digest must be different from the first. | -| HEAD | tag | GET by same digest | Pull by tag | Image is multi-architecture but some or all image layers already exist on the local machine | The HEAD by tag sends the most current digest, the following GET must be by that same digest. There may occur an additional GET, if the image is multi-architecture (see the next row in this table). If the user doesn't want the most recent digest, then the user performs HEAD by digest. | -| HEAD | tag | GET by the same digest, then a second GET by a different digest | Pull by tag | Image is multi-architecture | The HEAD by tag sends the most recent digest, the following GET must be by that same digest. Since the image is multi-architecture, there is a second GET by a different digest. If the user doesn't want the most recent digest, then the user performs HEAD by digest. | -| HEAD | tag | GET by same digest, then a second GET by different digest | Pull by tag | Image is multi-architecture | The HEAD by tag sends the most current digest, the following GET must be by that same digest. Since the image is multi-architecture, there is a second GET by a different digest. If the user doesn't want the most recent digest, then the user performs HEAD by digest. | -| GET | digest | N/A | Pull by digest | User already has all layers existing on local machine and/or the image is single-architecture | +| GET | tag | N/A | Pull by tag | User already has all layers existing on local machine and/or the image is single-arch | +| GET | tag | Get by different digest | Pull by tag | Image is multi-arch | Second GET by digest must be different from the first. | +| HEAD | tag | GET by same digest | Pull by tag | Image is multi-arch but some or all image layers already exist on the local machine | The HEAD by tag sends the most current digest, the following GET must be by that same digest. There may occur an additional GET, if the image is multi-arch (see the next row in this table). If the user doesn't want the most recent digest, then the user performs HEAD by digest. | +| HEAD | tag | GET by the same digest, then a second GET by a different digest | Pull by tag | Image is multi-arch | The HEAD by tag sends the most recent digest, the following GET must be by that same digest. Since the image is multi-arch, there is a second GET by a different digest. If the user doesn't want the most recent digest, then the user performs HEAD by digest. | +| HEAD | tag | GET by same digest, then a second GET by different digest | Pull by tag | Image is multi-arch | The HEAD by tag sends the most current digest, the following GET must be by that same digest. Since the image is multi-arch, there is a second GET by a different digest. If the user doesn't want the most recent digest, then the user performs HEAD by digest. | +| GET | digest | N/A | Pull by digest | User already has all layers existing on local machine and/or the image is single-arch | | HEAD | digest | N/A | Pull by digest | User already has all layers existing on their local machine | -| GET | digest | GET by different digest | Pull by digest | Image is multi-architecture | The second GET by digest must be different from the first. | -| HEAD | digest | GET by same digest | Pull by digest | Image is single-architecture and/or image is multi-architecture but some part of the image already exists on the local machine | -| HEAD | digest | GET by same digest, then a second GET by different digest | Pull by Digest | Image is multi-architecture | +| GET | digest | GET by different digest | Pull by digest | Image is multi-arch | The second GET by digest must be different from the first. | +| HEAD | digest | GET by same digest | Pull by digest | Image is single-arch and/or image is multi-arch but some part of the image already exists on the local machine | +| HEAD | digest | GET by same digest, then a second GET by different digest | Pull by Digest | Image is multi-arch | ## Changes in data over time diff --git a/docker-hub/vulnerability-scanning.md b/docker-hub/vulnerability-scanning.md index d37fbc3712..21e2a919f7 100644 --- a/docker-hub/vulnerability-scanning.md +++ b/docker-hub/vulnerability-scanning.md @@ -22,7 +22,7 @@ Scan results include: - The source of the vulnerability, such as Operating System (OS) packages and libraries -- The version which introduced the vulnerability +- The version in which it was introduced - A recommended fixed version (if available) to remediate the vulnerabilities discovered. @@ -51,14 +51,14 @@ improving your security posture. ## Scan images with Basic vulnerability scanning Repository owners and administrators of a Docker Pro, Team, or a Business tier -can toggle Basic vulnerability scanning. When scanning is active on a +enable and disable Basic vulnerability scanning. When scanning is active on a repository, anyone with push access can trigger a scan by pushing an image to Docker Hub. Additionally, repository owners in a Docker Pro subscription and team members in a Team, or a Business subscription can view the detailed scan reports. -> **Image types supported** +> **Note** > > Basic vulnerability scanning supports scanning images which are of AMD64 > architecture, Linux OS, and are less than 10 GB in size. @@ -67,24 +67,24 @@ a Team, or a Business subscription can view the detailed scan reports. Repository owners and administrators can enable Basic vulnerability scanning on a repository. If you are a member of a Team or a Business subscription, ensure -the repository you want to enable scanning on is part of the Team or a +the repository you would like to enable scanning on is part of the Team or a Business tier. To enable Basic vulnerability scanning: 1. Log into your [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} account. -2. Select **Repositories** from the main menu and select a repository from the +2. Click **Repositories** from the main menu and select a repository from the list. -3. Select the **Settings** tab. +3. Go to the **Settings** tab. 4. Under **Image insight settings**, select **Basic Hub vulnerability scanning**. 5. Select **Save**. ### Scan an image -To scan an image for vulnerabilities, push to the -repository for the image to Docker Hub which you have turned on scanning: +To scan an image for vulnerabilities, push the image to Docker Hub, to the +repository for which you have turned on scanning: 1. Ensure you have installed Docker locally. See [Get Docker](../get-docker.md) to download and install Docker on your local machine. @@ -117,13 +117,14 @@ To view the vulnerability report: ![Vulnerability scan report](images/vuln-scan-report.png){:width="700px"} -2. Select the **Tags** tab > **Digest** > **Vulnerabilities** to view the +2. Click on the **Tags** tab > **Digest** > **Vulnerabilities** to view the detailed scan report. - The scan report displays the vulnerabilities identified, sorting them + The scan report displays vulnerabilities identified by the scan, sorting them according to their severity, with highest severity listed at the top. It displays information about the package that contains the vulnerability, the - version that introduced it, and whether a later version fixes the vulnerability. + version in which it was introduced, and whether the vulnerability is fixed in + a later version. ![Vulnerability scan details](images/vuln-scan-details.png){:width="700px"} @@ -132,18 +133,18 @@ For more information on this view, see ### Inspect vulnerabilities -The scan report displays the vulnerabilities identified, sorting them -according to their severity, with highest severity listed at the top. It +The vulnerability report sorts vulnerabilities based on their severity. It displays information about the package that contains the vulnerability, the -version that introduced it, and whether a later version fixes the vulnerability. +version in which it was introduced, and whether the vulnerability has been fixed +in a later version. -The vulnerability scan report helps development teams and security leads +The vulnerability scan report also allows development teams and security leads to compare the vulnerability counts across tags to see whether the vulnerabilities are decreasing or increasing over time. ### Fix vulnerabilities -Once you have identified a list of vulnerabilities, there are a couple of +Once a list of vulnerabilities have been identified, there are a couple of actions you can take to remediate the vulnerabilities. For example, you can: 1. Specify an updated base image in the Dockerfile, check your application-level @@ -166,8 +167,8 @@ a repository. To disable scanning: 1. Log into your [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} account. -2. Select **Repositories** from the main menu and select a repository from the +2. Go to **Repositories** from the main menu and select a repository from the list. -3. Select the **Settings** tab. +3. Go to the **Settings** tab. 4. Under **Image insight settings**, select **None**. 5. Select **Save**.