docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Draft

This commit is contained in:
Chris Chinchilla 2023-04-06 10:14:04 +02:00
parent d75c07c194
commit 7dde6e40c6
4 changed files with 38 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.github/vale/Vocab/Docker/accept.txt vendored
View File

@ -25,4 +25,5 @@ Swarm Mode
dockerd dockerd
dockerignore dockerignore
Docker Hub Vulnerability Scanning Docker Hub Vulnerability Scanning
Docker Vulnerability Scanning
Basic vulnerability scanning Basic vulnerability scanning

2
docker-hub/publish/index.md
View File

@ -55,7 +55,7 @@ selected time span. Data points include tag, type of pull, user geolocation, cli
## Vulnerability scanning ## Vulnerability scanning
[Docker Scout](/scout/){: [Docker Scout](/scout/){:
target="blank" rel="noopener" class=""} provides automatic vulnerability scanning for images published to Docker Hub. target="blank" rel="noopener" class=""} provides automatic vulnerability scanning for DVP images published to Docker Hub.
Scanning images ensures that the published content is secure, and proves to Scanning images ensures that the published content is secure, and proves to
developers that they can trust the image. You can enable scanning on a per-repository developers that they can trust the image. You can enable scanning on a per-repository
basis, refer to [vulnerability scanning](/docker-hub/vulnerability-scanning/){: basis, refer to [vulnerability scanning](/docker-hub/vulnerability-scanning/){:

32
docker-hub/publish/insights-analytics.md
View File

@ -4,11 +4,13 @@ description: Provides usage statistics of your images on Docker Hub.
keywords: docker hub, hub, insights, analytics, api, verified publisher keywords: docker hub, hub, insights, analytics, api, verified publisher
--- ---
Insights and analytics provides usage analytics for your Docker Verified Insights and analytics provides usage analytics for Docker Verified
Publisher (DVP) images on Docker Hub. With this tool, you have self-serve access Publisher (DVP) images on Docker Hub, providing self-serve access
to metrics as both raw data and summary data for a desired time span. You can to metrics as both raw data and summary data for a desired time span. You can
view number of image pulls by tag or by digest, and get breakdowns by view number of image pulls by tag or by digest, and get breakdowns by
geolocation, cloud provider, client, and more. Head to the geolocation, cloud provider, client, and more.
Head to the
[Docker Verified Publisher Program page](https://www.docker.com/partners/programs/){: target="blank" rel="noopener" class="_" } [Docker Verified Publisher Program page](https://www.docker.com/partners/programs/){: target="blank" rel="noopener" class="_" }
to learn more about the benefits of becoming a verified publisher. to learn more about the benefits of becoming a verified publisher.
@ -42,8 +44,8 @@ This is a convenient way to share statistics with others in your organization.
![Chart share icon](./images/chart-share-icon.png) ![Chart share icon](./images/chart-share-icon.png)
Selecting the icon generates a link that gets copied to your clipboard. The link Selecting the icon generates a link that's copied to your clipboard. The link
preserves the display selections you made. When someone uses the link, the preserves the display selections you made. When someone follows the link, the
**Insights and analytics** page opens and displays the chart with the same **Insights and analytics** page opens and displays the chart with the same
configuration as you had set up when creating the link. configuration as you had set up when creating the link.
@ -58,7 +60,7 @@ Sunday) or monthly format. Monthly data is available from the first day of the
following calendar month. You can import this data into your own systems, or you following calendar month. You can import this data into your own systems, or you
can analyze it manually as a spreadsheet. can analyze it manually as a spreadsheet.
### Export data using the website ### Export data
Export usage data for your organization's images using the Docker Hub website by following these steps: Export usage data for your organization's images using the Docker Hub website by following these steps:
@ -161,16 +163,16 @@ target="_blank" rel="noopener" class="_"}.
| Starting event | Reference | Followed by | Resulting action | Use case(s) | Notes | | Starting event | Reference | Followed by | Resulting action | Use case(s) | Notes |
| :------------- | :-------- | :-------------------------------------------------------------- | :--------------- | :------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | :------------- | :-------- | :-------------------------------------------------------------- | :--------------- | :------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| HEAD | tag | N/A | Version check | User already has all layers existing on local machine | This is similar to the use case of a pull by tag when the user already has all the image layers existing locally, however, it differentiates the user intent and classifies accordingly. | | HEAD | tag | N/A | Version check | User already has all layers existing on local machine | This is similar to the use case of a pull by tag when the user already has all the image layers existing locally, however, it differentiates the user intent and classifies accordingly. |
| GET | tag | N/A | Pull by tag | User already has all layers existing on local machine and/or the image is single-architecture | | GET | tag | N/A | Pull by tag | User already has all layers existing on local machine and/or the image is single-arch |
| GET | tag | Get by different digest | Pull by tag | Image is multi-architecture | Second GET by digest must be different from the first. | | GET | tag | Get by different digest | Pull by tag | Image is multi-arch | Second GET by digest must be different from the first. |
| HEAD | tag | GET by same digest | Pull by tag | Image is multi-architecture but some or all image layers already exist on the local machine | The HEAD by tag sends the most current digest, the following GET must be by that same digest. There may occur an additional GET, if the image is multi-architecture (see the next row in this table). If the user doesn't want the most recent digest, then the user performs HEAD by digest. | | HEAD | tag | GET by same digest | Pull by tag | Image is multi-arch but some or all image layers already exist on the local machine | The HEAD by tag sends the most current digest, the following GET must be by that same digest. There may occur an additional GET, if the image is multi-arch (see the next row in this table). If the user doesn't want the most recent digest, then the user performs HEAD by digest. |
| HEAD | tag | GET by the same digest, then a second GET by a different digest | Pull by tag | Image is multi-architecture | The HEAD by tag sends the most recent digest, the following GET must be by that same digest. Since the image is multi-architecture, there is a second GET by a different digest. If the user doesn't want the most recent digest, then the user performs HEAD by digest. | | HEAD | tag | GET by the same digest, then a second GET by a different digest | Pull by tag | Image is multi-arch | The HEAD by tag sends the most recent digest, the following GET must be by that same digest. Since the image is multi-arch, there is a second GET by a different digest. If the user doesn't want the most recent digest, then the user performs HEAD by digest. |
| HEAD | tag | GET by same digest, then a second GET by different digest | Pull by tag | Image is multi-architecture | The HEAD by tag sends the most current digest, the following GET must be by that same digest. Since the image is multi-architecture, there is a second GET by a different digest. If the user doesn't want the most recent digest, then the user performs HEAD by digest. | | HEAD | tag | GET by same digest, then a second GET by different digest | Pull by tag | Image is multi-arch | The HEAD by tag sends the most current digest, the following GET must be by that same digest. Since the image is multi-arch, there is a second GET by a different digest. If the user doesn't want the most recent digest, then the user performs HEAD by digest. |
| GET | digest | N/A | Pull by digest | User already has all layers existing on local machine and/or the image is single-architecture | | GET | digest | N/A | Pull by digest | User already has all layers existing on local machine and/or the image is single-arch |
| HEAD | digest | N/A | Pull by digest | User already has all layers existing on their local machine | | HEAD | digest | N/A | Pull by digest | User already has all layers existing on their local machine |
| GET | digest | GET by different digest | Pull by digest | Image is multi-architecture | The second GET by digest must be different from the first. | | GET | digest | GET by different digest | Pull by digest | Image is multi-arch | The second GET by digest must be different from the first. |
| HEAD | digest | GET by same digest | Pull by digest | Image is single-architecture and/or image is multi-architecture but some part of the image already exists on the local machine | | HEAD | digest | GET by same digest | Pull by digest | Image is single-arch and/or image is multi-arch but some part of the image already exists on the local machine |
| HEAD | digest | GET by same digest, then a second GET by different digest | Pull by Digest | Image is multi-architecture | | HEAD | digest | GET by same digest, then a second GET by different digest | Pull by Digest | Image is multi-arch |
## Changes in data over time ## Changes in data over time

37
docker-hub/vulnerability-scanning.md
View File

@ -22,7 +22,7 @@ Scan results include:
- The source of the vulnerability, such as Operating System (OS) packages and - The source of the vulnerability, such as Operating System (OS) packages and
libraries libraries
- The version which introduced the vulnerability - The version in which it was introduced
- A recommended fixed version (if available) to remediate the vulnerabilities - A recommended fixed version (if available) to remediate the vulnerabilities
discovered. discovered.
@ -51,14 +51,14 @@ improving your security posture.
## Scan images with Basic vulnerability scanning ## Scan images with Basic vulnerability scanning
Repository owners and administrators of a Docker Pro, Team, or a Business tier Repository owners and administrators of a Docker Pro, Team, or a Business tier
can toggle Basic vulnerability scanning. When scanning is active on a enable and disable Basic vulnerability scanning. When scanning is active on a
repository, anyone with push access can trigger a scan by pushing an image to repository, anyone with push access can trigger a scan by pushing an image to
Docker Hub. Docker Hub.
Additionally, repository owners in a Docker Pro subscription and team members in Additionally, repository owners in a Docker Pro subscription and team members in
a Team, or a Business subscription can view the detailed scan reports. a Team, or a Business subscription can view the detailed scan reports.
> **Image types supported** > **Note**
> >
> Basic vulnerability scanning supports scanning images which are of AMD64 > Basic vulnerability scanning supports scanning images which are of AMD64
> architecture, Linux OS, and are less than 10 GB in size. > architecture, Linux OS, and are less than 10 GB in size.
@ -67,24 +67,24 @@ a Team, or a Business subscription can view the detailed scan reports.
Repository owners and administrators can enable Basic vulnerability scanning on Repository owners and administrators can enable Basic vulnerability scanning on
a repository. If you are a member of a Team or a Business subscription, ensure a repository. If you are a member of a Team or a Business subscription, ensure
the repository you want to enable scanning on is part of the Team or a the repository you would like to enable scanning on is part of the Team or a
Business tier. Business tier.
To enable Basic vulnerability scanning: To enable Basic vulnerability scanning:
1. Log into your [Docker Hub](https://hub.docker.com){: target="_blank" 1. Log into your [Docker Hub](https://hub.docker.com){: target="_blank"
rel="noopener" class="_"} account. rel="noopener" class="_"} account.
2. Select **Repositories** from the main menu and select a repository from the 2. Click **Repositories** from the main menu and select a repository from the
list. list.
3. Select the **Settings** tab. 3. Go to the **Settings** tab.
4. Under **Image insight settings**, select **Basic Hub vulnerability 4. Under **Image insight settings**, select **Basic Hub vulnerability
scanning**. scanning**.
5. Select **Save**. 5. Select **Save**.
### Scan an image ### Scan an image
To scan an image for vulnerabilities, push to the To scan an image for vulnerabilities, push the image to Docker Hub, to the
repository for the image to Docker Hub which you have turned on scanning: repository for which you have turned on scanning:
1. Ensure you have installed Docker locally. See [Get Docker](../get-docker.md) 1. Ensure you have installed Docker locally. See [Get Docker](../get-docker.md)
to download and install Docker on your local machine. to download and install Docker on your local machine.
@ -117,13 +117,14 @@ To view the vulnerability report:
![Vulnerability scan report](images/vuln-scan-report.png){:width="700px"} ![Vulnerability scan report](images/vuln-scan-report.png){:width="700px"}
2. Select the **Tags** tab > **Digest** > **Vulnerabilities** to view the 2. Click on the **Tags** tab > **Digest** > **Vulnerabilities** to view the
detailed scan report. detailed scan report.
The scan report displays the vulnerabilities identified, sorting them The scan report displays vulnerabilities identified by the scan, sorting them
according to their severity, with highest severity listed at the top. It according to their severity, with highest severity listed at the top. It
displays information about the package that contains the vulnerability, the displays information about the package that contains the vulnerability, the
version that introduced it, and whether a later version fixes the vulnerability. version in which it was introduced, and whether the vulnerability is fixed in
a later version.
![Vulnerability scan details](images/vuln-scan-details.png){:width="700px"} ![Vulnerability scan details](images/vuln-scan-details.png){:width="700px"}
@ -132,18 +133,18 @@ For more information on this view, see
### Inspect vulnerabilities ### Inspect vulnerabilities
The scan report displays the vulnerabilities identified, sorting them The vulnerability report sorts vulnerabilities based on their severity. It
according to their severity, with highest severity listed at the top. It
displays information about the package that contains the vulnerability, the displays information about the package that contains the vulnerability, the
version that introduced it, and whether a later version fixes the vulnerability. version in which it was introduced, and whether the vulnerability has been fixed
in a later version.
The vulnerability scan report helps development teams and security leads The vulnerability scan report also allows development teams and security leads
to compare the vulnerability counts across tags to see whether the to compare the vulnerability counts across tags to see whether the
vulnerabilities are decreasing or increasing over time. vulnerabilities are decreasing or increasing over time.
### Fix vulnerabilities ### Fix vulnerabilities
Once you have identified a list of vulnerabilities, there are a couple of Once a list of vulnerabilities have been identified, there are a couple of
actions you can take to remediate the vulnerabilities. For example, you can: actions you can take to remediate the vulnerabilities. For example, you can:
1. Specify an updated base image in the Dockerfile, check your application-level 1. Specify an updated base image in the Dockerfile, check your application-level
@ -166,8 +167,8 @@ a repository. To disable scanning:
1. Log into your [Docker Hub](https://hub.docker.com){: target="_blank" 1. Log into your [Docker Hub](https://hub.docker.com){: target="_blank"
rel="noopener" class="_"} account. rel="noopener" class="_"} account.
2. Select **Repositories** from the main menu and select a repository from the 2. Go to **Repositories** from the main menu and select a repository from the
list. list.
3. Select the **Settings** tab. 3. Go to the **Settings** tab.
4. Under **Image insight settings**, select **None**. 4. Under **Image insight settings**, select **None**.
5. Select **Save**. 5. Select **Save**.