ENGDOCS-1558 (#18419)

* initial structure

* move security announcements page

* PAT and 2FA content move

* fix broken links and adjust landing page cards with moved topics

* fix links

* move enforce sign in content and update landing page

* move enforce sign in content and update landing page

* fix build

* fix image

* move domain audit content

* add domain audit to grid

* move RAM and IAM

* landing page

* more landing page development

* fix links

* fix links

* fix toc

* move scout

* move scout

content/admin/company/settings/domains.md

@@ -1,13 +0,0 @@
----
-description: Domain management in Docker Admin
-keywords: domains, SCIM, SSO, Docker Admin
-title: Domain management
----
-
-{{< include "admin-early-access.md" >}}
-
-Use domain management to manage your domains for Single Sign-On and SCIM.
-
-## Add and verify a domain
-
-{{% admin-domains product="admin" layer="company" %}}

content/admin/organization/image-access.md

@@ -1,9 +0,0 @@
----
-description: Image Access Management
-keywords: image, access, management
-title: Image Access Management
----
-
-{{< include "admin-early-access.md" >}}
-
-{{% admin-image-access product="admin" %}}

content/admin/organization/registry-access.md

@@ -1,9 +0,0 @@
----
-description: Registry Access Management
-keywords: registry, access, management
-title: Registry Access Management
----
-
-{{< include "admin-early-access.md" >}}
-
-{{% admin-registry-access product="admin" %}}

content/admin/organization/security-settings/domains.md

@@ -1,17 +0,0 @@
----
-description: Domain management in Docker Admin
-keywords: domains, SCIM, SSO, Docker Admin, domain audit
-title: Domain management
----
-
-{{< include "admin-early-access.md" >}}
-
-Use domain management to manage your domains for Single Sign-On and SCIM, as well as audit your domains for uncaptured users.
-
-## Add and verify a domain
-
-{{% admin-domains product="admin" layer="organization" %}}
-
-## Domain audit
-
-{{% admin-domain-audit product="admin" %}}

content/build/hydrobuild.md

@@ -323,7 +323,7 @@ mkdir -vp ~/.docker/cli-plugins/
 curl --silent -L --output ~/.docker/cli-plugins/docker-buildx $BUILDX_URL
 chmod a+x ~/.docker/cli-plugins/docker-buildx
 
-# Login to Docker Hub. For security reasons $DOCKER_PASS should be a Personal Access Token. See https://docs.docker.com/docker-hub/access-tokens/
+# Login to Docker Hub. For security reasons $DOCKER_PASS should be a Personal Access Token. See https://docs.docker.com/security/for-developers/access-tokens/
 echo "$DOCKER_PASS" | docker login --username $DOCKER_USER --password-stdin
 
 # Connect to your builder and set it as the default builder

content/cloud/ecs-integration.md

@@ -216,7 +216,7 @@ For your convenience, the Docker Compose CLI offers the `docker secret` command,
 
 First, create a `token.json` file to define your DockerHub username and access token.
 
-For instructions on how to generate access tokens, see [Managing access tokens](../docker-hub/access-tokens.md).
+For instructions on how to generate access tokens, see [Managing access tokens](../security/for-developers/access-tokens.md)
 
 ```json
 {

content/desktop/faqs/general.md

@@ -48,7 +48,7 @@ This includes:
 
 - The resources in the [Learning Center](../use-desktop/index.md)
 - Pulling or pushing an image to Docker Hub
-- [Image Access Management](../../docker-hub/image-access-management.md)
+- [Image Access Management](../../security/for-developers/access-tokens.md)
 - [Vulnerability scanning](../../docker-hub/vulnerability-scanning.md)
 - Viewing remote images in the Docker Dashboard
 - Setting up [Dev Environments](../dev-environments/index.md)

content/desktop/get-started.md

@@ -35,7 +35,7 @@ Once signed in, you can access your Docker Hub repositories directly from Docker
 
 Authenticated users also get a higher pull rate limit compared to anonymous users. For example, if you are authenticated, you get 200 pulls per 6 hour period, compared to 100 pulls per 6 hour period per IP address for anonymous users. For more information, see [Download rate limit](../docker-hub/download-rate-limit.md).
 
-In large enterprises where admin access is restricted, administrators can [Configure registry.json to enforce sign-in](../docker-hub/configure-sign-in.md). Enforcing developers to authenticate through Docker Desktop also allows administrators to improve their organization’s security posture for containerized development by taking advantage of [Hardened Desktop](hardened-desktop/index.md).
+In large enterprises where admin access is restricted, administrators can [Configure registry.json to enforce sign-in](../security/for-admins/configure-sign-in.md). Enforcing developers to authenticate through Docker Desktop also allows administrators to improve their organization’s security posture for containerized development by taking advantage of [Hardened Desktop](hardened-desktop/index.md).
 
 > **Note**
 >

content/desktop/hardened-desktop/_index.md

@@ -16,11 +16,11 @@ grid:
   - title: "Registry Access Management"
     description: Control the registries developers can access while using Docker Desktop.
     icon: "home_storage"
-    link: "/desktop/hardened-desktop/registry-access-management/"
+    link: "/security/for-admins/registry-access-management/"
   - title: "Image Access Management"
     description: Control the images developers can pull from Docker Hub.
     icon: "photo_library"
-    link: "/docker-hub/image-access-management/"
+    link: "/security/for-admins/image-access-management/"
 ---
 
 >Note

content/desktop/hardened-desktop/enhanced-container-isolation/_index.md

@@ -21,7 +21,7 @@ These techniques include:
 
 When Enhanced Container Isolation is enabled, these mechanisms are applied automatically and with minimal functional or performance impact to developers. Developers continue to use Docker Desktop as usual, but the containers they launch are more strongly isolated.
 
-Enhanced Container Isolation ensures stronger container isolation and also locks in any security configurations that have been created by IT admins, for instance through [Registry Access Management policies](../registry-access-management.md) or with [Settings Management](../settings-management/index.md).
+Enhanced Container Isolation ensures stronger container isolation and also locks in any security configurations that have been created by IT admins, for instance through [Registry Access Management policies](../../../security/for-admins/registry-access-management.md) or with [Settings Management](../settings-management/index.md).
 
 >**Note**
 >
@@ -90,7 +90,7 @@ To enable Enhanced Container Isolation as a developer:
 
 #### As an admin
 
-To enable Enhanced Container Isolation as an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Enhanced Container Isolation feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect.
+To enable Enhanced Container Isolation as an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../security/for-admins/configure-sign-in.md). This is because the Enhanced Container Isolation feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect.
 
 Next, you must [create and configure the `admin-settings.json` file](../settings-management/configure.md) and specify:
 

content/desktop/hardened-desktop/image-access-management.md

@@ -1,7 +0,0 @@
----
-description: Image Access Management
-keywords: image, access, management
-title: Image Access Management
----
-
-{{% admin-image-access product="hub" %}}

content/desktop/hardened-desktop/registry-access-management.md

@@ -1,10 +0,0 @@
----
-description: What Registry Access Management is and how to use it
-keywords: registry access management, Hardened Docker Desktop, Docker Desktop, images,
-  Docker Hub
-title: Registry Access Management
-aliases:
-- /docker-hub/registry-access-management/
----
-
-{{% admin-registry-access product="hub" %}}

content/desktop/hardened-desktop/settings-management/_index.md

@@ -44,7 +44,7 @@ For more details on the syntax and options admins can set, see [Configure Settin
 
 ### How do I set up and enforce Settings Management?
 
-As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Settings Management feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect.
+As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../security/for-admins/configure-sign-in.md). This is because the Settings Management feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect.
 
 Next, you must either manually [create and configure the admin-settings.json file](configure.md), or use the `--admin-settings` installer flag on [macOS](../../install/mac-install.md#install-from-the-command-line) or [Windows](../../install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location.
 

content/desktop/hardened-desktop/settings-management/configure.md

@@ -15,7 +15,7 @@ Settings Management is designed specifically for organizations who don’t give
 ### Prerequisites
 
 - [Download and install Docker Desktop 4.13.0 or later](../../release-notes.md).
-- As an admin, you need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect.
+- As an admin, you need to [configure a registry.json to enforce sign-in](../../../security/for-admins/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect.
 
 ### Step one: Create the `admin-settings.json` file and save it in the correct location
 

content/docker-hub/_index.md

@@ -17,10 +17,6 @@ grid:
   description: Step-by-step instructions on getting started on Docker Hub.
   icon: explore
   link: /docker-hub/quickstart
-- title: Manage access tokens
-  description: Create personal access tokens as an alternative to your password.
-  icon: password
-  link: /docker-hub/access-tokens
 - title: Release notes
   description: Find out about new features, improvements, and bug fixes.
   icon: note_add
@@ -51,7 +47,7 @@ GitHub and Bitbucket and push them to Docker Hub.
 * Use [Group mapping](group-mapping.md)
 * [Carry out domain audits](domain-audit.md)
 * [Use Image Access Management](image-access-management.md) to control developers' access to certain types of images
-* [Turn on Registry Access Management](../desktop/hardened-desktop/registry-access-management.md)
+* [Turn on Registry Access Management](../security/for-admins/registry-access-management.md)
 {{< /tab >}}
 {{< /tabs >}}
 

content/docker-hub/admin-overview.md

@@ -11,24 +11,12 @@ grid:
   icon: explore
   link: /docker-hub/onboard/
   description: Learn how to onboard users to your organization.
-- title: Use Hardened Docker Desktop
-  icon: lock
-  link: /desktop/hardened-desktop/
-  description: Explore the security model for Docker Desktop.
-- title: Enforce sign-in
-  description: Configure sign-in for members of your teams and organizations.
-  link: /docker-hub/configure-sign-in/
-  icon: passkey
 - title: Enable Single Sign-On
   description: Understand and use Single Sign-On.
   link: /single-sign-on/
   icon: key
-- title: Set up two-factor authentication
-  description: Add an extra layer of authentication to your Docker account.
-  link: /docker-hub/2fa/
-  icon: phonelink_lock
 ---
 
-Sign in to Docker Hub to change account settings and carry out administrative or security-related tasks. 
+Sign in to Docker Hub to change account settings and carry out administrative related tasks. 
 
 {{< grid >}}

content/docker-hub/api/latest.yaml

@@ -62,7 +62,7 @@ tags:
     x-displayName: Personal Access Tokens
     description: |
       The Personal Access Token endpoints lets you manage personal access tokens. For more 
-      information, see [Access Tokens](https://docs.docker.com/docker-hub/access-tokens/).
+      information, see [Access Tokens](https://docs.docker.com/security/for-developers/access-tokens/).
 
       You can use a personal access token instead of a password in the [Docker CLI](https://docs.docker.com/engine/reference/commandline/cli/) 
       or in the [Create an authentication token](#operation/PostUsersLogin) route to obtain a bearer 

content/docker-hub/domain-audit.md

@@ -1,7 +0,0 @@
----
-description: Audit your domains for uncaptured users.
-keywords: domain audit, security
-title: Domain audit
----
-
-{{% admin-domain-audit product="hub" %}}

content/docker-hub/general-faqs.md

@@ -1,6 +1,6 @@
 ---
 title: General FAQs for Docker Hub
-description: Frequently asked administration and security questions
+description: Frequently asked administration questions
 keywords: onboarding, docker, teams, orgs
 redirect:
 - /docker-hub/onboarding-faqs/

content/docker-hub/image-access-management.md

@@ -1,7 +0,0 @@
----
-description: Image Access Management
-keywords: image, access, management
-title: Image Access Management
----
-
-{{% admin-image-access product="hub" %}}

content/docker-hub/organization-faqs.md

@@ -29,9 +29,9 @@ No. Organization owners can invite users through email and also choose a team fo
 
 ### Can I force my organization's members to authenticate before using Docker Desktop and are there any benefits?
 
-Yes. You can [enforce sign-in](../docker-hub/configure-sign-in.md) and some benefits are:
+Yes. You can [enforce sign-in](../security/for-admins/configure-sign-in.md) and some benefits are:
 
-- Administrators can enforce features like [Image Access Management](../docker-hub/image-access-management.md) and [Registry Access Management](../docker-hub/registry-access-management.md).
+- Administrators can enforce features like [Image Access Management](../security/for-admins/image-access-management.md) and [Registry Access Management](../security/for-admins/registry-access-management.md).
  - Administrators can ensure compliance by blocking Docker Desktop usage for users who do not sign in as members of the organization.
 
 ### If a user has their personal email associated with a user account in Docker Hub, do they have to convert to using the org’s domain before they can be invited to join an organization?

content/docker-hub/registry-access-management.md

@@ -1,7 +0,0 @@
----
-description: Registry Access Management
-keywords: registry, access, management
-title: Registry Access Management
----
-
-{{% admin-registry-access product="hub" %}}

content/docker-hub/release-notes.md

@@ -38,7 +38,7 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro
 
 ### New
 
-- The new [domain audit](../docker-hub/domain-audit.md) feature lets you audit your domains for users who aren't a member of your organization.
+- The new domain audit feature lets you audit your domains for users who aren't a member of your organization.
 
 
 ## 2022-09-26
@@ -51,7 +51,7 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro
 
 ### Bug fixes and enhancements
 
-- In Docker Hub, you can now download a [registry.json](../docker-hub/configure-sign-in.md) file or copy the commands to create a registry.json file to enforce sign-in for your organization.
+- In Docker Hub, you can now download a [registry.json](../security/for-admins/configure-sign-in.md) file or copy the commands to create a registry.json file to enforce sign-in for your organization.
 
 ## 2022-09-19
 
@@ -188,7 +188,7 @@ to `hub.docker.com`. You can access the page at its new URL: [https://hub.docker
 ## 2019-10-21
 
 ### New features
-* **Beta:** Docker Hub now supports [two-factor authentication (2FA)](2fa/index.md). Enable it in your account settings, under the **[Security](https://hub.docker.com/settings/security)** section.
+* **Beta:** Docker Hub now supports two-factor authentication (2FA). Enable it in your account settings, under the **[Security](https://hub.docker.com/settings/security)** section.
 
     > If you lose both your 2FA authentication device and recovery code, you may
     > not be able to recover your account.

content/docker-id/_index.md

@@ -45,7 +45,7 @@ You can also sign in through the CLI using the `docker login` command. For more
 > When you use the `docker login` command, your credentials are
 stored in your home directory in `.docker/config.json`. The password is base64-encoded in this file.
 >
-> We recommend using one of the [Docker credential helpers](https://github.com/docker/docker-credential-helpers) for secure storage of passwords. For extra security, you can also use a [personal access token](../docker-hub/access-tokens.md) to log in instead, which is still encoded in this file (without a Docker credential helper) but doesn't allow admin actions (such as changing the password).
+> We recommend using one of the [Docker credential helpers](https://github.com/docker/docker-credential-helpers) for secure storage of passwords. For extra security, you can also use a [personal access token](../security/for-developers/access-tokens.md) to log in instead, which is still encoded in this file (without a Docker credential helper) but doesn't allow admin actions (such as changing the password).
 { .warning }
 
 ## Troubleshooting

content/includes/admin-early-access.md

@@ -2,5 +2,5 @@
 >
 > Docker Admin is an [early access](/release-lifecycle#early-access-ea) product.
 >
-> It's currently available to all company owners and organization owners that have a Docker Business or Docker Team subscription. You can still manage companies and organizations in Docker Hub. For details about managing companies or organizations in Docker Hub, see [Administration and security](/docker-hub/admin-overview/).
+> It's currently available to all company owners and organization owners that have a Docker Business or Docker Team subscription. You can still manage companies and organizations in Docker Hub. For details about managing companies or organizations in Docker Hub, see [Administration](/docker-hub/admin-overview/).
 { .restricted }

content/includes/gha-tutorial.md

@@ -23,7 +23,7 @@ Create a GitHub repository and configure the Docker Hub secrets.
 3. Create a new secret named `DOCKERHUB_USERNAME` and your Docker ID as value.
 
 4. Create a new
-   [Personal Access Token (PAT)](/docker-hub/access-tokens/#create-an-access-token)
+   [Personal Access Token (PAT)](/security/for-developers/access-tokens/#create-an-access-token)
    for Docker Hub. You can name this token `clockboxci`.
 
 5. Add the PAT as a second secret in your GitHub repository, with the name

content/language/dotnet/configure-ci-cd.md

@@ -28,7 +28,7 @@ Create a GitHub repository, configure the Docker Hub secrets, and push your sour
 3. Create a new secret named `DOCKER_USERNAME` and your Docker ID as value.
 
 4. Create a new [Personal Access Token
-   (PAT)](/docker-hub/access-tokens/#create-an-access-token) for Docker Hub. You
+   (PAT)](/security/for-developers/access-tokens/#create-an-access-token) for Docker Hub. You
    can name this token `tutorial-docker`.
 
 5. Add the PAT as a second secret in your GitHub repository, with the name

content/language/nodejs/configure-ci-cd.md

@@ -28,7 +28,7 @@ Create a GitHub repository, configure the Docker Hub secrets, and push your sour
 3. Create a new secret named `DOCKER_USERNAME` and your Docker ID as value.
 
 4. Create a new [Personal Access Token
-   (PAT)](/docker-hub/access-tokens/#create-an-access-token) for Docker Hub. You
+   (PAT)](/security/for-developers/access-tokens/#create-an-access-token) for Docker Hub. You
    can name this token `node-docker`.
 
 5. Add the PAT as a second secret in your GitHub repository, with the name

content/security/_index.md

@@ -0,0 +1,74 @@
+---
+description: Learn about security features Docker has to offer and explore best practices
+keywords: docker, docker hub, docker desktop, security
+title: Security
+grid_admins:
+- title: Settings Management
+  description: Learn how Settings Management can secure your developers' workflows.
+  icon: shield_locked
+  link: /desktop/hardened-desktop/settings-management/
+- title: Enhanced Container Isolation
+  description: Understand how Enhanced Container Isolation can prevent container attacks.
+  icon: security
+  link: /desktop/hardened-desktop/enhanced-container-isolation/
+- title: Registry Access Management
+  description: Control the registries developers can access while using Docker Desktop.
+  icon: home_storage
+  link: /security/for-admins/registry-access-management/
+- title: Image Access Management
+  description: Control the images developers can pull from Docker Hub.
+  icon: photo_library
+  link: /security/for-admins/image-access-management/
+- title: Enforce sign-in
+  description: Configure sign-in for members of your teams and organizations.
+  link: /security/for-admins/configure-sign-in/
+  icon: passkey
+- title: Domain audit
+  description: Identify uncaptured users in your organization.
+  link: /security/for-admins/domain-audit/
+  icon: person_search
+- title: Docker Scout
+  description: Explore how Docker Scout can help you create a more secure software supply chain.
+  icon: query_stats
+  link: /scout/
+grid_developers: 
+- title: Set up two-factor authentication
+  description: Add an extra layer of authentication to your Docker account.
+  link: /security/for-developers/2fa/
+  icon: phonelink_lock
+- title: Manage access tokens
+  description: Create personal access tokens as an alternative to your password.
+  icon: password
+  link: /security/for-developers/access-tokens/
+- title: Static vulnerability scanning
+  description: Automatically run a point-in-time scan on your Docker images for vulnerabilities.
+  icon: image_search
+  link: /docker-hub/vulnerability-scanning/
+- title: Docker Engine security
+  description: Understand how to keep Docker Engine secure.
+  icon: security
+  link: /engine/security/
+- title: Secrets in Docker Compose
+  description: Learn how to use secrets in Docker Compose.
+  icon: privacy_tip
+  link: /compose/use-secrets/
+---
+
+Docker provides security guardrails for both administrators and developers. 
+
+If you are an administrator, you can enforce sign in across Docker products for your developers, and 
+scale, manage, and secure your instances of Docker Desktop with DevOps security controls like Enhanced Container Isolation and Registry Access Management. 
+
+For both administrators and developers, Docker provides security-specific products such as Docker Scout, for securing your software supply chain with proactive image vulnerability monitoring and remediation strategies. 
+
+## For administrators
+
+Explore the security features Docker offers to satisfy your company's security policies.
+
+{{< grid grid_admins >}} 
+
+## For developers
+
+See how you can protect your local environments, infrastructure, and networks without impeding productivity.
+
+{{< grid grid_developers >}}  

content/security/for-admins/configure-sign-in.md

@@ -3,13 +3,15 @@ description: Configure registry.json to enforce users to sign into Docker Deskto
 toc_max: 2
 keywords: authentication, registry.json, configure,
 title: Enforce sign-in for Desktop
+aliases:
+- /docker-hub/configure-sign-in/
 ---
 
 By default, members of your organization can use Docker Desktop without signing
 in. When users don’t sign in as a member of your organization, they don’t
 receive the [benefits of your organization’s
-subscription](../subscription/details.md) and they can circumvent [Docker’s
-security features](../desktop/hardened-desktop/_index.md) for your organization.
+subscription](../../subscription/details.md) and they can circumvent [Docker’s
+security features](../../desktop/hardened-desktop/_index.md) for your organization.
 
 To ensure members of your organization always sign in, you can deploy a
 `registry.json` configuration file to the machines of your users.
@@ -21,7 +23,7 @@ following occurs:
 
 - The following **Sign in required!** prompt appears requiring the user to sign
   in as a member of your organization to use Docker Desktop. ![Enforce Sign-in
-  Prompt](./images/enforce-sign-in.png?w=400)
+  Prompt](../images/enforce-sign-in.png?w=400)
 - When a user signs in to an account that isn’t a member of your organization,
   they will be automatically signed out and can’t use Docker Desktop. The user
   can select **Sign in** and try again.
@@ -35,13 +37,13 @@ following occurs:
 > Enforcing sign-in to Docker Desktop isn't the same as enforcing SSO. To ensure
 > that your users always sign in using their SSO credentials, you must also
 > enforce SSO. For more details, see [Single Sign-On
-> overview](../single-sign-on/_index.md).
+> overview](../../single-sign-on/_index.md).
 
 
 ## Create a registry.json file to enforce sign-in
 
 1. Ensure that the user is a member of your organization in Docker. For more
-details, see [Manage members](https://docs.docker.com/docker-hub/members/).
+details, see [Manage members](../../docker-hub/members.md).
 
 2. Create the `registry.json` file.
 

content/security/for-admins/domain-audit.md

@@ -0,0 +1,45 @@
+---
+description: Audit your domains for uncaptured users.
+keywords: domain audit, security
+title: Domain audit
+aliases:
+- /docker-hub/domain-audit/
+- /admin/company/settings/domains/
+- /admin/organization/security-settings/domains/
+---
+
+Domain audit identifies uncaptured users in an organization. Uncaptured users are Docker users who have authenticated to Docker using an email address associated with one of your verified domains, but they're not a member of your organization in Docker. You can audit domains on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/).
+
+Uncaptured users who access Docker Desktop in your environment may pose a security risk because your organization's security settings, like Image Access Management and Registry Access Management, aren't applied to a user's session. In addition, you won't have visibility into the activity of uncaptured users. You can add uncaptured users to your organization to gain visibility into their activity and apply your organization's security settings.
+
+Domain audit can't identify the following Docker users in your environment:
+
+- Users who access Docker Desktop without authenticating
+- Users who authenticate using an account that doesn't have an email address associated with one of your verified domains
+
+Although domain audit can't identify all Docker users in your environment, you can enforce sign-in to prevent unidentifiable users from accessing Docker Desktop in your environment. For more details about enforcing sign-in, see [Configure registry.json to enforce sign-in](configure-sign-in.md).
+
+## Prerequisites
+
+Before you audit your domains, the following prerequisites are required:
+
+- Your organization must be part of a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../../subscription/upgrade.md).
+- You must add and verify your domains.
+
+## Audit your domains for uncaptured users
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-domain-audit product="hub" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-domain-audit product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}
+

content/security/for-admins/image-access-management.md

@@ -0,0 +1,38 @@
+---
+description: Image Access Management
+keywords: image, access, management
+title: Image Access Management
+aliases:
+- /docker-hub/image-access-management/
+- /desktop/hardened-desktop/image-access-management/
+- /admin/organization/image-access/
+---
+
+> Note
+>
+> Image Access Management is available to [Docker Business](../../subscription/details.md) customers only.
+
+Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub.
+
+For example, a developer, who is part of an organization, building a new containerized application could accidentally use an untrusted, community image as a component of their application. This image could be malicious and pose a security risk to the company. Using Image Access Management, the organization owner can ensure that the developer can only access trusted content like Docker Official Images, Docker Verified Publisher Images, or the organization’s own images, preventing such a risk.
+
+## Prerequisites
+
+You need to [configure a registry.json to enforce sign-in](configure-sign-in.md). For Image Access Management to take effect, Docker Desktop users must authenticate to your organization.
+
+## Configure Image Access Management permissions
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-image-access product="hub" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-image-access product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}

content/security/for-admins/registry-access-management.md

@@ -0,0 +1,60 @@
+---
+description: Registry Access Management
+keywords: registry, access, management
+title: Registry Access Management
+aliases:
+- /desktop/hardened-desktop/registry-access-management/
+- /admin/organization/registry-access/
+---
+
+> Note
+>
+> Registry Access Management is available to [Docker Business](../../subscription/details.md) customers only. 
+
+With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub. 
+
+Registry Access Management supports both cloud and on-prem registries. Example registries administrators can allow include: 
+ - Docker Hub. This is enabled by default.
+ - Amazon ECR
+ - GitHub Container Registry
+ - Google Container Registry
+ - Nexus
+ - Artifactory
+
+## Prerequisites 
+
+You need to [configure a registry.json to enforce sign-in](/docker-hub/configure-sign-in/). For Registry Access Management to take effect, Docker Desktop users must authenticate to your organization.
+
+## Configure Registry Access Management permissions
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-registry-access product="hub" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-registry-access product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}
+
+## Verify the restrictions
+
+The new Registry Access Management policy takes effect after the developer successfully authenticates to Docker Desktop using their organization credentials. If a developer attempts to pull an image from a disallowed registry via the Docker CLI, they receive an error message that the organization has disallowed this registry.
+
+## Caveats
+
+There are certain limitations when using Registry Access Management; they are as follows:
+
+- Windows image pulls, and image builds are not restricted
+- Builds such as `docker buildx` using a Kubernetes driver are not restricted
+- Builds such as `docker buildx` using a custom docker-container driver are not restricted
+- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull”
+- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series)
+- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel)
+
+Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop.

content/security/for-developers/2fa/_index.md

@@ -3,6 +3,8 @@ description: Enabling two-factor authentication on Docker Hub
 keywords: Docker, docker, registry, security, Docker Hub, authentication, two-factor
   authentication
 title: Enable two-factor authentication for Docker Hub
+aliases:
+- /docker-hub/2fa/
 ---
 
 Two-factor authentication adds an extra layer of security to your Docker Hub

content/security/for-developers/2fa/disable-2fa.md

@@ -3,6 +3,8 @@ description: Disable two-factor authentication on Docker Hub
 keywords: Docker, docker, registry, security, Docker Hub, authentication, two-factor
   authentication
 title: Disable two-factor authentication on Docker Hub
+aliases: 
+- /docker-hub/2fa/disable-2fa/
 ---
 
 > **Warning**

content/security/for-developers/2fa/new-recovery-code.md

@@ -3,6 +3,8 @@ description: Generate a new 2fa recovery code
 keywords: Docker, docker, registry, security, Docker Hub, authentication, two-factor
   authentication
 title: Generate a new recovery code
+aliases:
+- /docker-hub/2fa/new-recovery-code/
 ---
 
 If you have lost your two-factor authentication recovery code and still have

content/security/for-developers/2fa/recover-hub-account.md

@@ -3,6 +3,8 @@ description: Recover your Docker account
 keywords: Docker, docker, registry, security, Docker Hub, authentication, two-factor
   authentication
 title: Recover your Docker account
+aliases:
+- /docker-hub/2fa/recover-hub-account/
 ---
 
 If you have lost access to both your two-factor authentication application and your recovery code:

content/security/for-developers/access-tokens.md

@@ -3,6 +3,8 @@ title: Create and manage access tokens
 description: Learn how to create and manage your personal Docker Hub access tokens
   to securely push and pull images programmatically.
 keywords: docker hub, hub, security, PAT, personal access token
+aliases: 
+- /docker-hub/access-tokens/
 ---
 
 If you are using the [Docker Hub CLI](https://github.com/docker/hub-tool#readme)

content/single-sign-on/enforcement-faqs.md

@@ -18,7 +18,7 @@ Yes. You must verify a domain before using it with an SSO connection.
 
 ### Does Docker SSO support authenticating through the command line?
 
-Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs).  Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../docker-hub/access-tokens.md).
+Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs).  Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../security/for-developers/access-tokens.md).
 
 ### How does SSO affect our automation systems and CI/CD pipelines?
 
@@ -60,5 +60,5 @@ No. They are different features that you can use separately or together.
 Enforcing SSO ensures that users sign in using their SSO credentials instead of their Docker ID. One of the benefits is that SSO enables you to better manage user credentials.
 
 Enforcing sign-in to Docker Desktop ensures that users always sign in to an
-account that's a member of your organization. The benefits are that your organization's security settings are always applied to the user's session and your users always receive the benefits of your subscription. For more details, see [Enforce sign-in for Desktop](../docker-hub/configure-sign-in.md).
+account that's a member of your organization. The benefits are that your organization's security settings are always applied to the user's session and your users always receive the benefits of your subscription. For more details, see [Enforce sign-in for Desktop](../security/for-admins/configure-sign-in.md).
 

content/single-sign-on/users-faqs.md

@@ -32,7 +32,7 @@ If users attempt to sign in through the CLI, they must authenticate using a pers
 
 ### Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their company’s domain?
 
-Yes. Admins can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../docker-hub/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file.
+Yes. Admins can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../security/for-admins/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file.
 
 Once SSO enforcement is set up on their Docker Business organization or company on Hub, when the user is forced to authenticate with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password).
 

content/subscription/details.md

@@ -13,7 +13,7 @@ Docker Personal (formerly Docker Free) is ideal for open-source communities, ind
 Docker Personal includes:
 
 - Unlimited public repositories
-- Unlimited [Scoped Access Tokens](../docker-hub/access-tokens.md)
+- Unlimited [Scoped Access Tokens](../security/for-developers/access-tokens.md)
 - Unlimited [collaborators](../docker-hub/repos/access/index.md#collaborators-and-their-role) for public repositories at no cost per month.
 
 Additionally, anonymous users get 100 pulls every 6 hours and users that sign in to Docker get 200 pulls every 6 hours. 
@@ -55,8 +55,8 @@ For a list of features available in each tier, see [Docker Pricing](https://www.
 Docker Business includes:
 - Everything included in Docker Team
 - [Hardened Docker Desktop](../desktop/hardened-desktop/index.md) 
-- [Image Access Management](../docker-hub/image-access-management.md) which lets admins control what content developers can access
-- [Registry Access Management](../desktop/hardened-desktop/registry-access-management.md) which lets admins control what registries developers can access
+- [Image Access Management](../security/for-admins/image-access-management.md) which lets admins control what content developers can access
+- [Registry Access Management](../security/for-admins/registry-access-management.md) which lets admins control what registries developers can access
 - [Company layer](../docker-hub/creating-companies.md) to manage multiple organizations and settings
 - [Single Sign-On](../single-sign-on/index.md)
 - [System for Cross-domain Identity Management](../docker-hub/scim.md) and more.

data/redirects.yml

@@ -81,7 +81,7 @@
 # provide a short, permanent link to refer to a topic in the documentation.
 # For example, the docker CLI can output https://docs.docker.com/go/some-topic
 # in its help output, which can be redirected to elsewhere in the documentation.
-"/docker-hub/access-tokens/":
+"/security/for-developers/access-tokens/":
   - /go/access-tokens/
 "/desktop/mac/apple-silicon/":
   - /go/apple-silicon/

data/toc.yaml

@@ -1200,10 +1200,6 @@ Manuals:
             title: Key features and benefits
           - path: /desktop/hardened-desktop/enhanced-container-isolation/faq/
             title: FAQs and known issues
-        - path: /desktop/hardened-desktop/registry-access-management/
-          title: Registry Access Management
-        - path: /desktop/hardened-desktop/image-access-management/
-          title: Image Access Management
     - sectiontitle: Dev Environments (Beta)
       section:
         - path: /desktop/dev-environments/
@@ -2058,8 +2054,6 @@ Manuals:
       title: Manage users
     - path: /admin/company/owners/
       title: Manage company owners
-    - path: /admin/company/settings/domains/
-      title: Domain management
     - sectiontitle: SSO & SCIM
       section:
       - path: /admin/company/settings/sso/
@@ -2083,14 +2077,8 @@ Manuals:
       title: Manage members
     - path: /admin/organization/activity-logs/
       title: Activity logs
-    - path: /admin/organization/image-access/
-      title: Image Access Management
-    - path: /admin/organization/registry-access/
-      title: Registry Access Management
     - path: /admin/organization/general-settings/
       title: General settings
-    - path: /admin/organization/security-settings/domains/
-      title: Domain management
     - sectiontitle: SSO & SCIM
       section:
       - path: /admin/organization/security-settings/sso/
@@ -2104,7 +2092,7 @@ Manuals:
       - path: /admin/organization/security-settings/group-mapping/
         title: Group mapping
 
-- sectiontitle: Administration and security
+- sectiontitle: Administration 
   section:
   - path: /docker-hub/admin-overview/
     title: Overview
@@ -2140,30 +2128,42 @@ Manuals:
     title: SCIM
   - path: /docker-hub/group-mapping/
     title: Group mapping
-  - sectiontitle: Security and authentication
-    section:
-      - path: /docker-hub/access-tokens/
-        title: Create and manage access tokens
-      - sectiontitle: Two-factor authentication
-        section:
-          - path: /docker-hub/2fa/
-            title: Enable two-factor authentication
-          - path: /docker-hub/2fa/disable-2fa/
-            title: Disable two-factor authentication
-          - path: /docker-hub/2fa/recover-hub-account/
-            title: Recover your Docker Hub account
-          - path: /docker-hub/2fa/new-recovery-code/
-            title: Generate a new recovery code
-  - path: /docker-hub/configure-sign-in/
-    title: Enforce sign-in for Desktop
   - path: /docker-hub/audit-log/
     title: Audit logs
-  - path: /docker-hub/domain-audit/
-    title: Domain audit
-  - path: /docker-hub/image-access-management/
-    title: Image Access Management
   - path: /docker-hub/deactivate-account/
     title: Deactivate an account or organization
+
+- sectiontitle: Security
+  section:
+  - path: /security/
+    title: Overview
+  - sectiontitle: For admins
+    section:
+    - path: /security/for-admins/configure-sign-in/
+      title: Enforce sign in
+    - path: /security/for-admins/domain-audit/
+      title: Domain audit
+    - path: /security/for-admins/image-access-management/
+      title: Image Access Management
+    - path: /security/for-admins/registry-access-management/
+      title: Registry Access Management
+  - sectiontitle: For developers
+    section:
+    - path: /security/for-developers/access-tokens/
+      title: Create and manage access tokens
+    - sectiontitle: Two-factor authentication
+      section:
+      - path: /security/for-developers/2fa/
+        title: Enable two-factor authentication 
+      - path: /security/for-developers/2fa/disable-2fa/
+        title: Disable two-factor authentication
+      - path: /security/for-developers/2fa/recover-hub-account/
+        title: Recover your Docker Hub account
+      - path: /security/for-developers/2fa/new-recovery-code/
+        title: Generate a new recovery code
+  - path: /security/security-announcements/
+    title: Security announcements
+
 - sectiontitle: Billing
   section:
   - path: /billing/
@@ -2212,9 +2212,6 @@ Manuals:
   - path: /trusted-content/insights-analytics/
     title: Insights and analytics
 
-- title: Security announcements
-  path: /security/
-
 - sectiontitle: Open-source projects
   section:
   - sectiontitle: Docker Registry

layouts/shortcodes/admin-domain-audit.md

@@ -12,24 +12,6 @@
   {{ $invite_link = "[Invite members](/admin/organization/members/)" }}
 {{ end }}
 
-Domain audit identifies uncaptured users in an organization. Uncaptured users are Docker users who have authenticated to Docker using an email address associated with one of your verified domains, but they're not a member of your organization in Docker. You can audit domains on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/).
-
-Uncaptured users who access Docker Desktop in your environment may pose a security risk because your organization's security settings, like Image Access Management and Registry Access Management, aren't applied to a user's session. In addition, you won't have visibility into the activity of uncaptured users. You can add uncaptured users to your organization to gain visibility into their activity and apply your organization's security settings.
-
-Domain audit can't identify the following Docker users in your environment:
-
-- Users who access Docker Desktop without authenticating
-- Users who authenticate using an account that doesn't have an email address associated with one of your verified domains
-
-Although domain audit can't identify all Docker users in your environment, you can enforce sign-in to prevent unidentifiable users from accessing Docker Desktop in your environment. For more details about enforcing sign-in, see [Configure registry.json to enforce sign-in](/docker-hub/configure-sign-in/).
-
-### Audit your domains for uncaptured users
-
-Before you audit your domains, the following prerequisites are required:
-
-- Your organization must be part of a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/).
-- You must add and verify your domains.
-
 To audit your domains:
 
 1. Sign in to {{ $product_link }}.

layouts/shortcodes/admin-image-access.html

@@ -6,20 +6,6 @@
   {{ $iam_navigation = "Select your organization in the left navigation drop-down menu, and then select **Image Access**." }}
 {{ end }}
 
-> Note
->
-> Image Access Management is available to [Docker Business](/subscription/details/) customers only.
-
-Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub.
-
-For example, a developer, who is part of an organization, building a new containerized application could accidentally use an untrusted, community image as a component of their application. This image could be malicious and pose a security risk to the company. Using Image Access Management, the organization owner can ensure that the developer can only access trusted content like Docker Official Images, Docker Verified Publisher Images, or the organization’s own images, preventing such a risk.
-
-## Prerequisites
-
-You need to [configure a registry.json to enforce sign-in](/docker-hub/configure-sign-in/). For Image Access Management to take effect, Docker Desktop users must authenticate to your organization.
-
-## Configure Image Access Management permissions
-
 1. Sign in to {{ $product_link }}.
 2. {{ $iam_navigation }}
 3. Enable Image Access Management to set the permissions for the following categories of images you can manage:

layouts/shortcodes/admin-registry-access.html

@@ -1,34 +1,12 @@
 {{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
-{{ $ram_navigation := "Select your organization in the left navigation drop-down menu, and then select **Registry Access**." }}
 {{ if eq (.Get "product") "admin" }}
   {{ $product_link = "[Docker Admin](https://admin.docker.com)" }}
-  {{ $ram_navigation = "Select **Organizations**, your organization, **Settings**, and then select **Registry Access**." }}
 {{ end }}
 
-> Note
->
-> Registry Access Management is available to Docker Business customers only. 
-
-With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub. 
-
-Registry Access Management supports both cloud and on-prem registries. Example registries administrators can allow include: 
- - Docker Hub. This is enabled by default.
- - Amazon ECR
- - GitHub Container Registry
- - Google Container Registry
- - Nexus
- - Artifactory
-
-## Prerequisites 
-
-You need to [configure a registry.json to enforce sign-in](/docker-hub/configure-sign-in/). For Registry Access Management to take effect, Docker Desktop users must authenticate to your organization.
-
-## Configure Registry Access Management permissions
-
 To configure Registry Access Management permissions, perform the following steps:
 
 1. Sign in to {{ $product_link }}.
-2. {{ $ram_navigation }}
+2. Select **Organizations**, your organization, **Settings**, and then select **Registry Access**.
 3. Enable Registry Access Management to set the permissions for your registry.
 
    > **Note**
@@ -46,20 +24,3 @@ To configure Registry Access Management permissions, perform the following steps
    >
    > Since RAM sets policies about where content can be fetched from, the [ADD](/engine/reference/builder/#add) instruction of the Dockerfile, when the parameter of the ADD instruction is a URL, is also subject to registry restrictions. It's recommended that you add the domains of URL parameters to the list of allowed registry addresses under the Registry Access Management settings of your organization.
    { .tip }
-
-## Verify the restrictions
-
-The new Registry Access Management policy takes effect after the developer successfully authenticates to Docker Desktop using their organization credentials. If a developer attempts to pull an image from a disallowed registry via the Docker CLI, they receive an error message that the organization has disallowed this registry.
-
-## Caveats
-
-There are certain limitations when using Registry Access Management; they are as follows:
-
-- Windows image pulls, and image builds are not restricted
-- Builds such as `docker buildx` using a Kubernetes driver are not restricted
-- Builds such as `docker buildx` using a custom docker-container driver are not restricted
-- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull”
-- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series)
-- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel)
-
-Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop.