---
description: Learn about vulnerability scanning and Docker Scout image analysis in Docker Hub.
keywords: scanning, vulnerabilities, Hub, static
title: Image security insights
weight: 70
aliases:
- /docker-hub/vulnerability-scanning/
---

Strengthen the security of your Docker images with Docker Hub's image security
insights. Docker Hub lets you perform either point-in-time static vulnerability
scanning or always up-to-date image analysis using Docker Scout.

## Docker Scout image analysis

After turning on Docker Scout image analysis, Docker Scout automatically
analyzes images in your Docker Hub repository.

Image analysis extracts the Software Bill of Materials (SBOM) and other image
metadata, and evaluates it against vulnerability data from security advisories.

The following sections describe how to turn Docker Scout image analysis on or
off for a Docker Hub repository. For more details about image analysis, see
[Docker Scout](/manuals/scout/_index.md).

### Turn on Docker Scout image analysis

1. Sign in to [Docker Hub](https://hub.docker.com).
2. Select **My Hub** > **Repositories**.

   A list of your repositories appears.

3. Select a repository.

   The **General** page for the repository appears.

4. Select the **Settings** tab.
5. Under **Image security insight settings**, select **Docker Scout image analysis**.
6. Select **Save**.

### Turn off Docker Scout image analysis

1. Sign in to [Docker Hub](https://hub.docker.com).
2. Select **My Hub** > **Repositories**.

   A list of your repositories appears.

3. Select a repository.

   The **General** page for the repository appears.

4. Select the **Settings** tab.
5. Under **Image security insight settings**, select **None**.
6. Select **Save**.

## Static vulnerability scanning

> [!NOTE]
>
> Docker Hub static vulnerability scanning requires a Docker Pro, Team, or
> Business subscription.

When you push an image to a Docker Hub repository after turning on static
scanning, Docker Hub automatically scans the image to identify vulnerabilities.
The scan results show the security state of your images at the time when the
scan was run.

Scan results include:

- The source of the vulnerability, such as Operating System (OS) packages and
  libraries
- The version in which it was introduced
- A recommended fixed version, if available, to remediate the vulnerabilities
  discovered

### Changes to static scanning in Docker Hub

From February 27th, 2023, Docker changed the technology that supports the
Docker Hub static scanning feature. Static scanning is now powered natively by
Docker instead of by a third party.

As a result of this change, scanning now detects vulnerabilities at a more
granular level than before. This in turn means that vulnerability reports may
show a higher number of vulnerabilities. If you used vulnerability scanning
before February 27th, 2023, you may see that new vulnerability reports list a
higher number of vulnerabilities, due to the more thorough analysis.

There is no action required on your part. Scans continue to run as usual with
no interruption or changes to pricing. Historical data continues to be
available.

### Turn on static vulnerability scanning

Repository owners and administrators can enable static vulnerability scanning
on a repository. If you are a member of a Team or Business subscription, ensure
that the repository you want to enable scanning on belongs to the Team or
Business tier.

When scanning is active on a repository, anyone with push access can trigger a
scan by pushing an image to Docker Hub.

To enable static vulnerability scanning:

> [!NOTE]
>
> Static vulnerability scanning supports images that are of the AMD64
> architecture, run a Linux OS, and are less than 10 GB in size.

1. Sign in to [Docker Hub](https://hub.docker.com).
2. Select **My Hub** > **Repositories**.

   A list of your repositories appears.

3. Select a repository.

   The **General** page for the repository appears.

4. Select the **Settings** tab.
5. Under **Image security insight settings**, select **Static scanning**.
6. Select **Save**.

### Scan an image

To scan an image for vulnerabilities, push the image to Docker Hub, to the
repository for which you have turned on scanning.

### View the vulnerability report

To view the vulnerability report:

1. Sign in to [Docker Hub](https://hub.docker.com).
2. Select **My Hub** > **Repositories**.

   A list of your repositories appears.

3. Select a repository.

   The **General** page for the repository appears.

   It may take a couple of minutes for the vulnerability report to appear in
   your repository.

   

4. Select the **Tags** tab, then **Digest**, then **Vulnerabilities** to view the
   detailed scan report.

   The scan report displays the vulnerabilities identified by the scan, sorted
   by severity with the highest severity listed at the top. For each one it
   shows the package that contains the vulnerability, the version in which it
   was introduced, and whether the vulnerability is fixed in a later version.

   

For more information on this view, see
[Image details view](/manuals/scout/explore/image-details-view.md).

### Inspect vulnerabilities

The vulnerability report sorts vulnerabilities based on their severity. It
displays information about the package that contains the vulnerability, the
version in which it was introduced, and whether the vulnerability has been fixed
in a later version.

The vulnerability scan report also allows development teams and security leads
to compare the vulnerability counts across tags to see whether the
vulnerabilities are decreasing or increasing over time.

### Fix vulnerabilities

Once a list of vulnerabilities has been identified, there are several actions
you can take to remediate them. For example, you can:

1. Specify an updated base image in the Dockerfile, check your application-level
   dependencies, rebuild the Docker image, and then push the new image to Docker
   Hub.
2. Rebuild the Docker image, run an update command on the OS packages, and push
   a newer version of the image to Docker Hub.
3. Edit the Dockerfile to manually remove or update specific libraries that
   contain vulnerabilities, rebuild the image, and push the new image to Docker
   Hub.

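
The three remediation actions above applied to one constructed Dockerfile, as an added example that is not part of the Docker documentation. The base image, library name, digest and version values are placeholders: take the digest from the base image's **Tags** page on Docker Hub and the version from the fixed version named in the report.

```dockerfile
# Constructed example: each remediation from the list above, with the pattern
# a scan report keeps flagging shown as a "was:" comment beside its fix.

# 1. Updated base image: a floating tag may or may not pull a patched base on
#    rebuild, so pin the updated image by digest (PLACEHOLDER digest; copy the
#    real one from the Tags view of the base image on Docker Hub).
# was: FROM python:3.12-slim
FROM python:3.12-slim@sha256:<digest-from-docker-hub-tags-page>

# 2. OS package update: installing without upgrading leaves packages at the
#    version the report lists as vulnerable instead of the fixed version.
# was: RUN apt-get update && apt-get install -y curl
RUN apt-get update \
 && apt-get upgrade -y \
 && apt-get install -y --no-install-recommends curl \
 && rm -rf /var/lib/apt/lists/*

# 3. Specific library: an unpinned install resolves to whatever is current;
#    pin the flagged library to the fixed version the report recommends
#    (PLACEHOLDER version). A library the application does not need is
#    removed from the Dockerfile instead, which also removes its findings.
# was: RUN pip install requests
RUN pip install --no-cache-dir "requests==<fixed-version-from-report>"

COPY . /app
CMD ["python", "/app/main.py"]
```

Rebuild and push the image to the repository with scanning turned on; the new tag's report then shows whether the counts moved compared to the previous tag.
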
Docker Scout can provide you with concrete and contextual remediation steps for
improving image security. For more information, see
[Docker Scout](/manuals/scout/_index.md).

### Turn off static vulnerability scanning

Repository owners and administrators can disable static vulnerability scanning
on a repository. To disable scanning:

1. Sign in to [Docker Hub](https://hub.docker.com).
2. Select **My Hub** > **Repositories**.

   A list of your repositories appears.

3. Select a repository.

   The **General** page for the repository appears.

4. Select the **Settings** tab.
5. Under **Image security insight settings**, select **None**.
6. Select **Save**.