docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
docs/docker-hub/vulnerability-scanning.md

6.7 KiB
Raw Blame History

description keywords title
Hub Basic vulnerability scanning scanning, vulnerabilities, Hub, basic Basic vulnerability scanning

Note

Hub Vulnerability Scanning requires a Docker Pro, Team, or Business subscription.

Docker Hub vulnerability scanning lets you automatically scan Docker images for vulnerabilities.

When you push an image to a Docker Hub repository after turning on vulnerability scanning, Docker Hub automatically scans the image to identify vulnerabilities. Vulnerability Scanning lets you review the security state of your images and take actions to fix issues identified during the scan, resulting in more secure deployments.

Scan results include:

  • The source of the vulnerability, such as Operating System (OS) packages and libraries
  • The version which introduced the vulnerability
  • A recommended fixed version (if available) to remediate the vulnerabilities discovered.

Changes to vulnerability scanning in Docker Hub

From February 27th, 2023, Docker began rolling out changes to the technology that supports the Docker Hub Vulnerability Scanning feature. Docker Hub Vulnerability Scanning is now powered natively by Docker, instead of a third-party.

As a result of this change, scanning now detects vulnerabilities at a more granular level than before. This in turn means that vulnerability reports may show a higher number of vulnerabilities. If you used vulnerability scanning before February 27th, 2023, you may see that new vulnerability reports list a higher number of vulnerabilities, due to a more thorough analysis.

There is no action required on your part. Scans will continue to run as usual with no interruption or changes to pricing. Historical data continues to be available.

This page describes the Basic Hub vulnerability scanning feature. Docker Scout also supports an Advanced image analysis feature that provides more in-depth results and guided remediation steps for improving your security posture.

Scan images with Basic vulnerability scanning

Repository owners and administrators of a Docker Pro, Team, or a Business tier can toggle Basic vulnerability scanning. When scanning is active on a repository, anyone with push access can trigger a scan by pushing an image to Docker Hub.

Additionally, repository owners in a Docker Pro subscription and team members in a Team, or a Business subscription can view the detailed scan reports.

Image types supported

Basic vulnerability scanning supports scanning images which are of AMD64 architecture, Linux OS, and are less than 10 GB in size.

Turn on Basic vulnerability scanning

Repository owners and administrators can enable Basic vulnerability scanning on a repository. If you are a member of a Team or a Business subscription, ensure the repository you want to enable scanning on is part of the Team or a Business tier.

To enable Basic vulnerability scanning:

  1. Log into your Docker Hub{: target="blank" rel="noopener" class=""} account.
  2. Select Repositories from the main menu and select a repository from the list.
  3. Select the Settings tab.
  4. Under Image insight settings, select Basic Hub vulnerability scanning.
  5. Select Save.

Scan an image

To scan an image for vulnerabilities, push to the repository for the image to Docker Hub which you have turned on scanning:

  1. Ensure you have installed Docker locally. See Get Docker to download and install Docker on your local machine.

  2. Use the command line to log into your Docker account. See docker login for more information.

  3. Tag the image to scan. For example, to tag a Redis image, run:

    $ docker tag redis <your-Docker-ID>/<your-repo-name>:latest

  4. Push the image to Docker Hub to trigger Basic vulnerability scanning on the image:

    $ docker push <your-Docker-ID>/<your-repo-name>:latest

View the vulnerability report

To view the vulnerability report:

  1. Go to Docker Hub{: target="blank" rel="noopener" class=""} and open the repository page to view a summary of the Basic vulnerability scanning report.

    It may take a couple of minutes for the vulnerability report to appear in your repository.

    Vulnerability scan report{:width="700px"}

  2. Select the Tags tab > Digest > Vulnerabilities to view the detailed scan report.

    The scan report displays the vulnerabilities identified, sorting them according to their severity, with highest severity listed at the top. It displays information about the package that contains the vulnerability, the version that introduced it, and whether a later version fixes the vulnerability.

    Vulnerability scan details{:width="700px"}

For more information on this view, see Image details view.

Inspect vulnerabilities

The scan report displays the vulnerabilities identified, sorting them according to their severity, with highest severity listed at the top. It displays information about the package that contains the vulnerability, the version that introduced it, and whether a later version fixes the vulnerability.

The vulnerability scan report helps development teams and security leads to compare the vulnerability counts across tags to see whether the vulnerabilities are decreasing or increasing over time.

Fix vulnerabilities

Once you have identified a list of vulnerabilities, there are a couple of actions you can take to remediate the vulnerabilities. For example, you can:

  1. Specify an updated base image in the Dockerfile, check your application-level dependencies, rebuild the Docker image, and then push the new image to Docker Hub.
  2. Rebuild the Docker image, run an update command on the OS packages, and push a newer version of image to Docker Hub.
  3. Edit the Dockerfile to manually remove or update specific libraries that contain vulnerabilities, rebuild the image, and push the new image to Docker Hub

Docker Scout can provide you with concrete and contextual remediation steps for improving image security. For more information, see Docker Scout.

Turn off Basic vulnerability scanning

Repository owners and administrators can disable Basic vulnerability scanning on a repository. To disable scanning:

  1. Log into your Docker Hub{: target="blank" rel="noopener" class=""} account.
  2. Select Repositories from the main menu and select a repository from the list.
  3. Select the Settings tab.
  4. Under Image insight settings, select None.
  5. Select Save.