docs/docker-hub/vulnerability-scanning.md

---
description: Hub Basic vulnerability scanning
keywords: scanning, vulnerabilities, Hub, basic
title: Basic vulnerability scanning
---
> **Note**
>
> Hub Vulnerability Scanning requires a
> [Docker Pro, Team, or Business subscription](../subscription/index.md).

Docker Hub vulnerability scanning lets you automatically scan Docker images for
vulnerabilities. When you push an image to a Docker Hub repository after turning
on vulnerability scanning, Docker Hub automatically scans the image and reports
the vulnerabilities it identifies. Vulnerability Scanning lets you review the
security state of your images and take action to fix the issues identified
during the scan, resulting in more secure deployments.

Scan results include:

- The source of the vulnerability, such as Operating System (OS) packages and
  libraries
- The package version in which it was introduced
- A recommended fixed version, if available, to remediate the vulnerabilities
  discovered.
## Changes to vulnerability scanning in Docker Hub
From February 27th, 2023, Docker began rolling out changes to the technology
that supports the Docker Hub Vulnerability Scanning feature. Docker Hub
Vulnerability Scanning is now powered natively by Docker, instead of a
third-party.

As a result of this change, scanning detects vulnerabilities at a more granular
level than before, so vulnerability reports may list a higher number of
vulnerabilities. If you used vulnerability scanning before February 27th, 2023,
new reports may list more vulnerabilities than earlier reports for the same
image; the difference can come from the more thorough analysis rather than from
a change in the image.

There is no action required on your part. Scans continue to run as usual
with no interruption or changes to pricing. Historical data continues to be
available.

This page describes the Basic Hub vulnerability scanning feature. Docker Scout
also supports an [Advanced image analysis](../scout/advanced-image-analysis.md)
feature that provides more in-depth results and guided remediation steps for
improving your security posture.
## Scan images with Basic vulnerability scanning
Repository owners and administrators on a Docker Pro, Team, or Business
subscription can turn Basic vulnerability scanning on and off. When scanning is
active on a repository, anyone with push access can trigger a scan by pushing an
image to Docker Hub.

Additionally, repository owners in a Docker Pro subscription and team members in
a Team or Business subscription can view the detailed scan reports.
> **Note**
>
> Basic vulnerability scanning supports only images that are built for the
> AMD64 architecture and Linux OS and are smaller than 10 GB.
### Turn on Basic vulnerability scanning
Repository owners and administrators can enable Basic vulnerability scanning on
a repository. If you are a member of a Team or Business subscription, ensure
that the repository you want to enable scanning on is part of that Team or
Business subscription.

To enable Basic vulnerability scanning:
1. Sign in to your [Docker Hub](https://hub.docker.com){: target="_blank"
rel="noopener" class="_"} account.
2. Select **Repositories** and then choose a repository.
3. Go to the **Settings** tab.
4. Under **Image insight settings**, select **Basic Hub vulnerability
scanning**.
5. Select **Save**.
### Scan an image
To scan an image for vulnerabilities, push it to a Docker Hub repository on
which you have turned on scanning:

1. Ensure you have installed Docker locally. See [Get Docker](../get-docker.md)
   to download and install Docker on your local machine.
2. Use the command line to log into your Docker account. See
   [`docker login`](../engine/reference/commandline/login.md) for more
   information.
3. Tag the image to scan. For example, to tag a Redis image, run:

   ```console
   $ docker tag redis <your-Docker-ID>/<your-repo-name>:latest
   ```

4. Push the image to Docker Hub to trigger Basic vulnerability scanning on the
   image:

   ```console
   $ docker push <your-Docker-ID>/<your-repo-name>:latest
   ```
## View the vulnerability report
To view the vulnerability report:

1. Go to [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener"
   class="_"} and open the repository page to view a summary of the Basic
   vulnerability scanning report.

   It may take a couple of minutes for the vulnerability report to appear in
   your repository.

   ![Vulnerability scan report](images/vuln-scan-report.png){:width="700px"}

2. Select the **Tags** tab, then **Digest**, then **Vulnerabilities** to view the
   detailed scan report.

   The scan report lists the vulnerabilities identified by the scan, sorted by
   severity with the highest severity at the top. For each vulnerability it
   shows the package that contains it, the version in which it was introduced,
   and whether a later version fixes it.

   ![Vulnerability scan details](images/vuln-scan-details.png){:width="700px"}

For more information on this view, see
[Image details view](../scout/image-details-view.md).
### Inspect vulnerabilities
The report orders findings by severity, highest first, so you can triage the
most severe findings first and check for each one whether a fixed version is
listed, which tells you whether a package upgrade would resolve it.

The vulnerability scan report also lets development teams and security leads
compare vulnerability counts across tags to see whether the vulnerabilities are
decreasing or increasing over time. Because the scanning technology changed on
February 27th, 2023, a higher count on a tag scanned after that date than on a
tag scanned before it can reflect the more thorough analysis rather than a
change in the image.
### Fix vulnerabilities
Once vulnerabilities have been identified, there are several actions you can
take to remediate them. For example, you can:

1. Specify an updated base image in the Dockerfile, check your application-level
   dependencies, rebuild the Docker image, and then push the new image to Docker
   Hub.
2. Rebuild the Docker image, run an update command on the OS packages, and push
   a newer version of the image to Docker Hub.
3. Edit the Dockerfile to manually remove or update specific libraries that
   contain vulnerabilities, rebuild the image, and push the new image to Docker
   Hub.

Each push triggers a fresh scan, so after rebuilding you can open the report for
the new tag and confirm that the count went down.
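All three options above are changes to the Dockerfile. The following Dockerfile
is an added example, not code from this page or from Docker: it assumes a Python
application on a Debian-based `python` image with a `requirements.txt` that pins
exact dependency versions, and the base tag `python:3.12-slim-bookworm` is the
assumed pinned base. The commented-out block at the top is the weak form; the
rest is the same image rebuilt to apply options 1 and 2, with the application
dependencies pinned so that option 3 becomes an explicit edit to one file. It
also pins the platform to `linux/amd64`, so the image you push is one that Basic
vulnerability scanning can process.

```dockerfile
# Weak form, kept as a comment for comparison: a floating base tag, OS
# packages left exactly as the base image shipped them, and unpinned
# application dependencies. Every rebuild picks up whatever "python:3"
# resolves to that day, and nothing ever applies the distribution's fixes.
#
#   FROM python:3
#   COPY . /app
#   RUN pip install -r /app/requirements.txt
#   CMD ["python", "/app/main.py"]

# Hardened form.
# Option 1: pin the base image to a specific release (tag assumed for this
# example) and move to a newer release deliberately with --build-arg.
# ARG is the only instruction allowed before FROM.
ARG BASE_IMAGE=python:3.12-slim-bookworm

# Pin the platform so the pushed image is Linux/AMD64, which is what Basic
# vulnerability scanning supports.
FROM --platform=linux/amd64 ${BASE_IMAGE}

# Option 2: apply the base distribution's package updates at build time
# (the python slim images are Debian-based, hence apt-get), then remove the
# package lists so they are not baked into the layer.
RUN apt-get update \
 && apt-get upgrade -y --no-install-recommends \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Option 3 at the application layer: install only the pinned versions in
# requirements.txt (assumed to exist next to this Dockerfile). Upgrading or
# removing a vulnerable library is then a reviewable change to that file
# rather than an accident of what pip resolved at build time.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY . .
CMD ["python", "main.py"]
```

Rebuild with `docker build --pull -t <your-Docker-ID>/<your-repo-name>:<new-tag> .`
and push the result; add `--build-arg BASE_IMAGE=<newer-tag>` when you want to
move to a newer base release. `--pull` makes the build fetch the current digest
behind the pinned tag, which is how the base image's own security fixes reach
your image without a Dockerfile change. Push to a new tag rather than
overwriting the old one, so the earlier report stays available and you can
compare the counts across tags.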
Docker Scout can provide you with concrete and contextual remediation steps for
improving image security. For more information, see
[Docker Scout](../scout/index.md).
### Turn off Basic vulnerability scanning
Repository owners and administrators can disable Basic vulnerability scanning on
a repository. To disable scanning:
1. Sign in to your [Docker Hub](https://hub.docker.com){: target="_blank"
rel="noopener" class="_"} account.
2. Go to **Repositories** and then select a repository from the list.
3. Go to the **Settings** tab.
4. Under **Image insight settings**, select **None**.
5. Select **Save**.