Reputation: 91
I am trying to push a Docker image to Docker Hub in a public repo. How can I make it secure for end users, e.g. maintaining the integrity of the image, etc.? What are the best security practices to follow while pushing an image to a public Docker Hub repository?
Upvotes: 3
Views: 2352
Reputation: 11950
Option One:
You can check the Creating an Official Image section, which says:
From a high level, an Official Image starts out as a proposal in the form of a set of GitHub pull requests. Detailed and objective proposal requirements are documented in the following GitHub repositories:
The Official Images team, with help from community contributors, formally review each proposal and provide feedback to the author. This initial review process may require a bit of back-and-forth before the proposal is accepted.
There are also subjective considerations during the review process. These subjective concerns boil down to the basic question: “is this image generally useful?” For example, the python Official Image is “generally useful” to the larger Python developer community, whereas an obscure text adventure game written in Python last week is not.
Once a new proposal is accepted, the author is responsible for keeping their images up-to-date and responding to user feedback. The Official Repositories team becomes responsible for publishing the images and documentation on Docker Hub. Updates to the Official Image follow the same pull request process, though with less review. The Official Images team ultimately acts as a gatekeeper for all changes, which helps mitigate the risk of quality and security issues from being introduced.
Option Two:
This is a paid service if you are using a private repository.
Use Docker Security Scanning for your public images. From their docs:
Docker Cloud and Docker Hub can scan images in private repositories to verify that they are free from known security vulnerabilities or exposures, and report the results of the scan for each image tag.
Regarding the Security of the Public Docker Images itself:
Docker images don't go through a security audit or testing process, so it's preferred to use the official images, as non-official images might be vulnerable or contain malicious binaries. According to an article published about a year ago, around 17 malicious images belonged to one user; these images were listed on the Docker Hub portal right away, where they remained active between May 2017 and May 2018, when the Docker team finally intervened to pull them down. If you intend to use a non-official image, you use it at your own risk.
Links that you might want to check:
Upvotes: 1
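On the integrity part of the question, the concrete thing a publisher can give end users is the image's content digest (the `sha256:...` value Docker Hub shows and `docker pull image@sha256:...` accepts), so that what they pull is verified against a fixed value rather than a mutable tag. The following Python script is an added example, not code from the question, the answer, or Docker; it shows what a digest pin is checking: the digest is the SHA-256 of the manifest bytes the registry serves, and a pulled image can be compared to a pinned reference via the `RepoDigests` list that `docker inspect` reports. The manifest body, digests and image names below are constructed for illustration and are not real images.

```python
"""Pinning and verifying a Docker image by content digest (added example)."""
from __future__ import annotations

import hashlib
import re

# A Docker/OCI content digest is "sha256:" followed by 64 lowercase hex chars.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def is_valid_digest(digest: str) -> bool:
    return bool(DIGEST_RE.match(digest))


def normalize_reference(ref: str) -> tuple[str, str, str]:
    """Split 'registry/namespace/name@sha256:...' into (registry, repository, digest).

    Applies Docker's naming defaults: no registry -> docker.io, and on docker.io a
    bare name -> library/<name>. So 'nginx@sha256:..' and
    'docker.io/library/nginx@sha256:..' normalize to the same tuple, which is
    needed because `docker inspect` reports Hub images in the short form.
    """
    if "@" not in ref:
        raise ValueError(f"reference has no digest (tags are mutable): {ref}")
    name, digest = ref.rsplit("@", 1)
    if not is_valid_digest(digest):
        raise ValueError(f"malformed digest in {ref}")
    parts = name.split("/")
    first = parts[0]
    # The first path component is a registry host only if it looks like one.
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, repo_parts = first, parts[1:]
    else:
        registry, repo_parts = "docker.io", parts
    if registry == "index.docker.io":
        registry = "docker.io"
    if registry == "docker.io" and len(repo_parts) == 1:
        repo_parts = ["library"] + repo_parts
    return registry, "/".join(repo_parts), digest


def manifest_digest(manifest_bytes: bytes) -> str:
    """The digest in image@sha256:... is the SHA-256 of the raw manifest bytes
    served by the registry; the client recomputes it on pull."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def verify_manifest(manifest_bytes: bytes, pinned_digest: str) -> bool:
    """True only if the served manifest hashes to the digest the publisher pinned."""
    if not is_valid_digest(pinned_digest):
        return False
    return manifest_digest(manifest_bytes) == pinned_digest


def pulled_image_matches_pin(pinned_ref: str, repo_digests: list[str]) -> bool:
    """Check that a pinned reference appears among an image's RepoDigests
    (the list `docker inspect --format '{{.RepoDigests}}'` reports)."""
    want = normalize_reference(pinned_ref)
    return any(normalize_reference(rd) == want for rd in repo_digests)


# Constructed sample manifest body, shaped like a schema-2 manifest a registry
# might serve. The layer list is empty and the config digest is a placeholder.
SAMPLE_MANIFEST = (
    b'{"schemaVersion":2,'
    b'"mediaType":"application/vnd.docker.distribution.manifest.v2+json",'
    b'"config":{"mediaType":"application/vnd.docker.container.image.v1+json",'
    b'"size":1234,"digest":"sha256:' + b"0" * 64 + b'"},"layers":[]}'
)

# What a publisher would record and hand to users alongside the tag.
PUBLISHED_DIGEST = manifest_digest(SAMPLE_MANIFEST)

if __name__ == "__main__":
    # Hypothetical repository name used only for the printed pull command.
    print(f"docker pull exampleuser/exampleapp@{PUBLISHED_DIGEST}")
    print("served manifest verifies:", verify_manifest(SAMPLE_MANIFEST, PUBLISHED_DIGEST))
    print("tampered manifest verifies:", verify_manifest(SAMPLE_MANIFEST + b" ", PUBLISHED_DIGEST))
    print(
        "short vs long reference match:",
        pulled_image_matches_pin(
            f"docker.io/exampleuser/exampleapp@{PUBLISHED_DIGEST}",
            [f"exampleuser/exampleapp@{PUBLISHED_DIGEST}"],
        ),
    )
```

The practical consequence for a publisher: document the digest of each release next to its tag, so users can `docker pull` by digest and later confirm with `docker inspect` that the image on their host still matches; a tag alone can be re-pointed at different content at any time.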