This page presents a compilation of good Docker security resources. The content here is living – it will be updated frequently. Please check back here often for the latest updates (updated on Feb 22, 2016).
First, a few basic resources
- Docker: https://www.docker.com
- CIS Docker 1.6 Benchmark: this CIS document defines configuration best practices for the Docker daemon, images and containers, and for the Linux host they run on. Its recommendations are split into two profiles: Level 1 (basic hardening with little operational impact) and Level 2 (defence in depth for environments where security is paramount).
- “Containers do not contain”: the original post by Dan Walsh of Red Hat explaining why “containers do not contain”: containers share the host kernel, so a kernel vulnerability or a misconfigured privilege reachable from inside a container is a host compromise, and a container must not be treated as the equivalent of a virtual machine boundary.
Specific Docker Concepts
What is Docker Hub?
Docker Hub is a free, cloud-hosted image registry run by Docker. It provides developers with storage for public and private content. With Docker Hub, a developer can easily publish and distribute the images they produce; anyone can publish there, so an image's presence on Docker Hub alone says nothing about its quality or safety. At the time of writing, Docker Hub has served over 1.4 billion image pulls. Here is more info on Docker Hub.
Docker Trusted Registry
Docker Trusted Registry is Docker’s enterprise version of Docker Hub. You can run Trusted Registry on premises or in your virtual private cloud to meet security or compliance requirements, for example keeping images off the public Internet. Here is Docker’s Trusted Registry page. Unlike the hosted Docker Hub service, whose underlying registry software (Docker Registry) is open source, Trusted Registry is a subscription-based product sold by Docker.
Official Docker Repository
Official Repositories are a curated set of Docker images on Docker Hub that are reviewed and digitally signed by a dedicated team of Docker maintainers. Official images are typically widely used base images and applications, such as Ubuntu, Nginx, MongoDB and MySQL. They are the safest starting point on Docker Hub, but they are still pulled by tag, and unless Content Trust is enabled nothing on the client checks that the image you receive is the one that was signed. You can explore the Official Repositories here.
Docker’s built-in security features
What is Docker Content Trust?
Content Trust is the mechanism by which users verify the integrity and publisher of Docker images. When a publisher pushes a tag with Content Trust enabled, Docker Engine signs the image’s manifest digest locally with the publisher’s private signing key. When a user later pulls that tag with Content Trust enabled, Docker Engine fetches the signed metadata and uses the publisher’s public key to verify that the image has not been altered since the publisher signed it; a tag without a valid signature is refused. Content Trust is off by default and is switched on per shell or per command with the environment variable DOCKER_CONTENT_TRUST=1. It also supports touch-to-sign with a hardware USB YubiKey, which stores the root key so that creating a repository’s trust data, and later changing its keys, requires a physical touch. Here is the Docker blog on Content Trust. Content Trust is built on Docker Notary and The Update Framework (TUF).
What is Docker Notary?
The Docker Notary project is a framework for securely publishing and consuming content (e.g., Docker images) over a potentially insecure network. Notary lets a publisher digitally sign content and a consumer verify those signatures, and it protects against content forgery, tampering and the replay of old, superseded versions. It is an implementation of The Update Framework, with a server that stores signed metadata and a client that verifies it. This is Docker’s path to secure, lightweight, modern software distribution. Here is the Docker blog on Docker Notary, and the GitHub link to Docker Notary.
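To make the Content Trust and Notary descriptions above concrete, here is an added example (not code from Docker, Notary or this page) of the TUF-style flow they rely on, written in Go because Notary itself is a Go project. It is a deliberate simplification: real Notary also has a snapshot role, delegations and key rotation, uses ECDSA keys, and stores its metadata on the Notary server rather than in memory. The three roles, the ed25519 keys, the 24-hour TTL and the sample digest are all assumptions chosen for the demonstration. The point is the verification order on the pull side: pinned root key first, then the freshness record, then the tag-to-digest map, and finally the digest of what was actually pulled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Signed is one metadata document as a Notary server would store it:
// the canonical JSON payload plus a detached signature over it.
type Signed struct{ Payload, Sig []byte }

// The three TUF roles modelled here (simplified). Root is signed by the offline
// root key and names the two online keys; Targets maps tags to manifest digests;
// Timestamp binds the current Targets to a short expiry so an old, still validly
// signed, Targets cannot be served forever (freeze/rollback protection).
type Root struct{ TargetsKey, TimestampKey []byte }
type Targets struct{ Tags map[string]string }
type Timestamp struct {
	TargetsHash string // hex sha256 of the Targets payload it vouches for
	Expires     time.Time
}

// Publisher holds the three keys. In Notary the root key stays offline (or on a
// YubiKey); only the tagging and timestamp keys are used on each push.
type Publisher struct{ root, targets, timestamp ed25519.PrivateKey }

func mustKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func NewPublisher() *Publisher { return &Publisher{root: mustKey(), targets: mustKey(), timestamp: mustKey()} }

// RootPublicKey is what a client pins on its first pull (trust on first use).
func (p *Publisher) RootPublicKey() ed25519.PublicKey { return p.root.Public().(ed25519.PublicKey) }

func sign(k ed25519.PrivateKey, v interface{}) Signed {
	payload, _ := json.Marshal(v) // struct encoding is deterministic, so this acts as canonical JSON
	return Signed{Payload: payload, Sig: ed25519.Sign(k, payload)}
}

// Publish is the push side: sign the key roster, the tag digests, and a
// freshness record that expires ttl after now.
func (p *Publisher) Publish(tags map[string]string, now time.Time, ttl time.Duration) (root, targets, ts Signed) {
	root = sign(p.root, Root{TargetsKey: p.targets.Public().(ed25519.PublicKey), TimestampKey: p.timestamp.Public().(ed25519.PublicKey)})
	targets = sign(p.targets, Targets{Tags: tags})
	h := sha256.Sum256(targets.Payload)
	ts = sign(p.timestamp, Timestamp{TargetsHash: hex.EncodeToString(h[:]), Expires: now.Add(ttl)})
	return root, targets, ts
}

// Verify is the pull side and fails closed: forged or edited metadata, expired or
// mismatched freshness data, an unsigned tag, or a pulled manifest whose digest
// is not the signed one all return an error.
func Verify(rootPub ed25519.PublicKey, root, targets, ts Signed, tag, pulledDigest string, now time.Time) error {
	var r Root
	if !ed25519.Verify(rootPub, root.Payload, root.Sig) || json.Unmarshal(root.Payload, &r) != nil {
		return errors.New("root metadata signature invalid")
	}
	var t Timestamp
	if !ed25519.Verify(r.TimestampKey, ts.Payload, ts.Sig) || json.Unmarshal(ts.Payload, &t) != nil {
		return errors.New("timestamp signature invalid")
	}
	if now.After(t.Expires) {
		return errors.New("timestamp expired: stale or replayed metadata")
	}
	if h := sha256.Sum256(targets.Payload); hex.EncodeToString(h[:]) != t.TargetsHash {
		return errors.New("targets does not match timestamp: rollback or mix-and-match")
	}
	var tg Targets
	if !ed25519.Verify(r.TargetsKey, targets.Payload, targets.Sig) || json.Unmarshal(targets.Payload, &tg) != nil {
		return errors.New("targets signature invalid")
	}
	if want, ok := tg.Tags[tag]; !ok || want != pulledDigest {
		return fmt.Errorf("no valid signature for tag %q over the pulled digest", tag)
	}
	return nil
}

func main() {
	pub := NewPublisher()
	now := time.Date(2016, 2, 22, 0, 0, 0, 0, time.UTC)
	digest := "sha256:" + strings.Repeat("ab", 32) // constructed stand-in for a manifest digest
	root, targets, ts := pub.Publish(map[string]string{"latest": digest}, now, 24*time.Hour)
	fmt.Println("good pull:", Verify(pub.RootPublicKey(), root, targets, ts, "latest", digest, now))
	fmt.Println("48h later:", Verify(pub.RootPublicKey(), root, targets, ts, "latest", digest, now.Add(48*time.Hour)))
}
```

The Timestamp check is what turns a plain signature scheme into something that resists replay: an attacker who can serve old metadata can only do so until the short-lived timestamp expires, and cannot pair an old Targets with a newer Timestamp because the hash will not match. Within the TTL a freeze is still possible, which is why Notary keeps that TTL short and re-signs the timestamp server-side.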
What is Docker Project Nautilus?
Nautilus is Docker’s image scanning capability. It examines the layers of images stored in Docker Hub and reports known vulnerabilities in the software they contain, so problems can be found before those images are run as containers. Today Nautilus only works with Docker Hub; it does not support private or on-premises registries. This YouTube video by Docker explains some of the Nautilus features.
Docker AuthZ Plugins
Native Docker access control is all or nothing: anyone who can reach the Docker daemon’s API socket can do everything, including starting privileged containers that effectively own the host. The AuthZ framework is Twistlock‘s contribution to the Docker code base, shipped in Docker 1.10. It lets anyone write an authorization plugin that the daemon consults on every API request (and response), so access to Docker resources can be allowed or denied per user and per operation. Here is the GitHub page on AuthZ. Also read Twistlock’s blog and Docker’s blog on AuthZ. Twistlock also open-sourced an AuthZ plugin implementation here.
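As an added illustration of what an AuthZ plugin actually does (this is example code written for this page, not Twistlock’s plugin or any Docker code), here is a minimal plugin in Go, the language of the Docker code base. The endpoint paths (/Plugin.Activate, /AuthZPlugin.AuthZReq, /AuthZPlugin.AuthZRes) and the request and response field names follow Docker’s authorization plugin API; the policy itself is a hypothetical one: any user may do anything except create a container that is --privileged or bind-mounts a host path, which is reserved for a hard-coded admin, and a create request the plugin cannot parse is denied rather than allowed. Listening on a TCP port is only so the block runs without a daemon; a real plugin is discovered via a Unix socket under /run/docker/plugins.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"regexp"
	"strings"
)

// AuthZRequest and AuthZResponse are the JSON bodies the daemon POSTs to
// /AuthZPlugin.AuthZReq and expects back (field names as in Docker's
// pkg/authorization). RequestBody arrives base64-encoded and decodes to []byte.
type AuthZRequest struct {
	User            string `json:"User"`
	UserAuthNMethod string `json:"UserAuthNMethod"`
	RequestMethod   string `json:"RequestMethod"`
	RequestURI      string `json:"RequestUri"`
	RequestBody     []byte `json:"RequestBody"`
}

type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// createContainer matches POST /containers/create with or without the API
// version prefix (e.g. /v1.22/containers/create).
var createContainer = regexp.MustCompile(`^/(v[0-9.]+/)?containers/create`)

// admins is a hypothetical allow-list. User is the TLS client certificate CN when
// the daemon runs with --tlsverify, and empty otherwise, so unauthenticated
// callers never match.
var admins = map[string]bool{"alice": true}

// Authorize implements the example policy described above. Anything that is not a
// container create passes through; a create that is privileged or bind-mounts a
// host path is allowed only for admins; an unparsable create is denied (fail closed).
func Authorize(req AuthZRequest) AuthZResponse {
	if req.RequestMethod != "POST" || !createContainer.MatchString(req.RequestURI) {
		return AuthZResponse{Allow: true}
	}
	if admins[req.User] {
		return AuthZResponse{Allow: true}
	}
	var body struct {
		HostConfig struct {
			Privileged bool
			Binds      []string // "host-src:container-dest[:opts]"; host-src is a path or a named volume
		}
	}
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return AuthZResponse{Allow: false, Err: "cannot parse container create request: " + err.Error()}
	}
	if body.HostConfig.Privileged {
		return AuthZResponse{Allow: false, Msg: fmt.Sprintf("user %q may not create privileged containers", req.User)}
	}
	for _, b := range body.HostConfig.Binds {
		if strings.HasPrefix(b, "/") { // a host path, e.g. /var/run/docker.sock:/var/run/docker.sock
			return AuthZResponse{Allow: false, Msg: fmt.Sprintf("user %q may not bind-mount host path %s", req.User, strings.SplitN(b, ":", 2)[0])}
		}
	}
	return AuthZResponse{Allow: true}
}

// handler serves the plugin protocol: activation handshake, request hook, response hook.
func handler(w http.ResponseWriter, r *http.Request) {
	enc := json.NewEncoder(w)
	switch r.URL.Path {
	case "/Plugin.Activate":
		enc.Encode(map[string][]string{"Implements": {"authz"}})
	case "/AuthZPlugin.AuthZReq":
		var req AuthZRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			enc.Encode(AuthZResponse{Allow: false, Err: err.Error()})
			return
		}
		enc.Encode(Authorize(req))
	case "/AuthZPlugin.AuthZRes":
		enc.Encode(AuthZResponse{Allow: true}) // this example does not filter daemon responses
	default:
		http.NotFound(w, r)
	}
}

func main() {
	// Local TCP only so the example runs without a daemon; real plugins use
	// /run/docker/plugins/<name>.sock or a .spec file for discovery.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(handler)))
}
```

Two design points worth noting. The check on Binds is there because mounting the Docker socket or / into a container is the same thing as granting root on the host, so a policy that only blocks --privileged is easily bypassed. And denying on a parse failure matters because the daemon will otherwise accept whatever the plugin could not understand.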
Other resources: Here is a good Q&A with Docker on its various security features.
- Docker Security
- Real World Security: Software Supply Chain – DockerCon EU 2017 session
- Modern App Security Requires Containers – DockerCon EU 2017 panel
- Get Stronger Security through Containers and Machine Learning – DockerCon EU 2017 session
- Companion Guide to NIST SP 800-190 on Container Security
- The Proactive Security Paradigm