-
Notifications
You must be signed in to change notification settings - Fork 8.4k
dhi: apply scout policy #25564
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
craig-osterhout
wants to merge
4
commits into
docker:main
Choose a base branch
from
craig-osterhout:dhi-local-policy-enforce
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+193
−79
Open
dhi: apply scout policy #25564
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,115 +1,226 @@ | ||
| --- | ||
| title: Enforce Docker Hardened Image usage with policies | ||
| linktitle: Enforce image usage | ||
| description: Learn how to use image policies with Docker Scout for Docker Hardened Images. | ||
| title: Apply Docker Hardened Image policies to your images | ||
| linktitle: Apply image policies | ||
| description: Learn how to hold your own images to Docker Hardened Image security and compliance standards using the Docker Scout CLI. | ||
| weight: 50 | ||
| keywords: docker scout policies, enforce image compliance, container security policy, image provenance, vulnerability policy check | ||
| keywords: docker scout policies, image security policy, container compliance, dhi policies, vulnerability policy check | ||
| --- | ||
|
|
||
| When you have a Docker Hardened Images Enterprise subscription, mirroring a | ||
| Docker Hardened Image (DHI) repository automatically enables [Docker | ||
| Scout](/scout/), allowing you to start enforcing security and compliance | ||
| policies for your images without additional setup. Using Docker Scout policies, | ||
| you can define and apply rules that ensure only approved and secure images, such | ||
| as those based on DHIs, are used across your environments. | ||
| Docker publishes the set of security and compliance policies that Docker | ||
| Hardened Images (DHIs) are built to meet, so you can hold your own images to the | ||
| same standards. You evaluate images against these policies with the | ||
| [`docker scout policy`](../../scout/policy/local.md) command. | ||
|
|
||
| These policies encode requirements such as running as a non-root user, being | ||
| free of fixable critical and high vulnerabilities, containing no embedded | ||
| malware or secrets, and shipping signed supply chain attestations. They don't | ||
| verify whether an image is a DHI or built on a DHI base image; they check | ||
| whether an image meets the same bar that DHIs are held to. | ||
|
|
||
| Unlike the built-in Docker Scout policies, the DHI policies aren't embedded in | ||
| the CLI. They're maintained as Rego source in the | ||
| [`docker-hardened-images/policies`](https://github.com/docker-hardened-images/policies) | ||
| repository and published as an OCI policy bundle at | ||
| [`dhi/policies`](https://hub.docker.com/repository/docker/dhi/policies/general). | ||
| You pull the bundle at evaluation time with the `--policy-bundle` flag, so you | ||
| can apply DHI standards locally, in CI, or both, without sending any data to the | ||
| Docker Scout service. | ||
|
|
||
| ## Policies in the DHI bundle | ||
|
|
||
| The `dhi/policies` bundle includes the following policies: | ||
|
|
||
| | Policy | Policy name | What it checks | | ||
| | --- | --- | --- | | ||
| | No default root user for non-dev images | `dhi-default-non-root-user` | The image is configured to run as a non-root user. | | ||
| | No fixable vulnerabilities past their remediation SLA | `fixable-vulnerabilities` | No fixable CVEs remain unaddressed past their remediation SLA (7 days for critical and high, 30 days for others). | | ||
| | No high-profile vulnerabilities | `high-profile-vulnerabilities` | The image is free of a curated list of well-known CVEs, optionally including the CISA KEV catalog. | | ||
| | No embedded malware | `dhi-no-embedded-malware` | A malware scan attestation is present and passing. | | ||
| | No embedded secrets | `dhi-no-embedded-secrets` | A secret scan attestation is present and passing. | | ||
| | No failing tests | `dhi-no-failing-tests` | A test attestation is present and passing. | | ||
| | Signed supply chain attestations | `dhi-signed-supply-chain-attestations` | SBOM and provenance attestations are attached and signed. | | ||
| | Unintentional shell or package manager | `dhi-unintentional-shell-or-package-manager` | No undeclared shell or package manager is present in the image. | | ||
| | STIG scan | `dhi-stig-scan-score` | For FIPS-compliant images, the STIG scan meets the required score. | | ||
|
|
||
| The **Policy name** is the stable ID you reference in a `--policy-config` file to | ||
| enable, disable, or tune a policy. | ||
|
|
||
| For the authoritative list and the Rego source for each policy, see the | ||
| [`docker-hardened-images/policies`](https://github.com/docker-hardened-images/policies) | ||
| repository. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| - The [Docker Scout CLI plugin](/manuals/scout/install.md). It's included with | ||
| Docker Desktop. | ||
| - Access to pull the `dhi/policies` bundle from Docker Hub. Authentication uses | ||
| your existing Docker registry credentials, so sign in first: | ||
|
|
||
| ```console | ||
| $ docker login | ||
| ``` | ||
|
|
||
| ## Evaluate an image against the DHI policies | ||
|
|
||
| To evaluate an image against the DHI policy bundle, pass the bundle reference to | ||
| `docker scout policy` with the `--policy-bundle` flag: | ||
|
|
||
| Docker Scout includes a dedicated **Valid Docker Hardened Image (DHI) or DHI | ||
| base | ||
| image** | ||
| policy type that validates whether your images are Docker Hardened Images or are | ||
| built using a DHI as the base image. This policy checks for valid Docker signed | ||
| verification summary attestations. | ||
|
|
||
| With policy evaluation built into Docker Scout, you can monitor image compliance | ||
| in real time, integrate checks into your CI/CD workflows, and maintain | ||
| consistent standards for image security and provenance. | ||
|
|
||
| ## View existing policies | ||
|
|
||
| To see the current policies applied to a mirrored DHI repository: | ||
|
|
||
| 1. Go to the mirrored DHI repository in [Docker Hub](https://hub.docker.com). | ||
| 2. Select **View on Scout**. | ||
|
|
||
| This opens the [Docker Scout dashboard](https://scout.docker.com), where you | ||
| can see which policies are currently active and whether your images meet the | ||
| policy criteria. | ||
|
|
||
| Docker Scout automatically evaluates policy compliance when new images are | ||
| pushed. Each policy includes a compliance result and a link to the affected | ||
| images and layers. | ||
|
|
||
| ## Evaluate DHI policy compliance for your images | ||
|
|
||
| When you enable Docker Scout for your repositories, you can configure the | ||
| **Valid Docker Hardened Image (DHI) or DHI base | ||
| image** | ||
| policy. This optional policy validates whether your images are DHIs or built with DHI | ||
| base images by checking for Docker signed verification summary attestations. | ||
| ```console | ||
| $ docker scout policy <image> --policy-bundle dhi/policies:latest | ||
| ``` | ||
|
|
||
| The following example shows how to build an image using a DHI base image and | ||
| evaluate its compliance with the DHI policy. | ||
| The CLI pulls the bundle, indexes the image into an SBOM, enriches it with CVE | ||
| and VEX data, and evaluates each policy in the bundle against that data. Bundles | ||
| are cached by digest, so re-running against the same bundle doesn't re-download | ||
| it. | ||
|
|
||
| ### Example: Build and evaluate a DHI-based image | ||
|
|
||
| The following example builds an image from a DHI base image and evaluates it | ||
| against the DHI policy bundle. | ||
|
|
||
| #### Step 1: Use a DHI base image in your Dockerfile | ||
|
|
||
| Create a Dockerfile that uses a Docker Hardened Image mirrored repository as the | ||
| base. For example: | ||
| Create a Dockerfile that uses a Docker Hardened Image from the DHI catalog as | ||
| the base. For example: | ||
|
|
||
| ```dockerfile | ||
| # Dockerfile | ||
| FROM <your-namespace>/dhi-python:3.13-alpine3.21 | ||
| FROM dhi.io/python:3.13 | ||
|
|
||
| ENTRYPOINT ["python", "-c", "print('Hello from a DHI-based image')"] | ||
| ``` | ||
|
|
||
| #### Step 2: Build and push the image | ||
| #### Step 2: Build the image | ||
|
|
||
| Open a terminal and navigate to the directory containing your Dockerfile. Then, | ||
| build and push the image to your Docker Hub repository: | ||
| build the image and load it into your local image store: | ||
|
|
||
| ```console | ||
| $ docker build \ | ||
| --push \ | ||
| -t <your-namespace>/my-dhi-app:v1 . | ||
| $ docker build --load -t my-dhi-app:v1 . | ||
| ``` | ||
|
|
||
| #### Step 3: Enable Docker Scout | ||
| #### Step 3: Evaluate the image against the DHI policies | ||
|
|
||
| To enable Docker Scout for your organization and the repository, run the | ||
| following commands in your terminal: | ||
| Sign in and evaluate the local image against the DHI policy bundle: | ||
|
|
||
| ```console | ||
| $ docker login | ||
| $ docker scout enroll <your-namespace> | ||
| $ docker scout repo enable --org <your-namespace> <your-namespace>/my-dhi-app | ||
| $ docker scout policy my-dhi-app:v1 \ | ||
| --policy-bundle dhi/policies:latest | ||
| ``` | ||
|
|
||
| #### Step 4: Configure the DHI policy | ||
| The command prints a compliance result for each policy in the bundle, along with | ||
| the details of any violations. | ||
|
|
||
| ## Customize the DHI policies | ||
|
|
||
| You can tune which policies run and their thresholds with a `--policy-config` | ||
| file. The | ||
| [`docker-hardened-images/policies`](https://github.com/docker-hardened-images/policies) | ||
| repository includes an example `config.json` you can start from. | ||
|
|
||
| ```console | ||
| $ docker scout policy my-dhi-app:v1 \ | ||
| --policy-bundle dhi/policies:latest \ | ||
| --policy-config ./config.json | ||
| ``` | ||
|
|
||
| Once Docker Scout is enabled, you can configure the **Valid Docker Hardened | ||
| Image (DHI) or DHI base image** policy for your organization: | ||
| The config file matches policies by the **Policy name** listed in | ||
| [Policies in the DHI bundle](#policies-in-the-dhi-bundle) and lets you disable | ||
| individual policies or adjust their settings. For example, the following config | ||
| disables the STIG scan policy and only flags critical fixable vulnerabilities: | ||
|
|
||
| ```json | ||
| { | ||
| "policies": [ | ||
| { | ||
| "name": "dhi-stig-scan-score", | ||
| "enabled": false | ||
| }, | ||
| { | ||
| "name": "fixable-vulnerabilities", | ||
| "config": { | ||
| "severities": ["CRITICAL"] | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
|
|
||
| 1. Go to the [Docker Scout dashboard](https://scout.docker.com). | ||
| 2. Select your organization and navigate to **Policies**. | ||
| 3. Configure the **Valid Docker Hardened Image (DHI) or DHI base image** policy | ||
| to enable it for your repositories. | ||
| For the full config file format, see | ||
| [Configure built-in policies](../../scout/policy/local.md#configure-built-in-policies). | ||
|
|
||
| For more information on configuring policies, see | ||
| [Configure policies](../../scout/policy/dashboard.md). | ||
| You can also combine the DHI bundle with the built-in Docker Scout policies, | ||
| additional bundles, or your own custom Rego files. `--policy-bundle`, | ||
| `--policy-file`, and `--policy-dir` are all repeatable: | ||
|
|
||
| #### Step 5: View policy compliance | ||
| ```console | ||
| $ docker scout policy my-dhi-app:v1 \ | ||
| --policy-bundle dhi/policies:latest \ | ||
| --policy-file ./custom.rego | ||
| ``` | ||
|
|
||
| Once the DHI policy is configured and active, you can view compliance results: | ||
| For more on authoring custom policies and combining policy sources, see | ||
| [Evaluate policies](../../scout/policy/local.md). | ||
|
|
||
| ## Enforce policy compliance in CI | ||
|
|
||
| Use the [Docker Scout GitHub Action](https://github.com/docker/scout-action) to | ||
| evaluate the DHI policies on every push and fail the workflow when an image | ||
| doesn't meet them. The following workflow builds the image, then evaluates it | ||
| against the DHI policy bundle: | ||
|
|
||
| ```yaml | ||
| name: DHI policy check | ||
|
|
||
| on: | ||
| push: | ||
|
|
||
| env: | ||
| IMAGE_NAME: my-dhi-app:${{ github.sha }} | ||
|
|
||
| jobs: | ||
| policy: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check out the repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Log in to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKER_USER }} | ||
| password: ${{ secrets.DOCKER_PAT }} | ||
|
|
||
| - name: Build the image | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: . | ||
| load: true | ||
| tags: ${{ env.IMAGE_NAME }} | ||
|
|
||
| - name: Evaluate DHI policies | ||
| uses: docker/scout-action@v1.23.1 | ||
|
craig-osterhout marked this conversation as resolved.
|
||
| with: | ||
| command: policy | ||
| image: ${{ env.IMAGE_NAME }} | ||
| policy-bundle: dhi/policies:latest | ||
| exit-code: true | ||
| ``` | ||
|
|
||
| 1. Go to the [Docker Scout dashboard](https://scout.docker.com). | ||
| 2. Select your organization and navigate to **Images**. | ||
| 3. Find your image, `<your-namespace>/my-dhi-app:v1`, and select the link in the **Compliance** column. | ||
| The `docker/login-action` step authenticates with Docker Hub so the runner can | ||
| pull the DHI base image and the `dhi/policies` bundle. Store your Docker Hub | ||
| username and a [personal access token](/manuals/security/access-tokens.md) as the | ||
| `DOCKER_USER` and `DOCKER_PAT` repository secrets. | ||
|
|
||
| This shows the policy compliance results for your image. The **Valid Docker | ||
| Hardened Image (DHI) or DHI base image** policy evaluates whether your image has | ||
| a valid Docker signed verification summary attestation or if its base image has | ||
| such an attestation. | ||
| Set `exit-code: true` to fail the step when any policy isn't met. The | ||
| `policy-bundle` input accepts a comma-separated list of bundles, and you can | ||
| combine it with the `policy-file`, `policy-dir`, and `policy-config` inputs, the | ||
|
craig-osterhout marked this conversation as resolved.
|
||
| same as the CLI flags. | ||
|
|
||
| You can now [evaluate policy compliance in your CI](/scout/policy/ci/). | ||
| For more on running policy evaluation in CI, see | ||
| [Evaluate policies](../../scout/policy/local.md#use-in-ci). | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.