diff --git a/content/manuals/dhi/core-concepts/attestations.md b/content/manuals/dhi/core-concepts/attestations.md index e5f93c39677f..af72fd2e6661 100644 --- a/content/manuals/dhi/core-concepts/attestations.md +++ b/content/manuals/dhi/core-concepts/attestations.md @@ -82,7 +82,7 @@ For more details, see [Verify image attestations](../how-to/verify.md#verify-ima | Scout SBOM | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata. | | Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys. | | Tests | A record of automated tests run against the image, such as functional checks or validation scripts. | -| Virus scan | Results of antivirus scans performed on the image layers. | +| Virus scan | Results of antivirus scans performed on the image layers. For details, see [Malware scanning](../explore/malware-scanning.md). | | CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data. | | SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source. | | SLSA verification summary | A summary attestation indicating the image's compliance with SLSA requirements. | 
@@ -130,7 +130,7 @@ For more details, see [Verify Helm chart attestations](../how-to/verify.md#verif | Scout SBOM | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata. | | Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package. | | Tests | A record of automated tests run against the chart to validate functionality and compatibility with referenced images. | -| Virus scan | Results of antivirus scans performed on the chart package. | +| Virus scan | Results of antivirus scans performed on the chart package. For details, see [Malware scanning](../explore/malware-scanning.md). | | CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images. | | SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials. | | SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references. | diff --git a/content/manuals/dhi/explore/_index.md b/content/manuals/dhi/explore/_index.md index 4457e9c7b023..151f73e4fe0d 100644 --- a/content/manuals/dhi/explore/_index.md +++ b/content/manuals/dhi/explore/_index.md 
@@ -25,6 +25,10 @@ params: description: See how Docker Hardened Images are automatically tested for standards compliance, functionality, and security. icon: science link: /dhi/explore/test/ + - title: Malware scanning + description: Learn how Docker scans Docker Hardened Images for viruses and malware, and how to view and verify the scan attestation. + icon: bug_report + link: /dhi/explore/malware-scanning/ - title: Responsibility overview description: Understand Docker's role and your responsibilities when using Docker Hardened Images as part of your secure software supply chain. icon: group diff --git a/content/manuals/dhi/explore/build-process.md b/content/manuals/dhi/explore/build-process.md index d455ce168a3c..b73b6be23c13 100644 --- a/content/manuals/dhi/explore/build-process.md +++ b/content/manuals/dhi/explore/build-process.md @@ -118,8 +118,10 @@ Each Docker Hardened Image is built through an automated pipeline: projects, improving the code for the entire community. When fixes are accepted upstream, the DHI build pipeline applies the patch immediately to protect customers while the fix moves through the upstream release process. -5. Testing: Images undergo comprehensive testing for compatibility and - functionality. +5. Testing and scanning: Images undergo comprehensive + [testing](test.md) for compatibility and functionality, and are + [scanned for malware](malware-scanning.md), secrets, and + vulnerabilities. 6. Signing and attestations: Docker signs each image and generates attestations (SBOMs, VEX documents, build provenance). 7. Publishing: The signed image is published to the DHI registry and the 
@@ -144,8 +146,8 @@ The following diagram shows the base image build flow: | v .-------------------. .-------------------. .-------------------. .-------------------. -| Cascade rebuilds |<-----| Publish to |<-----| Sign & generate |<-----| Testing | -| (if needed) | | DHI registry | | attestations | | | +| Cascade rebuilds |<-----| Publish to |<-----| Sign & generate |<-----| Testing & | +| (if needed) | | DHI registry | | attestations | | scanning | '-------------------' '-------------------' '-------------------' '-------------------' ``` @@ -160,9 +162,11 @@ When you customize a DHI image with DHI Select or DHI Enterprise, the build proc DHI image is updated, an automated rebuild starts. 3. Fetch base image: The latest base DHI image is fetched. 4. Apply customizations: Your OCI artifacts are applied to the base image. -5. Signing and attestations: Docker signs the customized image and generates +5. Scanning: The customized image is [scanned for + malware](malware-scanning.md), secrets, and vulnerabilities. +6. Signing and attestations: Docker signs the customized image and generates attestations (SBOMs, VEX documents, build provenance). -6. Publishing: The signed customized image is published to Docker Hub and the +7. Publishing: The signed customized image is published to Docker Hub and the attestations are published to the Docker Scout registry. Docker handles the entire process automatically, so you don't need to manage 
@@ -172,14 +176,14 @@ customized images and managing any CVEs introduced by your OCI artifacts. The following diagram shows the customized image build flow: ```goat {class="text-sm"} -.-------------------. .-------------------. .-------------------. -| Docker monitors |----->| Trigger rebuild |----->| Fetch base | -| OCI artifacts | | | | DHI image | -'-------------------' '-------------------' '-------------------' - | - v -.-------------------. .-------------------. .-------------------. -| Publish to |<-----| Sign & generate |<-----| Apply | -| Docker Hub | | attestations | | customizations | -'-------------------' '-------------------' '-------------------' +.-------------------. .-------------------. .-------------------. .-------------------. +| Docker monitors |----->| Trigger rebuild |----->| Fetch base |----->| Apply | +| OCI artifacts | | | | DHI image | | customizations | +'-------------------' '-------------------' '-------------------' '-------------------' + | + v + .-------------------. .-------------------. .-------------------. + | Publish to |<-----| Sign & generate |<-----| Scanning | + | Docker Hub | | attestations | | | + '-------------------' '-------------------' '-------------------' ``` diff --git a/content/manuals/dhi/explore/feedback.md b/content/manuals/dhi/explore/feedback.md index c8463987660d..48fa91833689 100644 --- a/content/manuals/dhi/explore/feedback.md +++ b/content/manuals/dhi/explore/feedback.md @@ -3,7 +3,7 @@ title: Give feedback linkTitle: Feedback description: How to interact with the DHI team keywords: software supply chain security, feedback, bugs, discussion, questions -weight: 50 +weight: 999 aliases: - /dhi/about/feedback/ --- diff --git a/content/manuals/dhi/explore/malware-scanning.md b/content/manuals/dhi/explore/malware-scanning.md new file mode 100644 index 000000000000..60ab4c1b4743 --- /dev/null +++ b/content/manuals/dhi/explore/malware-scanning.md 
@@ -0,0 +1,94 @@ +--- +title: Malware scanning +description: Learn how Docker scans Docker Hardened Images for viruses and malware using ClamAV, and how to view and verify the scan attestation. +keywords: docker hardened images, malware scanning, virus scan, clamav, attestation, image security +weight: 50 +--- + +The Docker Hardened Image (DHI) pipeline scans for viruses and malware as part +of the build process. The scan results are embedded as a signed attestation, +which you can independently retrieve and verify. + +## How it works + +Docker uses [ClamAV](https://www.clamav.net/), an open source antivirus engine, +to scan every layer of each image. The scan runs automatically during the build +process and checks all files in the image, including files inside archives, for +known viruses and malware signatures. + +The scan results are published as a signed attestation attached to the image. +The attestation includes the full ClamAV scan report, including the number of +files scanned, the virus signature database version, and whether any infected +files were detected. + +## View the malware scan attestation + +You can retrieve the malware scan attestation using the Docker Scout CLI. + +1. Use the `docker scout attest get` command with the virus scan predicate type: + + ```console + $ docker scout attest get \ + --predicate-type https://scout.docker.com/virus/v0.1 \ + --predicate \ + dhi.io/: + ``` + + > [!NOTE] + > + > If the image exists locally on your device, you must prefix the image name + > with `registry://`. For example, use `registry://dhi.io/python` instead of + > `dhi.io/python`. 
+ + For example: + + ```console + $ docker scout attest get \ + --predicate-type https://scout.docker.com/virus/v0.1 \ + --predicate \ + dhi.io/python:3.13 + ``` + + The output is a JSON object containing the scanner used and the base64-encoded + scan report: + + ```json + { + "scanner": { + "report": "", + "uri": "clamav/clamav:stable" + } + } + ``` + + Decoding the report shows the full ClamAV output, ending with a scan summary: + + ```text + ----------- SCAN SUMMARY ----------- + Known viruses: 3627833 + Engine version: 1.5.2 + Scanned directories: 4 + Scanned files: 21 + Infected files: 0 + Data scanned: 44.90 MiB + Data read: 23.88 MiB (ratio 1.88:1) + Time: 11.473 sec (0 m 11 s) + Start Date: 2026:04:12 02:36:19 + End Date: 2026:04:12 02:36:30 + ``` + +2. Verify the attestation signature. To ensure the attestation is authentic and + signed by Docker, run: + + ```console + $ docker scout attest get \ + --predicate-type https://scout.docker.com/virus/v0.1 \ + --verify \ + dhi.io/: --platform + ``` + + If the attestation is valid, Docker Scout confirms the signature and shows + the matching `cosign verify` command. + +To view other attestations, such as SBOMs or test results, see [Verify +an image](../how-to/verify.md).
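Review bot: In the attestations.md Helm chart table hunk (@@ -130), the `Virus scan` row now links to malware-scanning.md, but the new page only describes scanning image layers ("scan every layer of each image") and its only worked example targets `dhi.io/python:3.13`; a reader who follows the link from the chart table finds nothing about how the chart package is scanned or how to fetch the chart's virus-scan attestation. Either add a chart section and a chart-reference example to the new page, or keep the link only in the image table until the page covers charts.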
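Review bot: In build-process.md step 6 (@@ -118 hunk) the attestation list is still "(SBOMs, VEX documents, build provenance)" while the new step 5 adds malware, secrets and vulnerability scans whose results, according to the new malware-scanning.md, are published as signed attestations; extend the step 6 list so the pipeline description matches the attestation table in attestations.md. The same unchanged list appears in step 6 of the customized-image procedure (@@ -160 hunk), which now also has a dedicated scanning step before it.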
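Review bot: The new malware-scanning.md never states what happens when the scan finds something: "How it works" says the scan runs and the result is attested, but not whether a detection blocks publication or only yields an attestation with a non-zero `Infected files` count. State the policy explicitly, since that is the point a consumer of the attestation needs to know. Smaller points in the same hunk: (1) the placeholders in the commands and JSON render empty here (`dhi.io/:`, `"report": ""`, `--platform`), so if they were written as angle-bracket placeholders they are being swallowed as HTML and need escaping or backticks; (2) "Decoding the report shows the full ClamAV output" gives no decode command, and a one-liner such as `docker scout attest get --predicate-type https://scout.docker.com/virus/v0.1 --predicate dhi.io/python:3.13 | jq -r '.scanner.report' | base64 -d` would make the step reproducible; (3) step 1 reads the report with `--predicate` and only step 2 checks the signature, so say that the report should be trusted only after `--verify` succeeds, and note that step 2 passes `--platform` while step 1 does not, so clarify whether step 1 also needs it for multi-platform images; (4) `"uri": "clamav/clamav:stable"` is a floating tag, so point readers to the `Engine version` and `Known viruses` lines of the decoded summary as the record of what actually ran, and add a sentence that a clean result reflects the signature database at build time, not the current one.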