4 changes: 2 additions & 2 deletions content/manuals/dhi/core-concepts/attestations.md
Expand Up @@ -82,7 +82,7 @@ For more details, see [Verify image attestations](../how-to/verify.md#verify-ima
| Scout SBOM | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata. |
| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys. |
| Tests | A record of automated tests run against the image, such as functional checks or validation scripts. |
| Virus scan | Results of antivirus scans performed on the image layers. |
| Virus scan | Results of antivirus scans performed on the image layers. For details, see [Malware scanning](../explore/malware-scanning.md). |
| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data. |
| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source. |
| SLSA verification summary | A summary attestation indicating the image's compliance with SLSA requirements. |
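Review bot: only the Virus scan row gains a "For details" cross-reference, although the Tests row in the same table also has a dedicated page (this PR's build-process.md links `[testing](test.md)`, and the explore index lists `/dhi/explore/test/`). For consistency, give the Tests row the same treatment, e.g. `| Tests | A record of automated tests run against the image, such as functional checks or validation scripts. For details, see [Testing](../explore/test.md). |`, or state in the table intro that only some rows link to a detail page.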
Expand Down Expand Up @@ -130,7 +130,7 @@ For more details, see [Verify Helm chart attestations](../how-to/verify.md#verif
| Scout SBOM | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata. |
| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package. |
| Tests | A record of automated tests run against the chart to validate functionality and compatibility with referenced images. |
| Virus scan | Results of antivirus scans performed on the chart package. |
| Virus scan | Results of antivirus scans performed on the chart package. For details, see [Malware scanning](../explore/malware-scanning.md). |
| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images. |
| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials. |
| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references. |
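Review bot: the Helm chart Virus scan row now links to malware-scanning.md, but that page (added in this PR) describes scanning "every layer of each image" and its only example is `dhi.io/python:3.13`; it says nothing about chart packages. Either add a sentence and an example for charts to the new page, or hold this link until it does, so a reader following it for a Helm chart does not land on image-only guidance.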
4 changes: 4 additions & 0 deletions content/manuals/dhi/explore/_index.md
Expand Up @@ -25,6 +25,10 @@ params:
description: See how Docker Hardened Images are automatically tested for standards compliance, functionality, and security.
icon: science
link: /dhi/explore/test/
- title: Malware scanning
description: Learn how Docker scans Docker Hardened Images for viruses and malware, and how to view and verify the scan attestation.
icon: bug_report
link: /dhi/explore/malware-scanning/
- title: Responsibility overview
description: Understand Docker's role and your responsibilities when using Docker Hardened Images as part of your secure software supply chain.
icon: group
36 changes: 20 additions & 16 deletions content/manuals/dhi/explore/build-process.md
Expand Up @@ -118,8 +118,10 @@ Each Docker Hardened Image is built through an automated pipeline:
projects, improving the code for the entire community. When fixes are accepted
upstream, the DHI build pipeline applies the patch immediately to protect
customers while the fix moves through the upstream release process.
5. Testing: Images undergo comprehensive testing for compatibility and
functionality.
5. Testing and scanning: Images undergo comprehensive
[testing](test.md) for compatibility and functionality, and are
[scanned for malware](malware-scanning.md), secrets, and
vulnerabilities.
6. Signing and attestations: Docker signs each image and generates
attestations (SBOMs, VEX documents, build provenance).
7. Publishing: The signed image is published to the DHI registry and the
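Review bot: step 5 now says images are scanned for malware, secrets, and vulnerabilities, but step 6 still lists the generated attestations as only "(SBOMs, VEX documents, build provenance)". The attestations table in content/manuals/dhi/core-concepts/attestations.md, edited in this same PR, also has Virus scan, Secrets scan, Tests and CVEs rows, and the whole point of the new malware-scanning.md page is that the scan result ships as a signed attestation. Extend the parenthetical, e.g. `attestations (SBOMs, VEX documents, build provenance, and test and scan results)`, so the pipeline description matches the attestation table.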
Expand All @@ -144,8 +146,8 @@ The following diagram shows the base image build flow:
|
v
.-------------------. .-------------------. .-------------------. .-------------------.
| Cascade rebuilds |<-----| Publish to |<-----| Sign & generate |<-----| Testing |
| (if needed) | | DHI registry | | attestations | | |
| Cascade rebuilds |<-----| Publish to |<-----| Sign & generate |<-----| Testing & |
| (if needed) | | DHI registry | | attestations | | scanning |
'-------------------' '-------------------' '-------------------' '-------------------'
```

Expand All @@ -160,9 +162,11 @@ When you customize a DHI image with DHI Select or DHI Enterprise, the build proc
DHI image is updated, an automated rebuild starts.
3. Fetch base image: The latest base DHI image is fetched.
4. Apply customizations: Your OCI artifacts are applied to the base image.
5. Signing and attestations: Docker signs the customized image and generates
5. Scanning: The customized image is [scanned for
malware](malware-scanning.md), secrets, and vulnerabilities.
6. Signing and attestations: Docker signs the customized image and generates
attestations (SBOMs, VEX documents, build provenance).
6. Publishing: The signed customized image is published to Docker Hub and the
7. Publishing: The signed customized image is published to Docker Hub and the
attestations are published to the Docker Scout registry.

Docker handles the entire process automatically, so you don't need to manage
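Review bot: the customized-image flow gains a "Scanning" step for malware, secrets, and vulnerabilities, but unlike the base flow's new "Testing and scanning" step it mentions no testing. If customized images are not run through the test suite, say so explicitly here, since the surrounding text already draws the line between what Docker handles and what the customer owns (CVEs introduced by your OCI artifacts); if they are tested, mirror the base flow's wording and link to test.md.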
Expand All @@ -172,14 +176,14 @@ customized images and managing any CVEs introduced by your OCI artifacts.
The following diagram shows the customized image build flow:

```goat {class="text-sm"}
.-------------------. .-------------------. .-------------------.
| Docker monitors |----->| Trigger rebuild |----->| Fetch base |
| OCI artifacts | | | | DHI image |
'-------------------' '-------------------' '-------------------'
|
v
.-------------------. .-------------------. .-------------------.
| Publish to |<-----| Sign & generate |<-----| Apply |
| Docker Hub | | attestations | | customizations |
'-------------------' '-------------------' '-------------------'
.-------------------. .-------------------. .-------------------. .-------------------.
| Docker monitors |----->| Trigger rebuild |----->| Fetch base |----->| Apply |
| OCI artifacts | | | | DHI image | | customizations |
'-------------------' '-------------------' '-------------------' '-------------------'
|
v
.-------------------. .-------------------. .-------------------.
| Publish to |<-----| Sign & generate |<-----| Scanning |
| Docker Hub | | attestations | | |
'-------------------' '-------------------' '-------------------'
```
2 changes: 1 addition & 1 deletion content/manuals/dhi/explore/feedback.md
Expand Up @@ -3,7 +3,7 @@ title: Give feedback
linkTitle: Feedback
description: How to interact with the DHI team
keywords: software supply chain security, feedback, bugs, discussion, questions
weight: 50
weight: 999
you can also unset weight to let it sink to the bottom - pages with any weight are always ranked higher than weightless pages.

aliases:
- /dhi/about/feedback/
---
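Review bot: `weight: 999` is a magic number chosen to sort below the new malware-scanning.md page, which takes the `weight: 50` this page used to have. As the inline comment says, deleting the `weight` key ranks the page last without hard-coding a value, and it avoids another bump the next time a page is added with a higher weight.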
94 changes: 94 additions & 0 deletions content/manuals/dhi/explore/malware-scanning.md
@@ -0,0 +1,94 @@
---
title: Malware scanning
description: Learn how Docker scans Docker Hardened Images for viruses and malware using ClamAV, and how to view and verify the scan attestation.
keywords: docker hardened images, malware scanning, virus scan, clamav, attestation, image security
weight: 50
---

The Docker Hardened Image (DHI) pipeline scans for viruses and malware as part
of the build process. The scan results are embedded as a signed attestation,
which you can independently retrieve and verify.

## How it works

Docker uses [ClamAV](https://www.clamav.net/), an open source antivirus engine,
to scan every layer of each image. The scan runs automatically during the build
process and checks all files in the image, including files inside archives, for
known viruses and malware signatures.

The scan results are published as a signed attestation attached to the image.
The attestation includes the full ClamAV scan report, including the number of
files scanned, the virus signature database version, and whether any infected
files were detected.

## View the malware scan attestation

You can retrieve the malware scan attestation using the Docker Scout CLI.

1. Use the `docker scout attest get` command with the virus scan predicate type:

```console
$ docker scout attest get \
--predicate-type https://scout.docker.com/virus/v0.1 \
--predicate \
dhi.io/<image>:<tag>
```

> [!NOTE]
>
> If the image exists locally on your device, you must prefix the image name
> with `registry://`. For example, use `registry://dhi.io/python` instead of
> `dhi.io/python`.

For example:

```console
$ docker scout attest get \
--predicate-type https://scout.docker.com/virus/v0.1 \
--predicate \
dhi.io/python:3.13
```

The output is a JSON object containing the scanner used and the base64-encoded
scan report:

```json
{
"scanner": {
"report": "<base64-encoded ClamAV report>",
"uri": "clamav/clamav:stable"
}
}
```

Decoding the report shows the full ClamAV output, ending with a scan summary:

```text
----------- SCAN SUMMARY -----------
Known viruses: 3627833
Engine version: 1.5.2
Scanned directories: 4
Scanned files: 21
Infected files: 0
Data scanned: 44.90 MiB
Data read: 23.88 MiB (ratio 1.88:1)
Time: 11.473 sec (0 m 11 s)
Start Date: 2026:04:12 02:36:19
End Date: 2026:04:12 02:36:30
```

2. Verify the attestation signature. To ensure the attestation is authentic and
signed by Docker, run:

```console
$ docker scout attest get \
--predicate-type https://scout.docker.com/virus/v0.1 \
--verify \
dhi.io/<image>:<tag> --platform <platform>
```

If the attestation is valid, Docker Scout confirms the signature and shows
the matching `cosign verify` command.

To view other attestations, such as SBOMs or test results, see [Verify
an image](../how-to/verify.md).
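Review bot: step 1 fetches the report with `--predicate` and no `--verify`, so the scan summary a reader decodes there is unverified until step 2; either run the `--verify` form first, or add a sentence after the step 1 output saying the report should not be trusted before the signature check in step 2. Related inconsistencies in the same page: step 2 passes `--platform <platform>` but step 1 does not, and a multi-platform tag carries one attestation per platform, so the two commands should take the same flag; "How it works" promises the "virus signature database version", but the sample summary shows only `Engine version: 1.5.2` and a `Known viruses:` count, so either adjust the wording or show the line that carries the database version; "Decoding the report" gives no command, so add one, for example piping the JSON through `jq -r '.scanner.report' | base64 -d`; and the sample summary for `dhi.io/python:3.13` reports `Scanned files: 21` and `Scanned directories: 4`, which readers will struggle to reconcile with "checks all files in the image, including files inside archives", so explain what those counts refer to or pick a sample that does not raise the question.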