Mario Ponticello

Understanding Official Repos on Docker Hub


What are Official Repositories?

Official Repositories (“Repos”) are a curated set of image repositories that contain content packaged and maintained directly by Docker, our upstream partners, and the broader community. The repository itself contains the same software you can get directly from the upstream project, but packaged as a Docker repository for distribution on Docker Hub. Currently, there are 74 Official Repos on Docker Hub, and these images have been pulled over 53 million times by users building their applications.

How Official Repos work: Content parity and Official Repo maintenance

Over 95% of Official Repos are at parity with their upstream projects, meaning the Official Repo tags correspond with snapshots of specific releases. The approval process behind Official Repos includes an extensive set of manual and automated tests to check the image for vulnerabilities—beyond the public CVEs associated with release versions—and report them to upstream partners. Regardless of who discovers a vulnerability, the upstream partner is notified and we work together to release a new Official Repo tag that reflects the patch released by the partner. Typically, these new tags are released within 24 hours of major vulnerability updates—including those to address named vulnerabilities like Heartbleed.

If an upstream release persists in having a minor vulnerability, its corresponding Official Repo tag will contain the same vulnerability. Parity between the image content and the upstream release is critical in avoiding forked projects and fragmenting the user base.

Shortcomings of basic vulnerability scanning techniques

Scanning for vulnerabilities in any system is a notoriously difficult problem. A basic approach is to check version numbers against a database of known vulnerabilities, but this leads to misleading results because of the wide variety of version numbering practices.

For example, Debian handles security updates in a way that does not necessarily change the release version number. They generally backport only the security fixes, so 1.0.2-1 becomes 1.0.2-2, instead of 1.0.3. This means that if you run a mysoftware --version command, it will still report 1.0.2 (which might register as containing a CVE), even though a fix has been applied.

Because this pattern varies from suite to suite, evaluating version numbers alone is insufficient, and we recommend also checking against information like “known versions” and the exact repository from which the package originated.
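The pitfall just described, worked through in Python as an added example that is not part of the original post: a check that only compares what `--version` reports against the upstream fix version flags a patched Debian package, while a check that uses the package's origin repository and that repository's own fixed version does not. The advisory record, the package name, the version numbers and the simplified dpkg-style comparison are constructed for illustration.

```python
import re
from typing import NamedTuple

class DebVersion(NamedTuple):
    epoch: int
    upstream: str   # what `mysoftware --version` reports, e.g. 1.0.2
    revision: str   # Debian revision, e.g. 1 or 2; bumped on backported fixes

def parse_deb_version(v: str) -> DebVersion:
    """Split [epoch:]upstream[-revision] (simplified Debian policy form)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:                      # no '-' at all: native package
        upstream, revision = revision, ""
    return DebVersion(epoch, upstream, revision)

def _cmp_part(a: str, b: str) -> int:
    """dpkg-style compare of alternating digit/non-digit runs (no '~' rule)."""
    ta, tb = re.findall(r"\d+|\D+", a), re.findall(r"\d+|\D+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)         # 10 sorts after 9, not before 2
        if x != y:
            return (x > y) - (x < y)
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def deb_cmp(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b."""
    va, vb = parse_deb_version(a), parse_deb_version(b)
    if va.epoch != vb.epoch:
        return (va.epoch > vb.epoch) - (va.epoch < vb.epoch)
    return _cmp_part(va.upstream, vb.upstream) or _cmp_part(va.revision, vb.revision)

# Constructed advisory record (placeholder id, hypothetical package):
# upstream fixed the flaw in 1.0.3; Debian backported the fix as 1.0.2-2.
ADVISORY = {"id": "CVE-XXXX-YYYY", "upstream_fixed": "1.0.3",
            "fixed_in_repo": {"debian": "1.0.2-2"}}

def naive_is_vulnerable(reported_version: str, advisory: dict) -> bool:
    """Version-number-only check: `--version` output vs. the upstream fix."""
    return _cmp_part(reported_version, advisory["upstream_fixed"]) < 0

def repo_aware_is_vulnerable(package_version: str, origin: str, advisory: dict) -> bool:
    """Full package version vs. the fix actually shipped by its origin repo."""
    fixed = advisory["fixed_in_repo"].get(origin)
    if fixed is None:                     # origin unknown: fall back to upstream rule
        return naive_is_vulnerable(parse_deb_version(package_version).upstream, advisory)
    return deb_cmp(package_version, fixed) < 0
```

Running `naive_is_vulnerable("1.0.2", ADVISORY)` returns True for the patched 1.0.2-2 package (a false positive), while `repo_aware_is_vulnerable("1.0.2-2", "debian", ADVISORY)` returns False and the unpatched 1.0.2-1 still returns True.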

Pulling images from Official Repos

When users pull Official Repos, they receive the latest tag by default. This is a version of the repo that reflects the latest submitted stable release of the upstream project. Each repo’s page on Docker Hub also lists a collection of supported tags—these are versions of the repo that are still actively maintained. Repo maintainers release new tags when older ones fall out of parity with upstream projects or are found to contain known vulnerabilities.

Docker security policies and practices

Docker has a responsible disclosure security policy. As a broader Docker community, we work together in identifying and addressing issues within the Docker Platform and content hosted on Docker Hub. We aim to address vulnerabilities as quickly as possible and work with upstream partners to release updated, secure Official Repos tags. Ensuring security and quality of Dockerized content is just one step in securing your application environment.

Docker aims to enable users to build, ship and run secure applications anywhere. To do that, we are taking a holistic approach that includes platform features, best-practice content and benchmarking tools. To better understand the security characteristics of containers, download the Docker white paper Introduction to Container Security. You can also more securely configure your Docker environment by running the Docker Bench. It contains an automated assessment tool that evaluates a Docker host using the guidelines outlined in the Center for Internet Security Docker 1.6 Benchmark.
