Docker Security Team

Securing the Enterprise Software Supply Chain Using Docker

At Docker we have spent a lot of time discussing runtime security and isolation as a core part of the container architecture. However, that is just one aspect of the total software pipeline. Instead of a one-time flag or setting, we need to approach security as something that occurs at every stage of the application lifecycle. Organizations must apply security as a core part of the software supply chain, where people, code and infrastructure are constantly moving, changing and interacting with each other. If you consider a physical product like a phone, it’s not enough to think about the security of the end product. Beyond the decision of what kind of theft-resistant packaging to use, you might want to know where the materials are sourced from and how they are assembled, packaged and transported. Additionally, it is important to ensure…

Online meetup recap: A new model for image distribution

Continuing our Docker Online meetup series centered on the Docker 1.6 release, we are pleased to share the video recording from Tuesday’s webinar with Stephen Day, distribution tech lead at Docker. In this session, Stephen first gives a little history around the first version of the Docker Registry API V1 before introducing the design of the Docker Registry HTTP API V2 and the implementation of Registry 2.0. Stephen ends the talk with a preview of the future of Docker image distribution. Check out the video recording and the slides below for more details!

Scott Johnston

Docker 1.3: signed images, process injection, security options, Mac shared directories

Today we’re pleased to announce the availability of Docker Engine 1.3. With over 750 commits from 45 contributors, this release includes new capabilities as well as lots of quality enhancements. You can get more details in the release notes, but we’ll highlight four of the new features here.

Tech Preview: Digital Signature Verification

First up, in this release the Docker Engine will now automatically verify the provenance and integrity of all Official Repos using digital signatures. Official Repos are Docker images curated and optimized by the Docker community to be the best building blocks for assembling distributed applications. A valid signature provides an added level of trust by indicating that the Official Repo image has not been tampered with. With Official Repos representing one out of every five downloads from the Docker Hub Registry, this cryptographic verification will provide users with an additional assurance of…