Information
You should ensure that container images you use are either written from scratch or are based on another established and trusted base image downloaded over a secure channel.
Rationale:
Official repositories contain Docker images curated and optimized by the Docker community or by their vendor. There is no guarantee that these images are safe and do not contain security vulnerabilities or malicious code. Caution should therefore be exercised when obtaining container images from Docker and third parties, and the decision to run these images should be reviewed in line with organizational security policy.
Impact:
None.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
The following procedures are useful for establishing trust for a specific image.
Configure and use Docker Content Trust so that pulled images are signature-verified.
View the history of each Docker image to evaluate its risk, dependent on the sensitivity of the application you wish to deploy using it.
Scan Docker images for vulnerabilities at regular intervals.
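One way to enforce the first point of this recommendation in a build pipeline, as an added example that is not part of the benchmark or of the Nessus plugin: a POSIX shell check that every FROM line in a Dockerfile is either scratch, a previously declared build stage, or an image from an approved registry pinned by sha256 digest. ALLOWED_REGISTRIES is an assumed organisational allow-list (not a Docker setting), and the sample Dockerfiles and digest are constructed placeholders.

```shell
#!/bin/sh
# Added example: check that every FROM in a Dockerfile is "scratch", an earlier build stage,
# or an image from an approved registry pinned by sha256 digest (CIS "trusted base image").
# ALLOWED_REGISTRIES is an assumed organisational allow-list, not a Docker setting.
ALLOWED_REGISTRIES="docker.io registry.example.com"
trusted_ref() {                         # image ref must be allow-listed and digest-pinned
  case "$1" in */*) first="${1%%/*}" ;; *) first="" ;; esac
  case "$first" in *.*|*:*|localhost) registry="$first" ;; *) registry="docker.io" ;; esac
  case " $ALLOWED_REGISTRIES " in *" $registry "*) ;; *) return 1 ;; esac
  case "$1" in *@sha256:*) ;; *) return 1 ;; esac   # a mutable tag alone is not enough
  printf '%s' "${1##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$'
}
check_dockerfile() {                    # returns 0 if every FROM passes policy
  file="$1" stages="" rc=0 n=0
  set -f                                # no globbing while splitting FROM lines
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in [Ff][Rr][Oo][Mm][[:space:]]*) ;; *) continue ;; esac
    set -- $line; shift                 # drop the FROM keyword
    while [ $# -gt 0 ]; do case "$1" in --*) shift ;; *) break ;; esac; done  # skip --platform=...
    ref="$1" alias=""
    if [ $# -ge 3 ] && [ "$(printf '%s' "$2" | tr 'a-z' 'A-Z')" = "AS" ]; then alias="$3"; fi
    case "$ref" in
      scratch) ;;                                   # built from nothing: allowed
      *) case " $stages " in
           *" $ref "*) ;;                           # reference to an earlier build stage
           *) trusted_ref "$ref" || { echo "line $n: untrusted base image '$ref'" >&2; rc=1; } ;;
         esac ;;
    esac
    if [ -n "$alias" ]; then stages="$stages $alias"; fi
  done < "$file"
  set +f
  return "$rc"
}
# Constructed sample Dockerfiles; the digest is a placeholder, not a real image digest.
tmp=$(mktemp -d)
cat > "$tmp/good.Dockerfile" <<'EOF'
FROM docker.io/library/golang:1.22@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS build
FROM scratch
EOF
cat > "$tmp/bad.Dockerfile" <<'EOF'
FROM --platform=linux/amd64 ghcr.io/someone/base:latest
FROM alpine:3.19 as tools
FROM tools
EOF
for f in good bad; do
  if check_dockerfile "$tmp/$f.Dockerfile"; then echo "$f: OK"; else echo "$f: policy violations"; fi
done
```

Run it against each Dockerfile in a repository before the image build step; a non-zero exit lists the offending FROM lines on stderr.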
Default Value:
Not Applicable.