mirror of
https://github.com/docker/docs.git
synced 2026-03-27 14:28:47 +07:00
dhi: add cis compliance concept (#23237)
<!--Delete sections as needed -->

## Description

Added CIS Docker concept. Updated index for the concepts.

https://deploy-preview-23237--docsdocker.netlify.app/dhi/core-concepts/cis/
https://deploy-preview-23237--docsdocker.netlify.app/dhi/core-concepts/#compliance-standards

## Related issues or tickets

DHI-620

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Editorial review
- [ ] Product review

Signed-off-by: Craig <craig.osterhout@docker.com>
@@ -20,6 +20,8 @@ params:
description: Learn how build provenance metadata helps trace the origin of Docker Hardened Images and support compliance with SLSA.
icon: track_changes
link: /dhi/core-concepts/provenance/

grid_concepts_compliance:
- title: FIPS
description: Learn how Docker Hardened Images support FIPS 140 by using validated cryptographic modules and providing signed attestations for compliance audits.
icon: verified
@@ -28,6 +30,10 @@ params:
description: Learn how Docker Hardened Images provide STIG-hardened container images with verifiable security scan attestations for government and enterprise compliance requirements.
icon: policy
link: /dhi/core-concepts/stig/
- title: CIS Benchmarks
description: Learn how Docker Hardened Images help you meet Center for Internet Security (CIS) Docker Benchmark requirements for secure container configuration and deployment.
icon: check_circle
link: /dhi/core-concepts/cis/

grid_concepts_risk:
- title: Common Vulnerabilities and Exposures (CVEs)
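Review bot: the card description for the new CIS Benchmarks entry claims DHIs help you meet CIS Docker Benchmark requirements "for secure container configuration and deployment", which is broader than what the new cis.md page in this same PR commits to (image and Dockerfile scope, Section 4 only; host, daemon and runtime controls explicitly out of scope). Narrow the card text so the index does not promise more than the concept page, for example "...help you meet the CIS Docker Benchmark's container image and Dockerfile requirements."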
@@ -84,10 +90,15 @@ and VEX.
Start here if you want to understand how Docker Hardened Images support compliance,
transparency, and security.


## Security metadata and attestations

{{< grid items="grid_concepts_metadata" >}}

## Compliance standards

{{< grid items="grid_concepts_compliance" >}}

## Vulnerability and risk management

{{< grid items="grid_concepts_risk" >}}

53
content/manuals/dhi/core-concepts/cis.md
Normal file
@@ -0,0 +1,53 @@
---
title: CIS Benchmark
description: Learn how Docker Hardened Images comply with the CIS Docker Benchmark to help organizations harden container images for secure deployments.
keywords: docker cis benchmark, cis docker compliance, cis docker images, docker hardened images, secure container images
---

## What is the CIS Docker Benchmark?

The [CIS Docker Benchmark](https://www.cisecurity.org/benchmark/docker) is part
of the globally recognized CIS Benchmarks, developed by the [Center for
Internet Security (CIS)](https://www.cisecurity.org/). It defines recommended secure
configurations for all aspects of the Docker container ecosystem, including the
container host, Docker daemon, container images, and the container runtime.

## Why CIS Benchmark compliance matters

Following the CIS Docker Benchmark helps organizations:

- Reduce security risk with widely recognized hardening guidance.
- Meet regulatory or contractual requirements that reference CIS controls.
- Standardize image and Dockerfile practices across teams.
- Demonstrate audit readiness with configuration decisions grounded in a public standard.

## How Docker Hardened Images comply with the CIS Benchmark

Docker Hardened Images (DHIs) are designed with security in mind and are
verified to be compliant with the relevant controls from the latest CIS
Docker Benchmark (v1.8.0) for the scope that applies to container images and
Dockerfile configuration.

CIS-compliant DHIs are compliant with all controls in Section 4, with the sole
exception of the control requiring Docker Content Trust (DCT), which [Docker
officially retired](https://www.docker.com/blog/retiring-docker-content-trust/).
By starting from a CIS-compliant DHI, teams can adopt image-level best practices
from the benchmark more quickly and confidently.

> [!NOTE]
>
> The CIS Docker Benchmark also includes controls for the host, daemon, and
> runtime. CIS-compliant DHIs address only the image and Dockerfile scope (Section
> 4). Overall compliance still depends on how you configure and operate the
> broader environment.

## Identify CIS-compliant images

CIS-compliant images are labeled as **CIS** in the Docker Hardened Images catalog.
To find them, [explore images](../how-to/explore.md) and look for the **CIS**
designation on individual listings.

## Get the benchmark

Download the latest CIS Docker Benchmark directly from CIS:
https://www.cisecurity.org/benchmark/docker
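Review bot: "the latest CIS Docker Benchmark (v1.8.0)" in the "How Docker Hardened Images comply" section ties a version pin to the word "latest", so the sentence becomes wrong the day CIS publishes a newer revision; state only the version the images were verified against ("the CIS Docker Benchmark v1.8.0") and let the "Get the benchmark" section point readers to the current release. Two smaller points in the same hunk: "CIS-compliant DHIs are compliant with all controls" repeats itself and reads better as "CIS-compliant DHIs satisfy all controls in Section 4", and the final bare URL under "Get the benchmark" should be a markdown link like the two in the first section, since the rest of the page and the DHI docs render links that way.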