Using Docker Hub Responsibly: 4 Security Best Practices

Docker Hub can be a boon to DevOps teams, but also presents a security risk. Learn 4 best practices that can help you use Docker Hub without compromising security.

January 26, 2022

What Is Docker Hub?

Docker Hub is a cloud-based repository that lets you create, test, store, and deploy Docker container images. It provides access to public open source image repositories and lets you create your own private repositories.

You can use Docker Hub to download containerized versions of many popular open source software packages. If you need a customized version of a software program or need to run your own proprietary code, you can create your own images and save them in a personal repository.

Docker Hub is a cloud-hosted version of the Docker Registry—an open source container repository which you can install on-premises. If you don’t want to use Docker Hub, you can deploy Docker Registry and use it to manage container images yourself.

Docker Hub provides tremendous flexibility and convenience for DevOps teams but, at the same time, can introduce significant security risks. Images from public container repositories may contain vulnerabilities, and may have been tampered with by attackers. We’ll provide several best practices that can help you use Docker Hub securely.

Docker Hub Features

Docker Hub provides the following key features:

  • Repositories—let you store and share container images with your team or others in the Docker community. Each repository can hold a large number of images, organized by tags.
  • Teams and Organizations—you can create an organization entity in Docker Hub and, within it, one or more teams that contain Docker Hub users. This lets you control access to your private repositories or specific images. 
  • Docker Official Images—these are curated Docker images that provide base operating system images, programming language runtimes, and open source data stores. Official Docker Images are reviewed and published by the Docker Library Project. They use Dockerfile best practices, provide clear documentation, and are regularly updated.
  • Docker Verified Publisher Program—this program allows software vendors to open official repositories on Docker Hub to distribute validated container images. Repositories with the Verified Publisher badge are created and signed by a trusted software vendor, reducing the chance of pulling malicious or vulnerable images.
  • Automated Builds—Docker Hub lets you automatically create images from source code in an external repository. You can define branches and tags in a Git repository indicating which code should be built into a Docker image and, when you push code, a webhook triggers a new build on Docker Hub. 
  • Webhooks—allow you to trigger an action in other services when an image is pushed to a Docker Hub repository. This could be used to do things like triggering software tests on all new images.

Why Use Docker Hub?

There are some notable advantages of using Docker Hub, including:

Trusted sources 

Docker Hub enables users to access various types of trusted images, which are reviewed for security and quality standards. These types include: 

  • Verified Publisher images—the software vendor is verified by Docker.
  • Docker Certified images—Docker verifies and checks the images against best practices and known vulnerabilities.
  • Official images—curated by Docker, helping developers to establish a strong foundation within their project, based upon a collection of essential base images and best practices.

Each type of image offers a different level of trust. You can reference these trust levels when choosing images to download or when publishing an image on Docker Hub. 

Free tier

Docker Hub’s free tier makes useful capabilities of container repositories accessible, providing: 

  • Unlimited public repositories 
  • One private repository with a maximum of three collaborators. 

You can leverage basic testing capabilities within the free tier, and get familiar with the functions and user experience of Docker Hub. However, the terms of service applicable to free tier accounts limit the number of pushes and pulls allowed per six hours. This limitation makes the free tier unsuitable for most modern development and DevOps workflows.

Security features

Docker Hub allows all accounts to benefit from local image vulnerability scans. However, only team accounts can access audit logs and use multifactor authentication (MFA) to secure their repositories.

CI/CD features

Docker Hub supports Bitbucket and GitHub integrations, as well as automated tests and build triggers. It also lets you use webhooks to automate development pipelines and integrate with your continuous integration/continuous delivery (CI/CD) pipelines.

Despite these advantages, Docker Hub does not cover every scenario that many development teams find useful or necessary, including:

  • Storing images on-premises to reduce latency or for data sovereignty reasons. 
  • Caching images locally to reduce latency or bandwidth consumption. 

4 Best Practices for Docker Hub Security

Here are a few best practices you can use to mitigate container image security risks with Docker Hub.

Choose the Right Base Image

Docker Hub includes over 8 million repositories from which you can choose a base image that meets your needs. Here are two best practices to help you choose the right base image for your project:

  • Use a trusted source—Docker Hub provides several certificates that categorize images according to trust levels. Official images, curated by Docker, offer the highest level of trust. Alternatively, you can use Docker Certified images that are checked and verified against Docker’s standards or Verified Publisher images. 
  • Choose the smallest image—the base image must meet the requirements set for your use case. However, you should look for the smallest base image that matches your requirements. A small base image offers portability and fast downloads, reduces image size, and can minimize the risk of vulnerabilities by reducing the number of associated dependencies which may, themselves, be vulnerable.

Use Multi-Stage Builds

Multi-stage builds aim to create an optimized Dockerfile that is easy to read and maintain. At each stage of the multi-stage build, you can use a different image that contains the artifacts needed at that stage of the development process.

You can use multiple FROM statements in your Dockerfile, and each FROM can have a different base image. You can then copy artifacts, such as compiled programs, from one stage to another, ensuring their availability in the final container image.

This method not only greatly reduces complexity, but also avoids including development tools in production images, reducing their attack surface. It allows you to be selective about the artifacts used in production, without automatically inheriting vulnerabilities from dependent base images.
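
The following check is an added example, not code from the original article: it embeds a constructed two-stage Dockerfile and audits it for the points made in the last two sections (trusted base image, more than one stage, no build tools in the final stage). The TRUSTED_NAMESPACES allowlist and the BUILD_TOOLS pattern are assumptions; a reference without a namespace is treated as a Docker Official Image, which Docker Hub serves from its library/ namespace.

```python
import re

# Constructed sample: the toolchain stays in "build"; only the binary reaches the final image.
SAMPLE = """\
FROM golang:1.21-alpine AS build
WORKDIR /src
COPY . .
RUN go build -o /out/app .

FROM alpine:3.19
COPY --from=build /out/app /usr/local/bin/app
USER nobody
ENTRYPOINT ["/usr/local/bin/app"]
"""
TRUSTED_NAMESPACES = {"library"}  # assumption: extend with publishers you have vetted
BUILD_TOOLS = re.compile(r"\b(gcc|make|build-essential|build-base|git)\b")  # assumed list
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)


def parse_stages(text):
    """Split a Dockerfile into stages: base image, optional alias, instructions."""
    stages = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = FROM_RE.match(line)
        if m:
            stages.append({"image": m.group(1), "alias": m.group(2), "lines": []})
        elif stages and line and not line.startswith("#"):
            stages[-1]["lines"].append(line)
    return stages


def audit(text):
    """Return findings about base-image source and what the final stage contains."""
    stages, findings = parse_stages(text), []
    aliases = {s["alias"].lower() for s in stages if s["alias"]}
    for s in stages:
        image = s["image"]
        if image == "scratch" or image.lower() in aliases:
            continue  # empty image, or built on top of an earlier stage
        name = image.partition("@")[0].removeprefix("docker.io/")
        namespace = name.split("/")[0] if "/" in name else "library"
        if namespace not in TRUSTED_NAMESPACES:
            findings.append(f"untrusted-source: {image}")
    if len(stages) < 2:
        findings.append("single-stage: build tools ship with the application")
    final = stages[-1]["lines"] if stages else []
    if any(l.upper().startswith("RUN") and BUILD_TOOLS.search(l) for l in final):
        findings.append("build-tools-in-final-stage")
    return findings
```

Verified Publisher status cannot be read from an image name, so those publishers have to be added to the allowlist explicitly.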

Scan Images During Development

Whenever you create an image from a Dockerfile and rebuild the image, you can introduce new vulnerabilities to your system. Scanning Docker images during the development process should be mandatory, ensuring that you discover vulnerabilities early in the development process. 

Images should, however, be scanned at all stages of the development cycle, since vulnerable dependencies can be resolved into the project during build. With this in mind, consider configuring automatic scanning during the build process before pushing images to Docker Hub (or another registry) and, finally, before pushing them to production.
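
One way to turn a scan into a build gate, shown as an added example rather than code from the original article: the function reads a report in the JSON shape Trivy produces with `--format json` and decides whether the push may proceed. The report below is constructed, its package names and IDs are placeholders, and the threshold, the `accepted` allowlist and the unfixed-findings rule are assumed policy choices.

```python
import json

# Constructed report in the shape Trivy writes with `--format json`.
# Package names and vulnerability IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/team/app:1.4.2",
    "Results": [
        {"Target": "app (alpine 3.19)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample-a",
             "InstalledVersion": "3.1.0", "FixedVersion": "3.1.5", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample-b",
             "InstalledVersion": "1.36.0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample-c",
             "InstalledVersion": "1.3", "FixedVersion": "1.3.1", "Severity": "LOW"},
        ]},
        {"Target": "usr/local/bin/app"},  # clean targets carry no Vulnerabilities key
    ],
})
RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def blocking_findings(report_json, threshold="HIGH", accepted=frozenset(), ignore_unfixed=True):
    """Return the findings that should stop the image from being pushed."""
    blocked = []
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if RANK.get(vuln.get("Severity"), 0) < RANK[threshold]:
                continue  # below the severity the team has agreed to block on
            if vuln["VulnerabilityID"] in accepted:
                continue  # risk formally accepted (hypothetical allowlist)
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no patched version yet: a rebuild cannot fix it
            blocked.append((vuln["VulnerabilityID"], vuln["PkgName"], result["Target"]))
    return blocked


def gate(report_json, **policy):
    """Exit status for the CI step: 0 lets the push proceed, 1 fails the build."""
    return 1 if blocking_findings(report_json, **policy) else 0


if __name__ == "__main__":
    for finding in blocking_findings(SAMPLE_REPORT):
        print("BLOCK", *finding)
    raise SystemExit(gate(SAMPLE_REPORT))
```

Findings skipped because no fix exists still belong in a tracked report, so they are picked up once a patched version is published.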

Scan Images in Production

Proactively and consistently analyzing your container images is critical to discovering new vulnerabilities. Failure to do so could put your production system at risk as new vulnerabilities and exploits are published. Remember that even if an image did not have vulnerabilities at the time of the last scan, as new vulnerabilities are discovered, an image’s security risk posture can change as well. 

Maintain a software bill of materials (SBOM) for each image and ensure that you are alerted to new vulnerabilities impacting previously scanned images and BOMs. Fix the detected vulnerabilities in the images and re-deploy running containers based on the updated secure image.
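
The SBOM workflow described above, sketched as an added example (not code from the original article): newly published advisories are matched against stored SBOMs, and the result is mapped to the running containers that need redeploying. All image references, package names and advisory IDs are constructed placeholders, the advisory record layout is an assumption, and the version comparison is a numeric simplification.

```python
import re

# Constructed inventory: one CycloneDX-style SBOM per image, recorded at build time.
# Image references, package names and advisory IDs are placeholders.
SBOMS = {
    "team/api@sha256:<digest-a>": {"bomFormat": "CycloneDX", "components": [
        {"name": "libexample-tls", "version": "2.4.0"},
        {"name": "libexample-json", "version": "1.9.2"}]},
    "team/worker@sha256:<digest-b>": {"bomFormat": "CycloneDX", "components": [
        {"name": "libexample-tls", "version": "2.4.1"}]},
}
# Constructed deployment state: container name -> image it was started from.
RUNNING = {"api-7f9c": "team/api@sha256:<digest-a>",
           "worker-1b2d": "team/worker@sha256:<digest-b>"}
# Advisories published after both images passed their last scan (assumed record layout).
NEW_ADVISORIES = [{"id": "ADV-0000-0001", "package": "libexample-tls", "fixed_in": "2.4.1"}]


def version_key(version):
    """Numeric sort key for dotted versions (simplification: ecosystems differ)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def affected_images(sboms, advisories):
    """Match new advisories against stored SBOMs without re-pulling any image."""
    hits = {}
    for image, bom in sboms.items():
        for comp in bom.get("components", []):
            for adv in advisories:
                if (comp["name"] == adv["package"]
                        and version_key(comp["version"]) < version_key(adv["fixed_in"])):
                    hits.setdefault(image, []).append(
                        (adv["id"], comp["name"], comp["version"]))
    return hits


def redeploy_plan(sboms, advisories, running):
    """Containers to replace once their image has been rebuilt with the fix."""
    hits = affected_images(sboms, advisories)
    return sorted(name for name, image in running.items() if image in hits)


if __name__ == "__main__":
    print(affected_images(SBOMS, NEW_ADVISORIES))
    print(redeploy_plan(SBOMS, NEW_ADVISORIES, RUNNING))
```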

Docker Hub Security with Aqua

Aqua Security provides solutions and tools to help enterprises and developers secure container images and other cloud native artifacts, without changing established workflows. Aqua Trivy is an open source vulnerability scanner that makes container image security an accessible reality. You may leverage Aqua Trivy from many open source repositories, including Docker Hub. Aqua extends these capabilities with its commercially available cloud native application protection platform (CNAPP), with automated scanning and detection of new images as they’re checked into repositories. You can continue on to learn more about Docker security best practices, or review Aqua’s solutions for Docker container image vulnerability scanning.