Docker Community Forums

Access to public Docker Hub a security issue?

We are evaluating Docker in our organization; we already have a private image repository for our own images.
One question that has been raised is whether we should allow access to the public Docker Hub for images that we do not manage ourselves (any middleware such as Rabbit, Kafka, Rancher etc.).

Where can I find information on this topic?
Is it a no-no to access the public Docker Hub from our own environments?
And if so, should we make copies of the images we want to use and re-package them?

My general feeling on this is that there is a spectrum from “most safe” to “least safe”. On the “most safe” side of the spectrum are things like official images (ubuntu, alpine, java, etc.) which are provided either by Docker, Inc. or by the 3rd parties themselves and are meticulously scanned and evaluated, in addition to being frequently used (and consequently, “battle hardened”). Then there are images that reputable organizations such as Rancher publish to make their own tools more available, which are not “official” Docker library images but are still very high quality.

At the other end of the spectrum are “unsafe” images put together and pushed to the Hub by essentially random users. I’d highly suggest against using any of these as they are of wildly varying quality and in the worst case might even contain malicious code.

At the end of the day, it’s a judgment call for your organization; my suggestion would be to maintain an image “whitelist” of base images that your organization approves. The official images are frequently updated with the latest security patches etc., so using those would save you the pain of “forking” them internally and trying to keep everything up to date as far as security and patch updates go.
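One way to turn the “whitelist” suggested above into an enforceable check, as an added example that is not from this thread: a small Python script that splits Dockerfile `FROM` references the way the Docker CLI does (bare names resolve to `docker.io/library`, so official images are recognisable by namespace) and flags any base image outside an allowlist of official images, a trusted vendor namespace and the organisation’s own registry. The policy, the registry hostname and the sample Dockerfile are all constructed for illustration.

```python
import re

def parse_reference(ref):
    """Split an image reference as the Docker CLI does:
    [registry/][namespace/]repo[:tag][@digest]; a bare name means docker.io/library."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    # The first path component is a registry host only if it looks like one.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    else:
        registry = "docker.io"
    repo, tag = parts[-1], None
    if ":" in repo:
        repo, tag = repo.rsplit(":", 1)
    # Only Docker Hub applies the implicit "library" namespace to bare names.
    namespace = "/".join(parts[:-1]) or ("library" if registry == "docker.io" else "")
    return {"registry": registry, "namespace": namespace, "repo": repo, "tag": tag, "digest": digest}

# Constructed policy: official images (the "library" namespace), one vendor namespace
# the organisation trusts, and its own private registry (placeholder hostname).
POLICY = {"docker.io": {"library", "rancher"}, "registry.example.internal": {"*"}}

def is_allowed(ref, policy=POLICY):
    img = parse_reference(ref)
    allowed = policy.get(img["registry"], set())
    return "*" in allowed or img["namespace"] in allowed

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?",
                     re.IGNORECASE | re.MULTILINE)

def check_dockerfile(text, policy=POLICY):
    """Return the base images in a Dockerfile that the policy does not permit.
    A FROM that names an earlier build stage is an alias, not a registry pull."""
    stages, violations = set(), []
    for m in FROM_RE.finditer(text):
        image, alias = m.group(1), m.group(2)
        if image.lower() not in stages and not is_allowed(image, policy):
            violations.append(image)
        if alias:
            stages.add(alias.lower())
    return violations

# Constructed sample: one official image, one trusted vendor image, one random-user image.
SAMPLE = """FROM golang:1.22 AS builder
FROM rancher/rancher:v2.8.0
FROM someuser/kafka:latest
FROM builder
"""  # check_dockerfile(SAMPLE) -> ['someuser/kafka:latest']
```

Run it as a CI step over every Dockerfile so a build that pulls from an unapproved namespace fails before the image reaches the private repository.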