This page explains how to set up and enable Docker Security Scanning on an existing installation of Mirantis Secure Registry.
These instructions assume that you have already installed Mirantis Secure Registry, and have access to an account on the MSR instance with administrator access.
Before you begin, make sure that you or your organization has purchased a MSR license that includes Docker Security Scanning, and that your Docker ID can access and download this license from the Docker Hub.
If you are using a license associated with an individual account, no
additional action is needed. If you are using a license associated with
an organization account, you may need to make sure your Docker ID is a
member of the Owners
team. Only Owners
team members can download
license files for an Organization.
If you will be allowing the Security Scanning database to update itself
automatically, make sure that the server hosting your MSR instance can
access https://dss-cve-updates.docker.com/
on the standard https
port 443.
If your MSR instance already has a license that includes Security Scanning, skip this section and proceed to ** Enable MSR security scanning**.
Tip
To check if your existing MSR license includes scanning, navigate to the MSR Settings page, and click Security. If an “Enable scanning” toggle appears, the license includes scanning.
If your current MSR license doesn’t include scanning, you must first download the new license.
Log in to the Docker Hub using a Docker ID with access to the license you need.
In the top right corner, click your user account icon, and select My Content.
Locate Docker Enterprise Edition in the content list, and click Setup.
Click License Key to download the license.
Next, install the new license on the MSR instance.
To enable security scanning in MSR:
Log in to your MSR instance with an administrator account.
Click Settings in the left navigation.
Click the Security tab.
Click the Enable scanning toggle so that it turns blue and says “on”.
Next, provide a security database for the scanner. Security scanning will not function until MSR has a security database to use.
By default, security scanning is enabled in Online mode. In this
mode, MSR attempts to download a security database from a Docker
server. If your installation cannot access
https://dss-cve-updates.docker.com/
you must manually upload a
.tar
file containing the security database.
Online
mode, the MSR instance will contact a
Docker server, download the latest vulnerability database, and
install it. Scanning can begin once this process completes.Offline
mode, use the instructions in Update
scanning database - offline mode to upload an initial security database.By default when Security Scanning is enabled, new repositories will
automatically scan on docker push
. If you had existing repositories
before you enabled security scanning, you might want to change
repository scanning behavior.
Two modes are available when Security Scanning is enabled:
Scan on push & Scan manually
: the image is re-scanned on each
docker push
to the repository, and whenever a user with write
access clicks the Start Scan links or Scan button.Scan manually
: the image is scanned only when a user with
write
access clicks the Start Scan links or Scan button.By default, new repositories are set to Scan on push & Scan manually
, but
you can change this setting during repository creation.
Any repositories that existed before scanning was enabled are set to
Scan manually
mode by default. If these repositories are still in
use, you can change this setting from each repository’s Settings
page.
Note
To change an individual repository’s scanning mode, you must have write
or admin
access to the repo.
To change an individual repository’s scanning mode:
Docker Security Scanning indexes the components in your MSR images and compares them against a known CVE database. When new vulnerabilities are reported, Docker Security Scanning matches the components in new CVE reports to the indexed components in your images, and quickly generates an updated report.
Users with administrator access to MSR can check when the CVE database was last updated from the Security tab in the MSR Settings pages.
By default Docker Security Scanning checks automatically for updates to the vulnerability database, and downloads them when available. If your installation does not have access to the public internet, use the Offline mode instructions below.
To ensure that MSR can access these updates, make sure that the host can
reach https://dss-cve-updates.docker.com/
on port 443 using https.
MSR checks for new CVE database updates at 3:00 AM UTC every day. If an update is found it is downloaded and applied without interrupting any scans in progress. Once the update is complete, the security scanning system looks for new vulnerabilities in the indexed components.
To set the update mode to Online:
Your choice is saved automatically.
Tip
MSR also checks for CVE database updates when scanning is first enabled, and when you switch update modes. If you need to check for a CVE database update immediately, you can briefly switch modes from online to offline and back again.
To update the CVE database for your MSR instance when it cannot contact
the update server, you download and install a .tar
file that
contains the database updates. To download the file:
Log in to Docker Hub.
If you are a member of an Organization managing licenses using Docker
Hub, make sure your account is a member of the Owners
team. Only
Owners can view and manage licenses and other entitlements for
Organizations from Docker Hub.
In the top right corner, click your user account icon, and select My Content.
If necessary, select an organization account from the Accounts menu at the upper right.
Locate your Docker EE Advanced subscription or trial.
Click Setup button.
Click Download CVE Vulnerability Database link to download the database file.
To manually update the MSR CVE database from a .tar
file:
.tar
file that you received, and click
Open.MSR installs the new CVE database, and begins checking already indexed images for components that match new or updated vulnerabilities.
Tip
The Upload button is unavailable while MSR applies CVE database updates.
To change the update mode:
Your choice is saved automatically.