Docker Hub Hardening Guide
Container registry security for access tokens, image signing, and repository controls
Overview
Docker Hub is the largest public container registry, hosting millions of images. Research in 2024 found 10,456 images exposing secrets, including 4,000 AI model API keys. The 2019 breach affected 190,000 accounts, and OAuth tokens for autobuilds remain perpetual attack vectors. TeamTNT attacks (2021-2022) used compromised accounts to distribute cryptomining malware, with 150,000+ malicious image pulls.
Intended Audience
- Security engineers managing container security
- DevOps engineers configuring container registries
- GRC professionals assessing container supply chain
- Platform teams managing Docker infrastructure
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls (use private registry)
1. Authentication & Access Controls
1.1 Enforce MFA and SSO
Profile Level: L1 (Baseline) NIST 800-53: IA-2(1)
Description
Require MFA for Docker Hub accounts, especially those with push access.
Rationale
Why This Matters:
- 2019 breach affected 190,000 accounts
- Compromised accounts distribute malicious images
- TeamTNT used compromised accounts for cryptomining malware
ClickOps Implementation
Step 1: Enable MFA
- Navigate to: Account Settings → Security
- Enable: Two-Factor Authentication
- Configure TOTP or security key
Step 2: Configure SSO (Business)
- Navigate to: Organization → Settings → Security
- Configure SAML SSO
- Enforce SSO for all members
1.2 Implement Access Tokens
Profile Level: L1 (Baseline) NIST 800-53: IA-5
Description
Use personal access tokens instead of passwords for automation.
ClickOps Implementation
Step 1: Create Scoped Tokens
- Navigate to: Account Settings → Security → Access Tokens
- Create tokens with minimum permissions:
  - Read-only: For CI/CD pulls
  - Read/Write: For builds (specific repos)
Step 2: Rotate Tokens
| Token Type | Rotation |
|---|---|
| CI/CD pull | Quarterly |
| Build/push | Monthly |
2. Image Security
2.1 Enable Docker Scout
Profile Level: L1 (Baseline) NIST 800-53: RA-5
Description
Use Docker Scout for vulnerability scanning.
Implementation
```bash
# Show base image update recommendations for the image
docker scout recommendations myimage:latest
# Check for vulnerabilities
docker scout cves myimage:latest
```
2.2 Image Signing (Content Trust)
Profile Level: L2 (Hardened) NIST 800-53: SI-7
Description
Enable Docker Content Trust for image signing.
```bash
# Enable content trust
export DOCKER_CONTENT_TRUST=1
# Sign and push image
docker push myorg/myimage:latest
```
3. Repository Security
3.1 Private Repository Configuration
Profile Level: L1 (Baseline)
ClickOps Implementation
- Set repositories to Private by default
- Configure team access (not individual)
- Audit repository permissions quarterly
3.2 Prevent Secret Exposure
Profile Level: L1 (Baseline)
Implementation
- Scan images for secrets before push
- Use multi-stage builds
- Never include credentials in Dockerfiles
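```dockerfile
# Good: mount the secret at build time; it is not stored in an image layer.
# Build with: docker build --secret id=api_key,src=<path to secret file> .
# The secret is readable at /run/secrets/api_key only while this RUN executes.
RUN --mount=type=secret,id=api_key ./configure
# Bad: never do this (ENV values persist in the image config)
ENV API_KEY=secret123
```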
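A pre-push check for the "never include credentials in Dockerfiles" rule above, added here as an example that is not part of the original guide. The name heuristic, the function names and the sample Dockerfile are assumptions constructed for illustration; it flags credential-like `ENV` and `ARG` entries and leaves `RUN --mount=type=secret` alone.

```python
import re
import shlex

# Heuristic list of credential-like variable names (an assumption of this example).
SECRET_NAME = re.compile(r"(?i)api[_-]?key|secret|token|passw(or)?d|credential|private[_-]?key")

# Constructed sample Dockerfile; reported line numbers refer to it.
SAMPLE = r"""FROM alpine:3.20
ARG API_KEY
ENV APP_MODE=prod \
    DB_PASSWORD=hunter2
RUN --mount=type=secret,id=api_key ./configure
ENV API_KEY=secret123
"""

def logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = n if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def audit_dockerfile(text):
    """Return (line, instruction, name) for ENV/ARG entries that look like credentials."""
    findings = []
    for n, instr in logical_lines(text):
        parts = instr.split(None, 1)
        if len(parts) != 2 or parts[0].upper() not in ("ENV", "ARG"):
            continue
        op, tokens = parts[0].upper(), shlex.split(parts[1])
        if op == "ENV" and "=" not in tokens[0]:
            names = [tokens[0]]          # legacy "ENV KEY value" form
        else:
            names = [t.split("=", 1)[0] for t in tokens]
        # ENV values persist in the image config; ARG values show up in `docker history`.
        findings += [(n, op, name) for name in names if SECRET_NAME.search(name)]
    return findings

if __name__ == "__main__":
    for line, op, name in audit_dockerfile(SAMPLE):
        print(f"line {line}: {op} {name} exposes a credential; use RUN --mount=type=secret")
```

Run it in CI before `docker build` and fail the job when the returned list is non-empty.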
4. Monitoring & Detection
4.1 Audit Logging
Profile Level: L1 (Baseline) NIST 800-53: AU-2
Detection Focus
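```sql
-- Detect unusual push activity: more than 10 pushes by one user to one repository in the last hour
-- "user" is quoted because it is a reserved word in PostgreSQL (unquoted, it returns the current role)
SELECT "user", repository, COUNT(*) AS push_count
FROM docker_audit_log
WHERE action = 'push'
  AND "timestamp" > NOW() - INTERVAL '1 hour'
GROUP BY "user", repository
HAVING COUNT(*) > 10;
```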
Appendix A: Recommendation for High-Security
For high-security environments, consider:
- Private container registry (Harbor, ECR, GCR, ACR)
- Air-gapped registry for production
- Image signing with Sigstore/Cosign
- Supply chain attestations (SLSA)
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-12-14 | 0.1.0 | draft | Initial Docker Hub hardening guide | Claude Code (Opus 4.5) |