Enable Content trust for Docker

Details

Content trust is disabled by default. You should enable it.

Rationale:

Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags. This ensures provenance of container images.

Solution

To enable content trust in a bash shell, enter the following command:

export DOCKER_CONTENT_TRUST=1

Alternatively, set this environment variable in your profile file so that content trust is enabled on every login.
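The following script is an added example, not part of the benchmark text: it audits whether the current shell has content trust enabled and persists the export line to a profile file without duplicating it on repeated runs. The function names and the profile path passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit and remediate the
# DOCKER_CONTENT_TRUST setting. Function names and the profile path
# argument are illustrative assumptions.

# Return 0 when the given value means content trust is enabled ("1"),
# 1 otherwise (unset, empty, or any other value such as "0" or "true").
content_trust_enabled() {
    [ "$1" = "1" ]
}

# Audit the running shell: print PASS/FAIL and return 0/1 accordingly.
audit_content_trust() {
    if content_trust_enabled "${DOCKER_CONTENT_TRUST:-}"; then
        echo "PASS: DOCKER_CONTENT_TRUST=1"
        return 0
    fi
    echo "FAIL: DOCKER_CONTENT_TRUST is '${DOCKER_CONTENT_TRUST:-unset}'"
    return 1
}

# Idempotently add the export line to a profile file (e.g. ~/.profile)
# so the setting survives new logins. Safe to run repeatedly.
persist_content_trust() {
    profile="$1"
    line='export DOCKER_CONTENT_TRUST=1'
    touch "$profile"
    if grep -qx "$line" "$profile"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$profile"
}

# Count exact occurrences of the export line in a profile file; prints 0
# when the file is missing or contains no match.
count_export_lines() {
    if [ ! -f "$1" ]; then
        echo 0
        return 0
    fi
    grep -cx 'export DOCKER_CONTENT_TRUST=1' "$1" || true
}

# Usage: audit this shell, then persist to the profile given as $1.
if [ -n "${1:-}" ]; then
    audit_content_trust || true
    persist_content_trust "$1"
    echo "export lines in $1: $(count_export_lines "$1")"
fi
```

Run it as `sh enable_trust.sh ~/.profile`; the audit reports the state of the current shell, and the persist step appends the export line only if it is not already present verbatim.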

Impact:

In an environment where DOCKER_CONTENT_TRUST is set, you are required to follow trust procedures while working with images (build, create, pull, push and run). You can use the --disable-content-trust flag to run individual operations on tagged images without content trust on an as-needed basis, but that defeats the purpose of enabling content trust and hence should be avoided wherever possible.

Note: Content trust is currently only available for users of the public Docker Hub. It is currently not available for the Docker Trusted Registry or for private registries.

Default Value:

By default, content trust is disabled.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.


Updated on July 16, 2022