diff --git a/datacenter/dtr/2.2/guides/images/scanning-images-1.png b/datacenter/dtr/2.2/guides/images/scanning-images-1.png new file mode 100644 index 00000000000..e47437051c1 Binary files /dev/null and b/datacenter/dtr/2.2/guides/images/scanning-images-1.png differ diff --git a/datacenter/dtr/2.2/guides/images/scanning-images-2.png b/datacenter/dtr/2.2/guides/images/scanning-images-2.png new file mode 100644 index 00000000000..827ec79c360 Binary files /dev/null and b/datacenter/dtr/2.2/guides/images/scanning-images-2.png differ diff --git a/datacenter/dtr/2.2/guides/images/scanning-images-3.png b/datacenter/dtr/2.2/guides/images/scanning-images-3.png new file mode 100644 index 00000000000..1020010c09b Binary files /dev/null and b/datacenter/dtr/2.2/guides/images/scanning-images-3.png differ diff --git a/datacenter/dtr/2.2/guides/images/scanning-images-4.png b/datacenter/dtr/2.2/guides/images/scanning-images-4.png new file mode 100644 index 00000000000..97bc9ad1f57 Binary files /dev/null and b/datacenter/dtr/2.2/guides/images/scanning-images-4.png differ diff --git a/datacenter/dtr/2.2/guides/images/scanning-images-5.png b/datacenter/dtr/2.2/guides/images/scanning-images-5.png new file mode 100644 index 00000000000..2092e07db7d Binary files /dev/null and b/datacenter/dtr/2.2/guides/images/scanning-images-5.png differ diff --git a/datacenter/dtr/2.2/guides/images/scanning-images-6.png b/datacenter/dtr/2.2/guides/images/scanning-images-6.png new file mode 100644 index 00000000000..b020182b841 Binary files /dev/null and b/datacenter/dtr/2.2/guides/images/scanning-images-6.png differ diff --git a/datacenter/dtr/2.2/guides/user/manage-images/scan-images-for-vulnerabilities.md b/datacenter/dtr/2.2/guides/user/manage-images/scan-images-for-vulnerabilities.md index 11bb8eb14f1..a878d37dd3c 100644 --- a/datacenter/dtr/2.2/guides/user/manage-images/scan-images-for-vulnerabilities.md +++ b/datacenter/dtr/2.2/guides/user/manage-images/scan-images-for-vulnerabilities.md 
@@ -13,7 +13,8 @@ Scanning. The results of these scans are reported for each image tag. Docker Security Scanning is available as an add-on to Docker Trusted Registry, and an administrator configures it for your DTR instance. If you do not see security scan results available on your repositories, your organization may not -have purchased the Security Scanning feature or it may be disabled. +have purchased the Security Scanning feature or it may be disabled. See [Set up +Security Scanning in DTR](../../admin/configure/set-up-vulnerability-scans.md) for more details. > **Tip**: Only users with write access to a repository can manually start a scan. Users with read-only access can view the scan results, but cannot start 
@@ -21,19 +22,27 @@ a new scan. ## The Docker Security Scan process -Scans run either on demand when a user clicks the **Start Scan** links or -**Scan** button, or automatically on any `docker push` to the repository. +Scans run either on demand when a user clicks the **Start a Scan** links or +**Scan** button (see [Manual scanning](#manual-scanning) below), or automatically +on any `docker push` to the repository. First the scanner performs a binary scan on each layer of the image, identifies -the software components in each layer, and indexes the SHA of each component. A -binary scan evaluates the components on a bit-by-bit level, so vulnerable -components are discovered no matter what they're named or statically-linked. +the software components in each layer, and indexes the SHA of each component in a +bill-of-materials. A binary scan evaluates the components on a bit-by-bit level, +so vulnerable components are discovered even if they are statically-linked or +under a different name. + +[//]: # (Placeholder for DSS workflow. @sarahpark is working on the diagram.) The scan then compares the SHA of each component against the US National -Vulnerability Database that is installed on your DTR instance. when +Vulnerability Database that is installed on your DTR instance. When this database is updated, DTR reviews the indexed components for newly discovered vulnerabilities. +If you have subscribed to a webhook (see [Manage webhooks](../create-and-manage-webhooks.md)) +for scan completed/scan failed, then you will received the results of the scan +as a json to the specified endpoint. + Most scans complete within an hour, however larger repositories may take longer to scan depending on your system resources. 
@@ -58,8 +67,15 @@ To start a security scan: 2. Click the **Images** tab. 3. Locate the image tag that you want to scan. 4. In the **Vulnerabilities** column, click **Start a scan**. +![](../../images/scanning-images-1.png){: .with-border} + +You can also start a scan from the image details screen: -DTR begins the scanning process. You may need to refresh the page to see the +1. Click **View Details** on the desired image tag. +2. Click **Scan** on the right-hand side, above the layers table. +![](../../images/scanning-images-2.png){: .with-border} + +DTR begins the scanning process. You will need to refresh the page to see the results once the scan is complete. ## Change the scanning mode @@ -77,6 +93,7 @@ To change the repository scanning mode: 1. Navigate to the repository, and click the **Settings** tab. 2. Scroll down to the **Image scanning** section. 3. Select the desired scanning mode. +![](../../images/security-scanning-setup-5.png){: .with-border} ## View security scan results @@ -85,6 +102,7 @@ Once DTR has run a security scan for an image, you can view the results. The **Images** tab for each repository includes a summary of the most recent scan results for each image. +![](../../images/scanning-images-4.png){: .with-border} - A green shield icon with a check mark indicates that the scan did not find any vulnerabilities. - A red or orange shield icon indicates that vulnerabilities were found, and @@ -113,6 +131,8 @@ by the Dockerfile. > **Tip**: The layers view can be long, so be sure to scroll down if you don't immediately see the reported vulnerabilities. + ![](../../images/scanning-images-5.png){: .with-border} + - The **Components** view lists the individual component libraries indexed by the scanning system, in order of severity and number of vulnerabilities found, most vulnerable first. 
@@ -123,6 +143,7 @@ most vulnerable first. the scan report provides details on each one. The component details also include the license type used by the component, and the filepath to the component in the image. +![](../../images/scanning-images-6.png){: .with-border} ### What do I do next?
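Review bot: the webhook paragraph in the `@@ -21,19 +22,27 @@` hunk has a grammar slip and an imprecise type name: "you will received the results of the scan as a json to the specified endpoint" should read "you will receive the results of the scan as a JSON payload at the specified endpoint". The same hunk also leaves `[//]: # (Placeholder for DSS workflow. @sarahpark is working on the diagram.)` in the committed source; that comment will ship with the docs, so either drop it until the diagram lands or replace it with a tracked TODO without the personal mention. Minor: "statically-linked" after "are" is an adverb plus participle and should be "statically linked".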
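Review bot: the image reference in the `@@ -77,6 +93,7 @@` hunk (`![](../../images/security-scanning-setup-5.png){: .with-border}`) points at a file this patch does not add, while the newly added `scanning-images-3.png` is never referenced anywhere in the diff. This looks like a copy-paste from the admin setup page and will render as a broken image; change it to `![](../../images/scanning-images-3.png){: .with-border}` (or drop the unused binary if that file is not the intended one).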
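Review bot: in the `@@ -58,8 +67,15 @@` hunk the added `![](../../images/scanning-images-1.png)` and `![](../../images/scanning-images-2.png)` lines sit directly under a numbered list item with no blank line and no indentation, so kramdown terminates the list and the image renders as a stray top-level block. Either indent the image lines under the step they illustrate or separate them with a blank line, and apply the same convention to every image added in this patch so the rendering is consistent.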
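Review bot: the `@@ -113,6 +131,8 @@` hunk adds the image line with a leading space (`+ ![](../../images/scanning-images-5.png)`) and surrounds it with blank lines, unlike the other image insertions in this patch, which have no leading space and no surrounding blank lines. Pick one placement style for all six image lines; a single leading space is not enough to nest the image under the preceding bullet or blockquote, so it only adds inconsistency.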