-
Notifications
You must be signed in to change notification settings - Fork 21
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #120 from MicrosoftDocs/main
9/4/2024 OOB Publishing
- Loading branch information
Showing
19 changed files
with
270 additions
and
49 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
107 changes: 107 additions & 0 deletions
107
articles/defender-for-cloud/agentless-vulnerability-assessment-docker-hub.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| --- | ||
| title: Vulnerability assessments for Docker Hub external registry with Microsoft Defender Vulnerability Management | ||
| description: Configure vulnerability assessments for Docker Hub as an external registry with Microsoft Defender Vulnerability Management. | ||
| ms.author: a-ehorwitz | ||
| ms.date: 09/01/2024 | ||
| ms.topic: how-to | ||
| --- | ||
|
|
||
| # Vulnerability assessments for Docker Hub external registry with Microsoft Defender Vulnerability Management | ||
|
|
||
| A key aspect of Defender for Containers' security solution is to provide container image vulnerability assessment throughout its lifecycle, from code development to cloud deployment. | ||
|
|
||
| To achieve this goal, comprehensive coverage is needed for all stages of the container image life cycle, including container images from external registries. Docker Hub, widely used by enterprises, SMBs, and the open-source community, is supported in this feature. Customers using Docker Hub can use Defender for Containers for inventory discovery, security posture evaluation, and vulnerability assessment - enjoying the same security capabilities available for cloud-native registries like ACR, ECR, and GCR. | ||
|
|
||
| ## Functionality | ||
|
|
||
| Inventory – identify and list all available container images within the Docker Hub organization | ||
|
|
||
| Vulnerability Assessment– Regularly scan the Docker Hub organization account for supported container images, identify vulnerabilities, and provide recommendations for issues to be addressed. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| To use Microsoft Defender for Containers with your organizational Docker Hub accounts, you must own a Docker Hub organization account and have admin permission to manage users. For more information, see [How to set up Docker Hub as an external registry](defender-for-containers-enable-external-registry-for-docker-hub.md) | ||
|
|
||
| Enable Microsoft Defender for Containers or Defender for CSPM for at least one subscription in Microsoft Defender for Cloud | ||
|
|
||
| ## Onboarding the Docker Hub environment | ||
|
|
||
| Individuals who have security administrator privileges in Microsoft Defender for Cloud can add a new Docker Hub environment, provided they have the necessary permissions on the "Environment Settings" page. | ||
|
|
||
| :::image type="content" source="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-environments-panel-docker-hub.png" lightbox="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-environments-panel-docker-hub.png" alt-text="Screenshot of Defender for Cloud environments panel."::: | ||
|
|
||
| Each environment corresponds to a distinct Docker Hub organization. The onboarding interface for adding a new external registry allows the user to designate the type of container registry as a new environment classified as "Docker Hub". | ||
|
|
||
| :::image type="content" source="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-add-environment-docker-hub.png" lightbox="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-add-environment-docker-hub.png" alt-text="Screenshot of the Add Environment button. "::: | ||
|
|
||
| **The environment wizard assists with the onboarding process:** | ||
|
|
||
| 1. Connector Details | ||
|
|
||
| :::image type="content" source="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-docker-hub-connector-details.png" lightbox="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-docker-hub-connector-details.png" alt-text="Screenshot of the Docker Hub connector details panel."::: | ||
|
|
||
| Connector name: Specify a unique connector name. | ||
|
|
||
| Location: Specify the geographic location where Defender for Cloud stores the data associated with this connector. | ||
|
|
||
| Subscription: The hosting subscription that defines the RBAC scope, and billing entity for the Docker Hub environment. | ||
|
|
||
| Resource group: for RBAC purposes | ||
|
|
||
| > [!NOTE] | ||
| > Only one subscription can be linked to a Docker Hub environment instance. However, container images from this instance can be deployed to multiple environments protected by Defender for Cloud, outside the boundaries of the associated subscription. | ||
| Scanning intervals: Set the container registry re-scan interval with hourly precision. | ||
|
|
||
| 2. Select Plans | ||
|
|
||
| Multiple plans exist for these kinds of environments: | ||
|
|
||
| :::image type="content" source="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-docker-hub-connector-select-plan.png" lightbox="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-docker-hub-connector-select-plan.png" alt-text="Screenshot of the Docker Hub connector select plan panel."::: | ||
|
|
||
| - Foundational CSPM: Basic plan available for all customers, provides inventory capabilities only. | ||
|
|
||
| - Containers: Offers inventory and vulnerability assessment features. | ||
|
|
||
| - Defender CSPM: Offers inventory and vulnerability assessment features, plus extra capabilities like attack path analysis and code-to-cloud mapping. | ||
|
|
||
| For information regarding the plan pricing review [Microsoft Defender for Cloud pricing](https://azure.microsoft.com/pricing/details/defender-for-cloud/). | ||
|
|
||
| Ensure your Docker Hub environment plans are in sync with your cloud environment plans and share the same subscription to maximize coverage. | ||
|
|
||
| 3. Configure Access | ||
|
|
||
| To maintain a continuous and secure link between Defender for Cloud and your Docker Hub organization, ensure you have a dedicated user with an organization email address. Each Docker Hub connector corresponds to one Docker Hub organization. Therefore onboard a separate Docker Hub environment connector in Defender for Cloud for each Docker Hub organization you manage to achieve optimal security coverage for your container software supply chain. | ||
|
|
||
| Follow the steps in [How to set up Docker Hub as an external registry](defender-for-containers-enable-external-registry-for-docker-hub.md) to prepare your Docker Hub organization account for integration. | ||
|
|
||
| Provide these parameters from your Docker Hub user to establish a connection. | ||
|
|
||
| - Organization: Docker Hub organization name | ||
|
|
||
| - User: Assigned Docker Hub username | ||
|
|
||
| - Access token: Docker Hub user read-only access token | ||
|
|
||
| :::image type="content" source="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-docker-hub-connector-configure-access.png" lightbox="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-docker-hub-connector-configure-access.png" alt-text="Screenshot of the Docker Hub connector configure access panel."::: | ||
|
|
||
| 4. Review and generate | ||
|
|
||
| Review all the configured connector details before onboarding finalization. | ||
|
|
||
| :::image type="content" source="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-docker-hub-connector-review-generate.png" lightbox="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-docker-hub-connector-review-generate.png" alt-text="Screenshot of the Docker Hub connector review and generate panel."::: | ||
|
|
||
| 5. Validate connectivity | ||
|
|
||
| Verify the connection is successful and displays "Connected" on the environment’s settings screen. | ||
|
|
||
| :::image type="content" source="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-docker-hub-connector-verify.png" lightbox="media/agentless-vulnerability-assessment-docker-hub/defender-for-cloud-docker-hub-connector-verify.png" alt-text="Screenshot of the Docker Hub connector environment connected status in the Defender for Cloud environments panel."::: | ||
|
|
||
| 6. Validate feature capabilities | ||
|
|
||
| Docker Hub initiates container registry scanning within one hour after onboarding: | ||
|
|
||
| - Inventory – Make sure your Docker Hub connector and its security status appear in the Inventory view. | ||
|
|
||
| - Vulnerability Assessment – Ensure you receive the recommendation "(Preview) Container images in Docker Hub registry should have vulnerability findings resolved" for addressing security issues in your Docker Hub container images. | ||
|
|
42 changes: 42 additions & 0 deletions
42
...er-for-cloud/defender-for-containers-enable-external-registry-for-docker-hub.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| --- | ||
| title: How to onboard Docker Hub container registries | ||
| description: How to onboard Docker Hub container registries to Defender for Containers | ||
| ms.service: defender-for-cloud | ||
| ms.topic: how-to | ||
| ms.date: 09/25/2024 | ||
| --- | ||
|
|
||
| # How to onboard your Docker Hub container registries to Defender for Cloud Security Posture Management | ||
|
|
||
| Microsoft Defender for Containers connects to your organization's Docker Hub container registries using Defender for Cloud Security Posture Management to assess vulnerabilities in your Docker Hub container images. | ||
|
|
||
| To enable Defender for Containers to connect to your Docker Hub containers registry, you need to: | ||
|
|
||
| - Create in your Docker Hub organization account a dedicated user with access to all of the organization's container registries. | ||
| - Generate an access token for the Docker Hub dedicated user. | ||
| - Supply the Docker Hub dedicated user name and access token when configuring the Defender for Cloud Docker Hub connector. | ||
|
|
||
| ## Create a user in Docker Hub | ||
|
|
||
| 1. Before starting, verify that you: | ||
| - Own an organization Docker Hub account and have the appropriate permissions for creation and management of a Docker Hub user on the organization scope. | ||
| - Have already a dedicated user with your organization's email account (for example `mdc_user@contoso.com`), to be used only for Defender for Cloud connectivity. | ||
|
|
||
| 2. Invite the dedicated user via email to access all repositories in your organization as an "Editor". | ||
|
|
||
| :::image type="content" source="media/defender-for-containers-enable-external-registry-for-docker-hub/docker-hub-invite-member.png" alt-text="Screenshot of select an invite member." lightbox="media/defender-for-containers-enable-external-registry-for-docker-hub/docker-hub-invite-member.png"::: | ||
|
|
||
| :::image type="content" source="media/defender-for-containers-enable-external-registry-for-docker-hub/docker-hub-invite-editor-type-reduced.png" alt-text="Screenshot of invite a member." lightbox="media/defender-for-containers-enable-external-registry-for-docker-hub/docker-hub-invite-editor-type.png"::: | ||
|
|
||
| > [!NOTE] | ||
| > While the Editor privilege allows a user to modify Docker Hub registries, the access token created will allow Defender for Cloud read-only access. | ||
| 3. An email is sent to the dedicated user with a link to verify the email address. Select the verify link in the email and complete the process of creating a Docker Hub dedicated user. | ||
|
|
||
| ## Create an access token for the dedicated Docker Hub user | ||
|
|
||
| Sign in to Docker Hub as the dedicated user and generate an access token with "Read-Only" permissions. The access token is used to enable the Defender for Cloud to securely connect to your organization's Docker Hub account. Save this access token and the Docker Hub user name to configure the Defender for Cloud Docker Hub connector. | ||
|
|
||
| :::image type="content" source="media/defender-for-containers-enable-external-registry-for-docker-hub/docker-hub-create-access-token.png" alt-text="Screenshot of create an access token." lightbox="media/defender-for-containers-enable-external-registry-for-docker-hub/docker-hub-create-access-token.png"::: | ||
|
|
||
| :::image type="content" source="media/defender-for-containers-enable-external-registry-for-docker-hub/docker-hub-access-token-text.png" alt-text="Screenshot of view an access token." lightbox="media/defender-for-containers-enable-external-registry-for-docker-hub/docker-hub-access-token-text.png"::: |
Oops, something went wrong.