跳到主要內容

Onboard Docker Hub

Implementation Effort: Medium – Requires Docker Hub account configuration and secure integration with Microsoft Defender for Containers.

User Impact: Low – Onboarding is handled by security and DevOps teams; end users are not directly affected.

Overview

Onboarding Docker Hub in Microsoft Defender for Containers enables vulnerability scanning and security posture assessment of container images stored in Docker Hub. This integration allows Defender for Containers to apply the same security capabilities used for cloud-native registries like Azure Container Registry (ACR), Amazon ECR, and Google GCR 1.

Steps to Onboard Docker Hub

  1. Create a Dedicated Docker Hub User:

    • Use your organization's Docker Hub account to create a dedicated user (e.g., mdc_user@contoso.com).
    • Assign the user the Editor role across all repositories.
    • The user will receive a verification email—complete the verification process 2.
  2. Generate a Read-Only Access Token:

    • Sign in as the dedicated user.
    • Generate a read-only access token to be used by Defender for Cloud.
    • Save the token and username securely 2.
  3. Configure the Docker Hub Connector in Defender for Cloud:

    • Go to Microsoft Defender for Cloud > Environment settings.
    • Select your subscription and navigate to Container registries.
    • Add a new Docker Hub connector and provide the dedicated username and access token 2.

Once connected, Defender for Containers will begin scanning images in Docker Hub for vulnerabilities and compliance issues.

This capability supports the "Verify Explicitly" principle of Zero Trust by ensuring that only validated and secure container images are used in your environments.

Reference