Loading the Docker images and the security implications

Docker typically pulls images from a registry over the network, where they are usually curated and verified at the source. For backup and restore, however, an image can be written to a tarball with the docker save subcommand and read back with the docker load subcommand. The same mechanism can be used to bring in third-party images through unconventional channels. In that case the Docker Engine cannot verify where the image came from, so the image may carry malicious code. As a first layer of protection, Docker extracts the image in a chrooted subprocess to separate privileges. Even with that privilege separation, loading arbitrary images is not recommended.

Using container scanning to secure Docker deployments: Docker Content Trust (DCT) gives publishers an easy and fast way to guarantee the authenticity of containers published to web-scale repositories such as Docker Hub. Organizations still need to take pragmatic measures to access, assess, and act on the security of their containerized applications throughout the complete life cycle. Precisely speaking, DCT is a means by which you securely sign the Docker images you have created, so that consumers can verify that the images come from the publisher they claim to come from.
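The two preceding paragraphs describe the gap this script is meant to close: an image loaded from a tarball is never checked by the engine, whereas a pulled image can be signature-checked under DCT. The following is an added example, not code from the book or from Docker: it recomputes the image ID (the sha256 of the config blob named in the tarball's manifest.json) and refuses to run docker load unless that ID matches the one recorded from the trusted source. It assumes GNU or BSD tar and sha256sum or shasum on the host.

```shell
#!/usr/bin/env bash
# Added example: pin a `docker save` tarball to an expected image ID before `docker load`.
# A saved image contains manifest.json; its "Config" entry names the config blob,
# and the image ID is the sha256 of that blob (stored as "<id>.json" or "blobs/sha256/<id>").
set -euo pipefail

sha256_of_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | awk '{print $1}'
  else shasum -a 256 | awk '{print $1}'; fi
}

# Print the image ID recomputed from the config blob inside the tarball.
# Fails if manifest.json has no Config entry or the blob does not hash to the
# name it is stored under (a tampered or corrupt archive).
saved_image_id() {
  local tarball="$1" config_path stored actual
  config_path=$(tar -xOf "$tarball" manifest.json | grep -o '"Config":"[^"]*"' | head -n1 | cut -d'"' -f4)
  [ -n "$config_path" ] || { echo "no Config entry in manifest.json" >&2; return 1; }
  stored=$(basename "$config_path" .json)
  stored=${stored#sha256:}
  actual=$(tar -xOf "$tarball" "$config_path" | sha256_of_stdin)
  if [ "$stored" != "$actual" ]; then
    echo "config blob $config_path hashes to $actual, not $stored" >&2
    return 1
  fi
  echo "$actual"
}

# Load only when the recomputed image ID equals the ID recorded on the trusted
# host at `docker save` time (compare with `docker images --no-trunc` there).
# For registry pulls, DOCKER_CONTENT_TRUST=1 makes the engine verify DCT signatures instead.
load_if_expected() {
  local tarball="$1" expected="$2" id
  id=$(saved_image_id "$tarball") || return 1
  if [ "$id" != "${expected#sha256:}" ]; then
    echo "refusing to load $tarball: image ID $id != expected $expected" >&2
    return 1
  fi
  docker load -i "$tarball"
}
```

The check covers the config blob only; layers are still untrusted until the image ID itself is one you recorded from a trusted build, because the config lists the layer digests that the engine verifies on load.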

Managing container security with Black Duck Hub: Black Duck Hub is a vital tool for managing the security of application containers throughout the full application life cycle. It allows organizations to identify and track vulnerable open-source applications and components within their environment. Assessments draw on Black Duck's KnowledgeBase, which contains information on 1.1 million open-source projects and detailed data on more than 100,000 known open-source vulnerabilities across more than 350 billion lines of code. Through a partnership with Red Hat, Black Duck's ability to identify and inventory open-source and proprietary code in production environments is now being applied to containerized environments. Red Hat has launched Deep Container Inspection (DCI), an enterprise-focused offering that wraps container certification, policy, and trust into an overall architecture for deploying and managing application containers. As part of DCI, Red Hat is partnering with Black Duck to give organizations a means of validating the contents of a container before, during, and after deployment.

Integrating Black Duck Hub's vulnerability scanning and mapping capabilities enables OpenShift customers to consume, develop, and run containerized applications with increased confidence, knowing that the code in those applications has been independently validated and certified. The integration also provides a means to track the impact of newly disclosed vulnerabilities, and of changes that come with container aging, on security and risk. Black Duck Hub's application vulnerability scanning and mapping capability gives Docker customers the ability to identify vulnerabilities both before and after deployment, and to spot issues that arise as containerized applications age or become exposed to new vulnerabilities and attacks.
