Image signing and verification using TUF

The Docker community expects to have a strong cryptographic guarantee regarding the code and versions of the Dockerized software. DCT is the new security-related feature associated with the 1.8 version of the Docker platform. DCT intrinsically integrates The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content.

TUF helps developers to secure new or existing software update systems, which are often found to be vulnerable to many known attacks. TUF addresses this widespread problem by providing a comprehensive and flexible security framework that developers can integrate with any software update system. A software update system is an application running on a client system that obtains and installs software. This can include updates to software that is already installed or even completely new software.

Protection against image forgery: Once trust is established, DCT provides the ability to withstand a malicious actor with a privileged network position, that is, a Man-in-the-Middle (MitM) attack.

Protection against replay attacks: In the typical replay attacks, previously valid payloads are replayed to trick another system. In the case of software update systems, old versions of signed software can be presented as the most recent ones. If a user is fooled into installing an older version of a particular software, the malicious actor can make use of the known security vulnerabilities to compromise the user's host. DCT uses the timestamp key when publishing the image, providing protection against replay attacks. This ensures that what the user receives is the most recent one.

Protection against key compromise: If a key is compromised, you can use the offline key to perform a key rotation. Only the holder of the offline key can perform that rotation. In this scenario, you create a new key and sign it with your offline key.
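The forgery and replay protections described above, as an added example that is not part of the original text or of Notary's code: a minimal TUF-style client that checks timestamp metadata for a valid signature, freshness, and a strictly increasing version number. HMAC-SHA256 stands in for the Ed25519 signatures Notary actually uses, and every key, version, and digest is constructed for the example.

```python
import hmac, hashlib, json

# Constructed stand-in: HMAC-SHA256 plays the role of Notary's Ed25519 signature so the
# example runs with the standard library only. This is not a real key.
TIMESTAMP_KEY = b"constructed-timestamp-key"

def canonical(signed: dict) -> bytes:
    """TUF signs a canonical JSON encoding of the 'signed' body."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign_timestamp(signed: dict, key: bytes = TIMESTAMP_KEY) -> dict:
    """Publisher side: attach a signature to the timestamp body."""
    sig = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signatures": [{"keyid": "ts-1", "sig": sig}]}

class TufClient:
    """Client side: a trusted timestamp key plus the highest version seen so far."""
    def __init__(self, key: bytes = TIMESTAMP_KEY):
        self.key = key
        self.last_version = 0

    def verify_timestamp(self, meta: dict, now: float) -> str:
        signed = meta["signed"]
        expected = hmac.new(self.key, canonical(signed), hashlib.sha256).hexdigest()
        # 1. Signature must verify under the trusted key: defeats forgery and MitM tampering.
        if not any(hmac.compare_digest(s["sig"], expected) for s in meta["signatures"]):
            return "rejected: bad signature"
        # 2. Timestamp metadata is short-lived; an expired copy is stale and is refused.
        if now > signed["expires"]:
            return "rejected: expired"
        # 3. Version must strictly increase: a validly signed but older copy is a replay.
        if signed["version"] <= self.last_version:
            return "rejected: rollback/replay"
        self.last_version = signed["version"]
        return "accepted"

def demo() -> list:
    """Walk one client through a normal update, a replay, a forgery and a stale copy."""
    now = 1_700_000_000.0
    snap = {"snapshot.json": {"sha256": "ab" * 32}}  # constructed digest
    v1 = sign_timestamp({"_type": "timestamp", "version": 1, "expires": now + 3600, "meta": snap})
    v2 = sign_timestamp({"_type": "timestamp", "version": 2, "expires": now + 3600, "meta": snap})
    client = TufClient()
    results = [client.verify_timestamp(v1, now),   # first fetch
               client.verify_timestamp(v2, now),   # legitimate update
               client.verify_timestamp(v1, now)]   # old but validly signed v1 replayed
    forged = dict(v2, signed=dict(v2["signed"], version=3))  # body edited, old signature kept
    results.append(client.verify_timestamp(forged, now))
    results.append(client.verify_timestamp(v2, now + 7200))   # served long after expiry
    return results
```

The rollback check is what turns a "merely valid" signature into protection against old versions: without the version comparison, the replayed v1 would be accepted.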

Other security-enhancing projects include the following:

  • Clair: This is an open-source project for the static analysis of vulnerabilities in application Docker containers (https://github.com/coreos/clair). It audits Docker images locally and also checks for vulnerabilities through container registry integration. During its first run, Clair bootstraps its database with vulnerability data from its data sources.
  • Notary: The Docker Notary project is a framework that allows anyone to securely publish and access content (for example, Docker images) over a potentially insecure network. Notary allows a user to digitally sign and verify content.
  • Project Nautilus: Nautilus is Docker's image scanning capability, which can examine images in Docker Hub to help identify vulnerabilities that may exist in Docker containers. Today, Nautilus only works with Docker Hub. It does not support private or on-premises registries.
  • AuthZ Plugins: The native Docker access control is all or nothing—you either have access to all Docker resources or none. The AuthZ framework is Twistlock's contribution to the Docker code base. AuthZ allows anyone to write an authorization plugin for Docker to provide fine-grained access control to Docker resources.
  • Docker Trusted Registry (DTR): This is Docker's enterprise version of Docker Hub. You can run DTR on-premises or in your virtual private cloud to support security or compliance requirements. Docker Hub is open source, whereas DTR is a subscription-based product sold by Docker. Communications with the registries use TLS, to ensure both confidentiality and content integrity. By default, the use of certificates trusted by the public PKI infrastructure is mandatory, but Docker allows the addition of a company internal CA root certificate to the trust store.