v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/docker_compliance
Overview
1Dashboards
88Controls
88Queries
2Variables
GitHub

Control: 4.5 Ensure Content trust for Docker is Enabled

Description

Content trust is disabled by default and should be enabled in line with organizational security policy.

Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the identity and the publisher of specific image tags and ensures the provenance of container images.

Remediation

To enable content trust in a bash shell, you should enter the following command:

export DOCKER_CONTENT_TRUST=1

Alternatively, you could set this environment variable in your profile file so that content trust in enabled on every login.

Default Value

By default, content trust is disabled.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_4_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_4_5 --share

SQL

This control uses a named query:

exec_docker_container_trust_enabled

Tags

category = Compliance
cis = true
cis_item_id = 4.5
cis_level = 2
cis_section_id = 4
cis_type = manual
cis_version = v1.6.0
plugin = docker
service = Docker