Control: 4.5 Ensure Content trust for Docker is Enabled
Description
Content trust is disabled by default and should be enabled in line with organizational security policy.
Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow the client to verify the publisher of a specific image tag and establish the provenance of the container images it pulls.
Remediation
To enable content trust in a bash shell, enter the following command:
export DOCKER_CONTENT_TRUST=1
Alternatively, set this environment variable in your profile file so that content trust is enabled on every login. Note that this is a client-side, per-process setting: it only takes effect in sessions where the variable is present (including CI runners, cron jobs and service units that invoke the docker client), and an individual docker command can still bypass it with the --disable-content-trust flag.
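As an added example (not part of the Powerpipe mod or the CIS benchmark text), the following POSIX shell script performs the same audit as this control against the current shell's environment and applies the remediation. The function names and the default profile path of ~/.profile are this example's own choices; a fleet-wide setting would normally go in a file under /etc/profile.d instead.

```shell
#!/bin/sh
# Added example, not from the Powerpipe mod or the Docker docs.
# Audits and remediates DOCKER_CONTENT_TRUST for the current shell, mirroring
# the CIS audit step (`echo $DOCKER_CONTENT_TRUST` should print 1).

# Return 0 when the given value means "content trust enabled" for this
# control, i.e. exactly "1" after trimming whitespace; return 1 otherwise.
# This is an exact match, so values such as "10" are not accepted.
dct_is_enabled() {
  v=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  [ "$v" = "1" ]
}

# Audit helper: inspect the current environment, print ok/alarm in the same
# vocabulary as the Powerpipe control, and return 0 (ok) or 1 (alarm).
dct_audit() {
  if dct_is_enabled "${DOCKER_CONTENT_TRUST:-}"; then
    echo "ok: DOCKER_CONTENT_TRUST=1, Docker content trust enabled"
    return 0
  fi
  echo "alarm: DOCKER_CONTENT_TRUST is '${DOCKER_CONTENT_TRUST:-}', Docker content trust disabled"
  return 1
}

# Remediation helper: enable content trust for this shell and persist the
# export in a profile file for future logins. The profile path is a parameter
# (assumption: ~/.profile by default); the line is only appended once.
dct_enable() {
  profile="${1:-$HOME/.profile}"
  export DOCKER_CONTENT_TRUST=1
  if ! grep -q '^export DOCKER_CONTENT_TRUST=1$' "$profile" 2>/dev/null; then
    echo 'export DOCKER_CONTENT_TRUST=1' >> "$profile"
  fi
}
```

Source the file into a shell and call dct_audit to check the current session; call dct_enable (optionally with a profile path) to remediate. Because the setting is per environment, run the audit from the same context that actually executes docker, not only from an interactive login shell.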
Default Value
By default, content trust is disabled.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_4_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run docker_compliance.control.cis_v160_4_5 --share
SQL
This control uses a named query:
-- Collect each host's name from the exec plugin, keyed by connection.
with hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
-- Read DOCKER_CONTENT_TRUST from the environment of the shell the
-- exec plugin runs on each host. Note this only reflects that shell's
-- environment, not every user's session on the host.
command_output as (
  select
    -- Trim the trailing newline from echo so the value can be compared exactly.
    btrim(stdout_output, E' \n\r\t') as trust_value,
    _ctx ->> 'connection_name' as conn
  from
    exec_command
  where
    command = 'echo $DOCKER_CONTENT_TRUST'
)
select
  host as resource,
  -- Exact match on '1' (a substring match such as like '%1%' would also
  -- accept values like '10' and report a false ok).
  case
    when o.trust_value = '1' then 'ok'
    else 'alarm'
  end as status,
  case
    when o.trust_value = '1' then host || ' Docker content trust enabled.'
    else host || ' Docker content trust disabled.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  command_output as o
where
  h.host_conn = o.conn;