guides: add security guide

Author: sarahsanders-docker

content/guides/harden-docker/_index.md

@@ -0,0 +1,44 @@
+---
+title: Harden Docker for production
+linkTitle: Harden Docker
+summary:
+description: Learn how to configure Docker across your organization to harden Docker for proudction, especially in secure environments
+tags: [admin]
+params:
+  featured: true
+  time: 20 minutes
+  image:
+  resource_links:
+    - title:
+      url:
+---
+
+This guide is for teams deploying Docker in regulated, production, or security-conscious environments. It helps administrators enforce security best practices, apply organization-wide controls, and reduce the attack surface of Docker tools like Docker Desktop and Docker Hub.
+
+## Who's this for?
+
+- Organization administrators
+- Security engineers
+- IT teams responsible for enforcing organization-wide security policies
+
+## What you’ll learn
+
+This guide walks you through how to:
+
+- Enforce secure authentication using SSO and domain verification
+- Apply least-privilege access controls across your organization
+- Lock down Docker Desktop using centralized settings and policy enforcement
+- Monitor usage and integrate with compliance and security tooling
+- Align your Docker implementation with enterprise security and compliance requirements
+
+## Before you start
+
+To follow this guide, you’ll need:
+
+- A Docker Business subscription
+- Organization owner access to your Docker organization
+- Access to your identity provider (IdP) if configuring SSO
+- A list of domains to verify and manage
+- Docker Desktop installed on user machines
+
+If you’re new to Docker or managing organizations, start with the [Admin setup guide](/guides/admin-set-up) first.

content/guides/harden-docker/control-access.md

@@ -0,0 +1,88 @@
+---
+title: Control access with verified domains and groups
+description:
+weight: 20
+---
+
+In high-security environments, controlling access to Docker resources is
+paramount. By verifying your organization's domains and implementing
+group-based access controls, you can ensure that only authorized users can
+access your Docker resources.
+
+This module guides you through the process of verifying domains and setting up
+group mappings to enforce strict access controls.
+
+## Prerequisites
+
+Before you begin, ensure you have:
+
+- A Docker Business subscription
+- Organization owner access to your Docker organization or company
+- Access to your Domain Name System (DNS) provider to add TXT records
+- Access to your Identity Provider (IdP) to configure group mappings
+
+## Step two: Enable auto-provisioning
+
+Auto-provisioning automatically adds users to your organization when they sign
+in with an email address that matches your verified domain. This simplifies
+user management and ensures consistent security settings.
+
+To enable auto-provisioning:
+
+1. In the [Admin Console](https://app.docker.com/admin), navigate to
+the **Domain management** page and locate your verified domain.
+1. Select the **Actions** menu, then **Enable auto-provisioning**.
+1. Confirm the action in the pop-up modal.
+
+> [!NOTE]
+>
+> Auto-provisioning is optional and does not create accounts for new users, it
+adds existing unassociated users to your organization. For domains that are
+using SSO, Just-in-Time (JIT) provisioning overrides auto-provisioning.
+
+## Step three: Configure group mapping
+
+Group mapping automates permissions management by linking identity provider
+groups to Docker roles and teams. This ensures consistent access control
+policies and reduces manual errors in role assignments.
+
+1. Create groups in your IdP:
+    1. Use the format `organization:team` that matches the name of your Docker
+    organization and teams. For example, `docker:developers`.
+    1. Assign users to the appropriate groups in your IdP.
+1. Configure group mapping in Docker:
+    1. In the Admin Console, navigate to
+    **Security and access** > **Provisioning** > **Group mapping**.
+    1. Add the group names following the `organization:team` format.
+    1. Docker will automatically assign users to the corresponding teams based
+    on their group membership in your IdP.
+
+> [!NOTE]
+>
+> When groups are synced, Docker creates a team if it doesn’t already exist.
+For detailed instructions, see [Group mapping]().
+
+## Step four: Assign roles and permissions
+
+Assigning appropriate roles to users ensures they have the necessary
+permissions without over-provisioning access.
+
+- Member: Non-administrative role; can view other members in the same
+organization.
+- Editor: Partial administrative access; can create, edit, and delete
+repositories, and edit existing team’s access permissions.
+- Organization owner: Full administrative access; can manage repositories,
+teams, members, settings, and billing.
+
+For more information on roles and permissions, see [Roles and permissions]().
+
+## Best practices
+
+- Use verified domains: Ensure all users sign in with email addresses from
+your verified domains to maintain control over access.
+- Implement group mapping: Automate user assignments to teams and roles to
+reduce manual errors and maintain consistent access policies.
+- Regularly audit access: Create a schedule to review team memberships and role
+assignments to ensure they align with current organizational needs.
+- Limit privileged access: Assign the Organization Owner role sparingly to
+minimize the risk of unauthorized changes.

content/guides/harden-docker/enforce-secure-auth.md

@@ -0,0 +1,124 @@
+---
+title: Enforce secure authentication
+description:
+weight: 10
+---
+
+In regulated and security-sensitive environments, enforcing single sign-on
+(SSO) ensures all users authenticate through a centralized identity provider
+(IdP). This strengthens security, simplifies user management, and allows you to
+enforce organization-wide authentication policies.
+
+This module walks you through how to configure SSO for your Docker organization,
+enforce it for all users, and disable fallback sign-in methods.
+
+## Prerequisites
+
+Before you begin, ensure you have:
+
+- A Docker Business subscription
+- Admin access to your Docker organization or company
+- Access to your DNS provider
+- Access to your Identity Provider (IdP) admin console (e.g., Okta, Azure AD)
+
+## Step one: Add and verify your domain
+
+Verifying your organization’s domain is the first step in securing access. This
+process confirms ownership and allows you to enforce SSO and auto-provisioning.
+
+1. Sign in to the [Docker Admin Console](https://app.docker.com/admin) and
+select your organization from the **Choose profile** page.
+1. Add your domain:
+    1. Under **Security and access**, select **Domain management**.
+    1. Select **Add a domain**.
+    1. Enter your domain (e.g., `example.com`) and select **Add domain**.
+1. Verify your domain:
+    1. A pop-up modal will display a **TXT Record Value.**
+    1. Sign in to your DNS provider and add a TXT record using the provided value.
+    1. It may take up to 72 hours for DNS changes to propagate.
+    1. Once the TXT record is recognized, return to the Admin Console’s **Domain management** page and select **Verify**.
+
+> [!NOTE]
+>
+> For detailed instructions on adding TXT records with specific DNS providers,
+see [Domain management]().
+
+## Step two: Set up SSO
+
+Docker offers two types of SSO integration:
+
+- OIDC: For IdPs like Entra ID, Auth0, or Google Workspace
+- SAML 2.0: Widely supported by enterprise IdPs like Okta, Ping, and legacy
+providers
+
+Docker’s SSO configuration supports:
+
+- Just-in-Time (JIT) user provisioning
+- Multi-domain SSO
+- Group mapping for team assignment (covered in [Module 2]())
+
+To compare protocols and choose your setup path, start with the
+[SSO overview]().
+
+Then follow the instructions for your IdP:
+
+- [Set up OIDC SSO]()
+- [Set up SAML SSO]()
+
+Each guide walks you through:
+
+- Linking your verified domain to your IdP
+- Entering credentials
+- Mapping user claims
+- Testing the connection with a non-admin account
+
+## Step three: Enforce SSO
+
+Once you’ve confirmed the SSO connection works, you can enforce it across your
+organization to ensure all users authenticate through your IdP.
+
+To enforce SSO:
+
+1. In the [Admin Console](https://app.docker.com/admin), navigate
+to **Security and access** > **Authentication**.
+2. Under **SSO enforcement**, select **Enforce SSO for all users**.
+3. Confirm your changes.
+
+This step blocks users from signing in with Docker credentials and requires
+authentication via your IdP for any domain-matched account.
+
+## Step four: Enforce Docker Desktop sign-in
+
+To prevent users from running Docker Desktop anonymously or without
+organizational control, you can enforce sign-in at the Desktop client level.
+When enabled, users must sign in with a Docker ID to use Docker Desktop.
+
+This setting is enforced using centralized configuration methods like:
+
+- `admin-settings.json` for local testing and smaller rollouts
+- Mobile Device Management (MDM) tools for larger fleets
+
+To enable it:
+
+1. In your settings configuration, set:
+
+    ```json
+    {
+    	"enforceSignIn": true
+    }
+    ```
+
+2. Distribute the setting using one of the supported configuration
+methods (e.g., MDM, file copy, registry edit).
+
+For full details, see [Enforce sign-in]().
+
+## Best practices
+
+- Enable Just-in-Time (JIT) provisioning to streamline user onboarding.
+- Set up Multi-Factor Authentication (MFA) in your IdP for stronger
+authentication.
+- Use Enforce Sign-In on Docker Desktop to prevent unauthenticated or offline
+usage.
+- Avoid fallback authentication paths by enforcing SSO per domain.
+- Test with sample accounts before rolling out enforcement org-wide.

content/guides/harden-docker/monitor-activity.md

@@ -0,0 +1,91 @@
+---
+title: Secure Docker Desktop with Settings Management
+description:
+weight: 50
+---
+
+In hardened environments, it’s not enough to configure secure defaults. You
+also need ongoing visibility into how Docker is being used, where settings may
+drift, and whether your container environments meet compliance requirements.
+
+This module walks you through how to monitor Docker organization activity,
+audit Desktop settings across your fleet, and integrate with external tooling
+like SIEM or Slack.
+
+## Prerequisites
+
+Before you begin, ensure you have:
+
+- A Docker Business subscription
+- Organization owner access to your Docker organization
+- Docker Desktop deployed across managed machines
+- Optional. Docker Scout enabled for image analysis and SBOM indexing
+
+## Step one: Review activity logs
+
+Docker automatically tracks high-level organizational activity such as:
+
+- User sign-ins
+- Team and role changes
+- Repository actions
+- SSO enforcement status
+- Domain verification events
+
+To view logs:
+
+1. Go to the [Docker Admin Console](https://app.docker.com/admin)
+2. Select your organization.
+3. Navigate to **Activity Logs**.
+
+You can search by event type or user to trace changes across your org.
+
+## Step two: Monitor Desktop settings compliance
+
+If you're using centralized settings via `admin-settings.json` or the Admin
+Console, you can audit compliance across your fleet.
+
+To view compliance reports:
+
+1. In the Admin Console, go to **Settings management**.
+2. Open the **Reporting** tab to see which machines are:
+    - Compliant with enforced settings
+    - Out of sync or missing required controls
+
+## Step three: Set up Docker Scout for image visibility
+
+Use [Docker Scout](https://docs.docker.com/scout/) to track security posture at
+the container image level. Scout supports:
+
+- Software Bill of Materials (SBOM) indexing
+- Vulnerability scanning
+- Policy enforcement
+- Exceptions and remediation tracking
+
+You can integrate Scout with:
+
+- GitHub Actions
+- GitLab CI/CD
+- Jenkins
+- Azure DevOps
+- Artifactory, ECR, ACR, and more
+
+To start, visit the [Docker Scout integrations overview](https://docs.docker.com/scout/integrations/).
+
+## Step four: Enable alerts and external integrations
+
+For real-time visibility, consider integrating Docker logs and insights with:
+
+- Slack: Docker Scout supports alerting via Slack for policy violations and
+vulnerability reports
+- SIEM tools: Export activity logs or Scout scan results into tools like
+Splunk or Sentinel
+- Webhook-based integrations: Set up Docker Hub [webhooks](https://docs.docker.com/docker-hub/repos/manage/webhooks/) for image pull/push notifications
+
+## Best practices
+
+- Review activity logs regularly (weekly or during incident response).
+- Monitor settings compliance to detect drift across endpoints.
+- Enable SBOM indexing and scan enforcement via Docker Scout.
+- Push logs and alerts into your broader monitoring and alerting systems.
+- Use webhook or CI integrations to track image updates and policy violations
+in real time.