|
| 1 | +--- |
| 2 | +title: STIG |
| 3 | +description: Learn how Docker Hardened Images provide STIG-hardened container images with verifiable security scan attestations for government and enterprise compliance requirements. |
| 4 | +keywords: docker stig, stig-hardened images, stig guidance, openscap docker, secure container images |
| 5 | +--- |
| 6 | + |
| 7 | +## What is STIG? |
| 8 | + |
| 9 | +[Security Technical Implementation Guides |
| 10 | +(STIGs)](https://public.cyber.mil/stigs/) are configuration standards published |
| 11 | +by the U.S. Defense Information Systems Agency (DISA). They define security |
| 12 | +requirements for operating systems, applications, databases, and other |
| 13 | +technologies used in U.S. Department of Defense (DoD) environments. |
| 14 | + |
| 15 | +STIGs help ensure that systems are configured securely and consistently to |
| 16 | +reduce vulnerabilities. They are often based on broader requirements like the |
| 17 | +DoD's General Purpose Operating System Security Requirements Guide (GPOS SRG). |
| 18 | + |
| 19 | +## Why STIG guidance matters |
| 20 | + |
| 21 | +Following STIG guidance is critical for organizations that work with or support |
| 22 | +U.S. government systems. It demonstrates alignment with DoD security standards |
| 23 | +and helps: |
| 24 | + |
| 25 | +- Accelerate Authority to Operate (ATO) processes for DoD systems |
| 26 | +- Reduce the risk of misconfiguration and exploitable weaknesses |
| 27 | +- Simplify audits and reporting through standardized baselines |
| 28 | + |
| 29 | +Even outside of federal environments, STIGs are used by security-conscious |
| 30 | +organizations as a benchmark for hardened system configurations. |
| 31 | + |
| 32 | +STIGs are derived from broader NIST guidance, particularly [NIST Special |
| 33 | +Publication 800-53](https://csrc.nist.gov/publications/sp800), which defines a |
| 34 | +catalog of security and privacy controls for federal systems. Organizations |
| 35 | +pursuing compliance with 800-53 or related frameworks (such as FedRAMP) can use |
| 36 | +STIGs as implementation guides that help meet applicable control requirements. |
| 37 | + |
| 38 | +## How Docker Hardened Images help apply STIG guidance |
| 39 | + |
| 40 | +Docker Hardened Images (DHIs) include STIG variants that are scanned against |
| 41 | +custom STIG-based profiles and include signed STIG scan attestations. These |
| 42 | +attestations can support audits and compliance reporting. |
| 43 | + |
| 44 | +Docker creates custom STIG-based profiles for images based on the GPOS SRG and |
| 45 | +DoD Container Hardening Process Guide. Because DISA has not published a STIG |
| 46 | +specifically for containers, these profiles help apply STIG-like guidance to |
| 47 | +container environments in a consistent, reviewable way and are designed to |
| 48 | +reduce false positives common in container images. |
| 49 | + |
| 50 | +## Identify images that include STIG scan results |
| 51 | + |
| 52 | +Docker Hardened Images that include STIG scan results are labeled as **STIG** in |
| 53 | +the Docker Hardened Images catalog. |
| 54 | + |
| 55 | +To find DHI repositories with STIG image variants, [explore |
| 56 | +images](../how-to/explore.md) and: |
| 57 | + |
| 58 | +- Use the **STIG** filter on the catalog page |
| 59 | +- Look for **STIG** labels on individual image listings |
| 60 | + |
| 61 | +To find a STIG image variant within a repository, go to the **Tags** tab in the |
| 62 | +repository, and find images labeled with **STIG** in the **Compliance** column. |
| 63 | + |
| 64 | +## View and verify STIG scan results |
| 65 | + |
| 66 | +Docker provides a signed [STIG scan |
| 67 | +attestation](../core-concepts/attestations.md) for each STIG-hardened image. |
| 68 | +These attestations include: |
| 69 | + |
| 70 | +- A summary of the scan results, including the number of passed, failed, and not |
| 71 | + applicable checks |
| 72 | +- The name and version of the STIG profile used |
| 73 | +- Full output in both HTML and XCCDF (XML) formats |
| 74 | + |
| 75 | +### View STIG scan attestations |
| 76 | + |
| 77 | +You can retrieve and inspect a STIG scan attestation using the Docker Scout CLI: |
| 78 | + |
| 79 | +```console |
| 80 | +$ docker scout attest get \ |
| 81 | + --predicate-type https://docker.com/dhi/stig/v0.1 \ |
| 82 | + --verify \ |
| 83 | + --predicate \ |
| 84 | + <your-namespace>/dhi-<image>:<tag> |
| 85 | +``` |
| 86 | + |
| 87 | +### Extract HTML report |
| 88 | + |
| 89 | +To extract and view the human-readable HTML report: |
| 90 | + |
| 91 | +```console |
| 92 | +$ docker scout attest get <your-namespace>/dhi-<image>:<tag> \ |
| 93 | + --predicate-type https://docker.com/dhi/stig/v0.1 \ |
| 94 | + --verify \ |
| 95 | + --predicate \ |
| 96 | + | jq -r '.[0].output[] | select(.format == "html").content | @base64d' > stig_report.html |
| 97 | +``` |
| 98 | + |
| 99 | +### Extract XCCDF report |
| 100 | + |
| 101 | +To extract the XML (XCCDF) report for integration with other tools: |
| 102 | + |
| 103 | +```console |
| 104 | +$ docker scout attest get <your-namespace>/dhi-<image>:<tag> \ |
| 105 | + --predicate-type https://docker.com/dhi/stig/v0.1 \ |
| 106 | + --verify \ |
| 107 | + --predicate \ |
| 108 | + | jq -r '.[0].output[] | select(.format == "xccdf").content | @base64d' > stig_report.xml |
| 109 | +``` |
| 110 | + |
| 111 | +### View STIG scan summary |
| 112 | + |
| 113 | +To view just the scan summary without the full reports: |
| 114 | + |
| 115 | +```console |
| 116 | +$ docker scout attest get <your-namespace>/dhi-<image>:<tag> \ |
| 117 | + --predicate-type https://docker.com/dhi/stig/v0.1 \ |
| 118 | + --verify \ |
| 119 | + --predicate \ |
| 120 | + | jq -r '.[0] | del(.output)' |
| 121 | +``` |
| 122 | + |
| 123 | + |
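Review bot: the three `jq` pipelines under "Extract HTML report", "Extract XCCDF report" and "View STIG scan summary" (lines 92-121) depend on `jq` being installed, and every command in this section depends on the Docker Scout CLI, but neither is listed as a prerequisite anywhere on the page; add a short prerequisites line before "View STIG scan attestations" (line 75), e.g. "These commands require the Docker Scout CLI and `jq`." The `--verify` flag is passed in all four invocations, and the section opens by calling the attestation "signed", yet the text never says what `--verify` checks or that the output should not be trusted if verification fails; one sentence under "View STIG scan attestations" would close that gap. The front matter keyword `openscap docker` (line 4) names a scanner the body never mentions; either state in "How Docker Hardened Images help apply STIG guidance" which tool produces the XCCDF output, or drop the keyword so it does not imply something the page does not document. Minor style points: the first command (lines 80-84) places the image reference after the flags while the next three place it first, so pick one ordering for all four; and the file ends with two blank lines (lines 122-123) where one is enough.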