From 7fb438dc62ae011d56fa7fda75249fab64c13894 Mon Sep 17 00:00:00 2001 From: Craig Date: Wed, 18 Jun 2025 16:14:08 -0700 Subject: [PATCH] dhi: add fips Signed-off-by: Craig --- content/manuals/dhi/about/available.md | 23 ++++- content/manuals/dhi/core-concepts/_index.md | 4 + content/manuals/dhi/core-concepts/fips.md | 108 ++++++++++++++++++++ content/manuals/dhi/how-to/explore.md | 1 + 4 files changed, 135 insertions(+), 1 deletion(-) create mode 100644 content/manuals/dhi/core-concepts/fips.md diff --git a/content/manuals/dhi/about/available.md b/content/manuals/dhi/about/available.md index 84219f7f625c..269b6eaeedb6 100644 --- a/content/manuals/dhi/about/available.md +++ b/content/manuals/dhi/about/available.md @@ -70,4 +70,25 @@ in a secure build environment and deploy it using a lean runtime image. For example, you might find tags like the following in a DHI repository: - `3.9.23-debian12`: runtime image for Python 3.9.23 -- `3.9.23-debian12-dev`: development image for Python 3.9.23 \ No newline at end of file +- `3.9.23-debian12-dev`: development image for Python 3.9.23 + +## FIPS variants + +Some Docker Hardened Images include a `-fips` variant. These variants use +cryptographic modules that have been validated under [FIPS +140](../core-concepts/fips.md), a U.S. government standard for secure +cryptographic operations. + +FIPS variants are designed to help organizations meet regulatory and compliance +requirements related to cryptographic use in sensitive or regulated +environments. + +You can recognize FIPS variants by their tag that includes `-fips`. + +For example: +- `3.13-fips`: FIPS variant of the Python 3.13 image +- `3.9.23-debian12-fips`: FIPS variant of the Debian-based Python 3.9.23 image + +FIPS variants can be used in the same way as any other Docker Hardened Image and +are ideal for teams operating in regulated industries or under compliance +frameworks that require cryptographic validation. diff --git a/content/manuals/dhi/core-concepts/_index.md b/content/manuals/dhi/core-concepts/_index.md index 369f77fb8881..fd098701864b 100644 --- a/content/manuals/dhi/core-concepts/_index.md +++ b/content/manuals/dhi/core-concepts/_index.md @@ -20,6 +20,10 @@ params: description: Learn how build provenance metadata helps trace the origin of Docker Hardened Images and support compliance with SLSA. icon: track_changes link: /dhi/core-concepts/provenance/ + - title: FIPS + description: Learn how Docker Hardened Images support FIPS 140 by using validated cryptographic modules and providing signed attestations for compliance audits. + icon: verified + link: /dhi/core-concepts/fips/ grid_concepts_risk: - title: Common Vulnerabilities and Exposures (CVEs) diff --git a/content/manuals/dhi/core-concepts/fips.md b/content/manuals/dhi/core-concepts/fips.md new file mode 100644 index 000000000000..4b67a57c545e --- /dev/null +++ b/content/manuals/dhi/core-concepts/fips.md @@ -0,0 +1,108 @@ +--- +title: FIPS +description: Learn how Docker Hardened Images support FIPS 140 through validated cryptographic modules to help organizations meet compliance requirements. +keywords: docker fips, fips 140 images, fips docker images, docker compliance, secure container images +--- + +## What is FIPS 140? + +[FIPS 140](https://csrc.nist.gov/publications/detail/fips/140/3/final) is a U.S. +government standard that defines security requirements for cryptographic modules +that protect sensitive information. It is widely used in regulated environments +such as government, healthcare, and financial services. + +FIPS certification is managed by the [NIST Cryptographic Module Validation +Program +(CMVP)](https://csrc.nist.gov/projects/cryptographic-module-validation-program), +which ensures cryptographic modules meet rigorous security standards. + +## Why FIPS compliance matters + +FIPS 140 compliance is required or strongly recommended in many regulated +environments where sensitive data must be protected, such as government, +healthcare, finance, and defense. These standards ensure that cryptographic +operations are performed using vetted, trusted algorithms implemented in secure +modules. + +Using software components that rely on validated cryptographic modules can help organizations: + +- Satisfy federal and industry mandates, such as FedRAMP, which require or + strongly recommend FIPS 140-validated cryptography. +- Demonstrate audit readiness, with verifiable evidence of secure, + standards-based cryptographic practices. +- Reduce security risk, by blocking unapproved or unsafe algorithms (e.g., MD5) + and ensuring consistent behavior across environments. + +## How Docker Hardened Images support FIPS compliance + +Docker Hardened Images (DHIs) include variants that use cryptographic modules +validated under FIPS 140. These images are intended to help organizations meet +compliance requirements by incorporating components that meet the standard. + +- FIPS image variants use cryptographic modules that are already validated under + FIPS 140. +- These variants are built and maintained by Docker to support environments with + regulatory or compliance needs. +- Docker provides signed test attestations that document the use of validated + cryptographic modules. These attestations can support internal audits and + compliance reporting. + +> [!NOTE] +> +> Using a FIPS image variant helps meet compliance requirements but does not +> make an application or system fully compliant. Compliance depends on how the +> image is integrated and used within the broader system. + +## Identify images that support FIPS + +Docker Hardened Images that support FIPS are marked as **FIPS** compliant +in the Docker Hardened Images catalog. + +To find DHI repositories with FIPS image variants, [explore images](../how-to/explore.md) and: + +- Use the **FIPS** filter on the catalog page +- Look for **FIPS** compliant on individual image listings + +These indicators help you quickly locate repositories that support FIPS-based +compliance needs. Image variants that include FIPS support will have a tag +ending with `-fips`, such as `3.13-fips`. + +## Validate FIPS-related tests using attestations + +Docker Hardened Images include a signed [test +attestation](../core-concepts/attestations.md) that documents the results of +automated image validation. For FIPS variants, this includes test cases that +verify whether the image uses FIPS-validated cryptographic modules. + +You can retrieve and inspect this attestation using the Docker Scout CLI: + +```console +$ docker scout attest get \ + --predicate-type https://scout.docker.com/tests/v0.1 \ + --predicate \ + /dhi-: --platform +``` + +For example: + +```console +$ docker scout attest get \ + --predicate-type https://scout.docker.com/tests/v0.1 \ + --predicate \ + docs/dhi-python:3.13-fips --platform linux/amd64 +``` + +The output is a structured JSON report. Individual test outputs are +base64-encoded under fields like `stdout`. You can decode them to review the raw +test output. + +To decode and view test results: + +```console +$ docker scout attest get \ + --predicate-type https://scout.docker.com/tests/v0.1 \ + --predicate \ + docs/dhi-python:3.13-fips --platform linux/amd64 \ + | jq -r '.results.tests[].extra.stdout' \ + | base64 -d +``` \ No newline at end of file diff --git a/content/manuals/dhi/how-to/explore.md b/content/manuals/dhi/how-to/explore.md index b1f4df1e59c2..a023ff99abf8 100644 --- a/content/manuals/dhi/how-to/explore.md +++ b/content/manuals/dhi/how-to/explore.md @@ -74,6 +74,7 @@ To explore image variants: The **Tags** page provides the following information: - Tags: A list of all available tags, also known as image variants. +- Compliance: Lists relevant compliance designations. For example, `FIPS`. - Distribution: The distribution that the variant is based on. For example, `debian 12` or `alpine 3.21`. - Package manager: The package manager that is available in the variant. For example, `apt`, `apk`, or `-` (no package manager). - Shell: The shell that is available in the variant. For example, `bash`, `busybox`, or `-` (no shell).