From cc011ff1b989a3a233076fefb3324168a1940fcb Mon Sep 17 00:00:00 2001 From: Craig Date: Tue, 12 Aug 2025 11:04:07 -0700 Subject: [PATCH] dhi: add cis compliance concept Signed-off-by: Craig --- content/manuals/dhi/core-concepts/_index.md | 11 +++++ content/manuals/dhi/core-concepts/cis.md | 53 +++++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 content/manuals/dhi/core-concepts/cis.md diff --git a/content/manuals/dhi/core-concepts/_index.md b/content/manuals/dhi/core-concepts/_index.md index 419c5932bba1..faccba6105ce 100644 --- a/content/manuals/dhi/core-concepts/_index.md +++ b/content/manuals/dhi/core-concepts/_index.md @@ -20,6 +20,8 @@ params: description: Learn how build provenance metadata helps trace the origin of Docker Hardened Images and support compliance with SLSA. icon: track_changes link: /dhi/core-concepts/provenance/ + + grid_concepts_compliance: - title: FIPS description: Learn how Docker Hardened Images support FIPS 140 by using validated cryptographic modules and providing signed attestations for compliance audits. icon: verified @@ -28,6 +30,10 @@ params: description: Learn how Docker Hardened Images provide STIG-hardened container images with verifiable security scan attestations for government and enterprise compliance requirements. icon: policy link: /dhi/core-concepts/stig/ + - title: CIS Benchmarks + description: Learn how Docker Hardened Images help you meet Center for Internet Security (CIS) Docker Benchmark requirements for secure container configuration and deployment. + icon: check_circle + link: /dhi/core-concepts/cis/ grid_concepts_risk: - title: Common Vulnerabilities and Exposures (CVEs) @@ -84,10 +90,15 @@ and VEX. Start here if you want to understand how Docker Hardened Images support compliance, transparency, and security. + ## Security metadata and attestations {{< grid items="grid_concepts_metadata" >}} +## Compliance standards + +{{< grid items="grid_concepts_compliance" >}} + ## Vulnerability and risk management {{< grid items="grid_concepts_risk" >}} diff --git a/content/manuals/dhi/core-concepts/cis.md b/content/manuals/dhi/core-concepts/cis.md new file mode 100644 index 000000000000..3b2f72359666 --- /dev/null +++ b/content/manuals/dhi/core-concepts/cis.md @@ -0,0 +1,53 @@ +--- +title: CIS Benchmark +description: Learn how Docker Hardened Images comply with the CIS Docker Benchmark to help organizations harden container images for secure deployments. +keywords: docker cis benchmark, cis docker compliance, cis docker images, docker hardened images, secure container images +--- + +## What is the CIS Docker Benchmark? + +The [CIS Docker Benchmark](https://www.cisecurity.org/benchmark/docker) is part +of the globally recognized CIS Benchmarks, developed by the [Center for +Internet Security (CIS)](https://www.cisecurity.org/). It defines recommended secure +configurations for all aspects of the Docker container ecosystem, including the +container host, Docker daemon, container images, and the container runtime. + +## Why CIS Benchmark compliance matters + +Following the CIS Docker Benchmark helps organizations: + +- Reduce security risk with widely recognized hardening guidance. +- Meet regulatory or contractual requirements that reference CIS controls. +- Standardize image and Dockerfile practices across teams. +- Demonstrate audit readiness with configuration decisions grounded in a public standard. + +## How Docker Hardened Images comply with the CIS Benchmark + +Docker Hardened Images (DHIs) are designed with security in mind and are +verified to be compliant with the relevant controls from the latest CIS +Docker Benchmark (v1.8.0) for the scope that applies to container images and +Dockerfile configuration. + +CIS-compliant DHIs are compliant with all controls in Section 4, with the sole +exception of the control requiring Docker Content Trust (DCT), which [Docker +officially retired](https://www.docker.com/blog/retiring-docker-content-trust/). +By starting from a CIS-compliant DHI, teams can adopt image-level best practices +from the benchmark more quickly and confidently. + +> [!NOTE] +> +> The CIS Docker Benchmark also includes controls for the host, daemon, and +> runtime. CIS-compliant DHIs address only the image and Dockerfile scope (Section +> 4). Overall compliance still depends on how you configure and operate the +> broader environment. + +## Identify CIS-compliant images + +CIS-compliant images are labeled as **CIS** in the Docker Hardened Images catalog. +To find them, [explore images](../how-to/explore.md) and look for the **CIS** +designation on individual listings. + +## Get the benchmark + +Download the latest CIS Docker Benchmark directly from CIS: +https://www.cisecurity.org/benchmark/docker