Security at Docker
Docker is dedicated to building customer trust by demonstrating that our products are secure. As you manage all your developer needs, you can rest easy knowing your data is in good hands.
Cybersecurity takes a community
Cybersecurity is a shared responsibility. Docker offers enterprise-level security features, compliance audits, privacy protections, and configurable security settings to support your company’s needs. Customers are also responsible for implementing security controls and best practices to strengthen their usage of Docker products.
Security materials
Report a vulnerability
If you’ve discovered a security vulnerability in Docker, we encourage you to report it responsibly. Please report security issues to [email protected] so that they can be quickly addressed by our team. Read Docker’s Vulnerability Disclosure Policy.
Security FAQs
Who’s responsible for Information Security at Docker?
At Docker, we believe that everyone is responsible for security. Docker has a cross-collaborative team supported by executive management that is responsible for cybersecurity within the organization and across Docker’s products. The team comprises Information Security, Security Engineering, IT, Data, Operations, and GRC resources.
This group drives internal and product security initiatives and collaborates on audits, incident and vulnerability management, security reviews of products, projects, vendors, and more.
Where can I find security notices on Docker products?
Does Docker have an Information Security policy?
Yes. Docker has a documented Information Security Policy, an overarching, umbrella policy with many sub-policies under its purview. Collectively, many policies comprise our Information Security Management System (ISMS).
How often does Docker test security controls?
Docker utilizes a compliance tool for automated, continuous testing. We regularly test controls based on their risk level, but all controls are tested at least annually.
How often is penetration testing performed and are reports available?
Docker has a reputable third party perform annual penetration tests of our products. Docker Hub, Docker Desktop, Docker Scout, and Docker Build Cloud are routinely tested. Test summaries and remediation status reports are available to customers under NDA.
How can I access Docker’s Security Policy Documentation?
Docker shares the tables of contents (TOCs) of its security policies with customers and prospective customers under NDA via our security profile on the Whistic platform. Customers can access Whistic by submitting a documentation request.
Does Docker have a vulnerability management policy?
Docker has a Vulnerability Management Policy, which includes requirements for asset scanning, anti-virus/anti-malware, and remediation/risk acceptance of identified vulnerabilities.
Does Docker perform risk assessments on third parties?
Yes. Docker performs a vendor due diligence review when onboarding each new, applicable third party in order to assess the risk that vendor presents. The review includes inspection of compliance attestations (e.g., SOC 2, ISO 27001, PCI) and other security- and compliance-related documentation.
Does Docker have 24/7 security monitoring?
Yes. Docker has 24/7 monitoring and alerting of critical and high-risk security events. Alerts are logged in our SIEM tool. High and critical events are routed to our security on-call tool.
Does Docker have a Secure Software Development Lifecycle (SSDLC) policy?
Yes. Docker has a formal SSDLC policy that defines requirements for security and privacy. All new Docker products and features must undergo a security and compliance review. Docker follows OWASP best practices as well.
Does Docker encrypt data in transit and at rest?
Yes. All data is encrypted in transit and at rest. Docker uses TLS 1.2 or later and AES-256, among other controls.
Does Docker perform background checks on employees?
Yes. Docker performs background screening on all applicable employees prior to employment where allowed by local law. This includes employment, criminal, professional, and academic checks, as well as reference checks.
Does Docker have formalized onboarding, offboarding, access provisioning, and de-provisioning processes?
Yes. Docker has documented, approved, and communicated policies for Human Resources recruiting, onboarding, offboarding, and access control. When personnel are terminated, Docker removes their access within 24 hours. We also adjust access as needed for transfers and changes of job function.
Do Docker employees have access to customer data?
Yes, but only authorized Docker employees and contractors can access scoped data, and only as necessary and appropriate for their job responsibilities. Docker provisions access on the principle of least privilege.