Best practices for consuming public Docker Hub content
Rishi Mukhopadhyay
Product Manager
With the proliferation of open source software in modern development environments, your environment may have dependencies on public container images stored in Docker Hub. Without proper configuration and controls, these dependencies can cause security and reliability risks within your CI/CD pipeline. In this blog, we outline some best practices that your teams can follow in order to reduce these risks.
Store local copies of public containers
Storing local copies of public containers wherever possible provides the highest reliability and allows for stronger security controls. The Open Containers Initiative published guidelines around consuming public content that you can refer to for additional details.
Use authentication when accessing Docker Hub
We recommend that any time you access Docker Hub, you do so in an authenticated manner instead of anonymously. In addition to security risks, making anonymous requests can also introduce risk of hitting rate limits, which may affect the reliability of your CI/CD pipelines. Depending on the architecture of your CI/CD infrastructure and the Google Cloud services that you use, there are a few options for authentication:
- Use Artifact Registry Remote Repositories: Instead of directly referencing Docker Hub repositories within your build processes, you can use Artifact Registry remote repositories to authenticate with Docker Hub and to provide a regional cache of your dependencies. The full instructions for using Docker Hub access tokens with Artifact Registry can be found in the following Artifact Registry documentation page: Configure remote repository authentication to Docker Hub.
- Use Cloud Build to interact with Docker Images: Cloud build provides authentication mechanisms for pulling Docker Hub images within your build steps. You can use these authentication mechanisms if you depend on Docker Hub images to build your container images.
The following Cloud build config file shows how to login to Docker using the Docker username and password stored in Secret Manager, and run a private image. For more information on using Cloud Build to interact with Docker Hub, see Interact with Docker Hub images.
Following the best practices outlined above improves security posture and reduces reliability risk within your CI/CD pipelines. Additionally, implementing the right authentication controls for your environments removes blockers in development later in production, and ensures corporate security standards are met or exceeded in the process.
In addition, the following related product pages and features may also be useful for you.