don't store non-open-source project images in a public registry

This is a series of posts on thoughts and gotchas when architecting / developing solutions that involve Docker.

Guidance

Unless specifically creating a public open-source project, do not store project images in a public registry (such as Docker Hub).

Reasoning

By storing an image in a public registry such as Docker Hub you are exposing potentially confidential or security-relevant information to the public.

Since the image carries the full details of how it was built (every layer's build command is recorded in its history), it may reveal the following information you do not wish to expose:

  • Specific versions of operating systems
  • Specific patches
  • Specific applications used

All of this is information that can be used to find weaknesses in a solution. More dangerously, your image may inadvertently contain passwords, machine names, network names (if designed incorrectly) or license keys, which may in turn cause a security breach.
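A pre-push check of the kind this argues for, as an added example (not the author's code): it reads the `history` entries of an image config (the same build steps `docker history --no-trunc` prints and anyone pulling the image can read) and flags steps that leak the sort of detail listed above. The sample config and the regex patterns are constructed for illustration.

```python
"""Scan an image's recorded build history for data you would not want public."""
import json
import re
from typing import Dict, List, Tuple

# Constructed patterns covering the leak classes discussed above
# (credentials / license keys, private key files, internal host names).
SENSITIVE = {
    "credential": re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|LICENSE_KEY)\s*=", re.I),
    "private_key_file": re.compile(r"\.(pem|key|p12)\b"),
    "internal_host": re.compile(r"\b[\w.-]+\.(corp|internal|local|lan)\b", re.I),
}


def build_commands(image_config: Dict) -> List[str]:
    """Return the build steps recorded in an OCI/Docker image config.
    Each history entry's ``created_by`` is the command that produced a layer."""
    return [h.get("created_by", "") for h in image_config.get("history", [])]


def find_exposures(image_config: Dict) -> List[Tuple[str, str]]:
    """Return (category, build step) pairs for every step matching a sensitive pattern."""
    hits = []
    for step in build_commands(image_config):
        for category, pattern in SENSITIVE.items():
            if pattern.search(step):
                hits.append((category, step))
    return hits


# Constructed sample shaped like `docker image inspect` output; not a real image.
SAMPLE_CONFIG = json.loads("""
{
  "history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
    {"created_by": "/bin/sh -c apt-get update && apt-get install -y openssl=1.1.1n-0+deb11u5"},
    {"created_by": "/bin/sh -c #(nop) ENV DB_PASSWORD=hunter2"},
    {"created_by": "/bin/sh -c #(nop) COPY server.key /etc/ssl/private/server.key"},
    {"created_by": "/bin/sh -c curl -O http://build01.corp.example/installer.tgz"}
  ]
}
""")

if __name__ == "__main__":
    for category, step in find_exposures(SAMPLE_CONFIG):
        print(f"[{category}] {step}")
```

Note that the pinned package version on the `apt-get` line is not flagged; the version detail the post warns about is inherent to any published image, so the only real control is keeping the image private.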

The following image shows the information available on Dockerhub.

As you can see, the full installation script is present.
So... unless you are creating an open-source project, don't store your images in public repositories.

chris hay
