image_security_scan.yaml
questions:
  - uuid: b36df24b-b1b6-47a2-b8c1-4d0b4c98f689
    question: Which platform in Docker Enterprise (now Mirantis) allows scanning images for vulnerabilities?
    answers:
      - { value: 'UCP (Universal Control Plane, now MKE)', correct: false }
      - { value: 'Docker Hub', correct: false }
      - { value: 'DTR (Docker Trusted Registry, now MSR)', correct: true }
      - { value: 'Docker CLI', correct: false }
    help: https://docs.mirantis.com/docker-enterprise/v3.1/dockeree-products/dtr/security/scan-images.html
  - uuid: 3d30c8d6-bfcb-4bb5-b066-0b31633c7a2b
    question: When is a security scan triggered on an image in DTR (now MSR)?
    answers:
      - { value: 'Only manually from the UI', correct: false }
      - { value: 'Immediately after the image is pushed', correct: true }
      - { value: 'When building the image with a Dockerfile', correct: false }
      - { value: 'Every 24 hours automatically', correct: false }
    help: https://docs.mirantis.com/docker-enterprise/v3.1/dockeree-products/dtr/security/scan-images.html#image-scanning-flow
  - uuid: 6e5297cf-98c5-4978-a5a2-d9b87f119038
    question: Which status in DTR (now MSR) indicates that an image has no critical vulnerabilities?
    answers:
      - { value: 'ScanPending', correct: false }
      - { value: 'Pass', correct: true }
      - { value: 'Vulnerable', correct: false }
      - { value: 'Warning', correct: false }
    help: https://docs.mirantis.com/docker-enterprise/v3.1/dockeree-products/dtr/security/scan-images.html#scan-results
  - uuid: 51bd227f-7df8-48b4-8f90-1e88100cf037
    question: Where can the security results of an image be viewed in DTR (now MSR)?
    answers:
      - { value: 'In the DTR (now MSR) web interface under the specific image', correct: true }
      - { value: 'In the Swarm configuration', correct: false }
      - { value: 'On Docker Hub in the Security tab', correct: false }
      - { value: 'Using docker scan <image>', correct: false }
    help: https://docs.mirantis.com/docker-enterprise/v3.1/dockeree-products/dtr/security/scan-images.html#scan-results
  - uuid: 4a4210c4-93dc-49f2-a00e-204660a0ccba
    question: What type of vulnerabilities are detected by the DTR (now MSR) scanner?
    answers:
      - { value: 'Dockerfile syntax errors', correct: false }
      - { value: 'Flaws in volumes', correct: false }
      - { value: 'Secrets leaks in logs', correct: false }
      - { value: 'CVE (Common Vulnerabilities and Exposures)', correct: true }
    help: https://docs.mirantis.com/docker-enterprise/v3.1/dockeree-products/dtr/security/scan-images.html#image-scanning-flow
  - uuid: 93143c7e-6826-43e2-bc70-39f390e99c3e
    question: What is a good practice after detecting a critical CVE in an image?
    answers:
      - { value: 'Unpublish the image from the registry', correct: false }
      - { value: 'Ignore the alert if the container works', correct: false }
      - { value: 'Update packages and rebuild the image', correct: true }
      - { value: 'Switch to another registry', correct: false }
    help: https://docs.mirantis.com/docker-enterprise/v3.1/dockeree-products/dtr/security/scan-images.html#mitigate
  - uuid: 6c85d1e5-0106-4b0b-88b5-fd4079cfa01f
    question: Is it possible to block the execution of vulnerable images using rules?
    answers:
      - { value: 'No, Docker does not offer this level of security', correct: false }
      - { value: 'Yes, with admission rules in UCP (now MKE)', correct: true }
      - { value: 'Yes, but only on Docker Desktop', correct: false }
      - { value: 'Yes, but only via Docker Hub Pro', correct: false }
    help: https://docs.mirantis.com/docker-enterprise/v3.1/dockeree-products/ucp/rbac/admission-control.html
  - uuid: a7e14311-5b38-4dd3-bf88-76d881e5e5bc
    question: What vulnerability source is used by the DTR (now MSR) scanner?
    answers:
      - { value: 'The NIST CVE (National Vulnerability Database)', correct: true }
      - { value: 'Dockerfile linting', correct: false }
      - { value: 'Custom user-defined rules', correct: false }
      - { value: 'Logs of previous images', correct: false }
    help: https://docs.mirantis.com/docker-enterprise/v3.1/dockeree-products/dtr/security/scan-images.html#scanner
  - uuid: 4dd21887-b9a0-41ae-b39e-0ef360f3c264
    question: What does the "ScanPending" status mean for an image in DTR (now MSR)?
    answers:
      - { value: 'No issues detected', correct: false }
      - { value: 'The scan is running or scheduled but not yet complete', correct: true }
      - { value: 'Invalid image', correct: false }
      - { value: 'Scan disabled', correct: false }
    help: https://docs.mirantis.com/docker-enterprise/v3.1/dockeree-products/dtr/security/scan-images.html#scan-results