Tuesday, April 30, 2019

Trusting Images from Docker Hub

On April 25th, Docker Hub reported a security breach that exposed the credentials of 190,000 users. Bitnami has followed the security recommendations from Docker and immediately reset the credentials for all Bitnami developers and bots with access to the Bitnami Container Images.

We have verified that the public Bitnami Container Images available in Docker Hub have not been corrupted or modified. Lastly, we have validated the digest of all the container images that we build and test in our pipeline and compared them with the public ones in Docker Hub.

Bitnami signs all the containers in Docker Hub using Docker Content Trust (DCT). Content Trust lets you verify both the integrity and the publisher of the container images you receive from a registry, by using digital signatures for data sent to and received from remote Docker registries.

Bitnami strongly recommends enabling Docker Content Trust to pull only signed container images from Docker Hub. To do so, use the command below:

$ export DOCKER_CONTENT_TRUST=1

This prevents pulling container images that do not have a valid signature.
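Added example (not Bitnami's own tooling): a shell function that combines the two checks described above, pulling a tag with Docker Content Trust enforced and then comparing the digest Docker recorded for it with one pinned from your own records. The function name `pull_verified`, its exit codes and the pinned digest are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Bitnami tooling. pull_verified and its exit codes are
# names chosen for this sketch.
#
# Usage: pull_verified IMAGE:TAG sha256:<digest recorded by your pipeline>
# Returns: 0 signed pull and digest match, 1 pull or inspect failed
#          (includes a missing or invalid signature), 2 digest mismatch,
#          64 bad arguments.
pull_verified() {
    if [ "$#" -ne 2 ]; then
        echo "usage: pull_verified IMAGE:TAG sha256:<hex>" >&2
        return 64
    fi
    pv_ref=$1
    pv_expected=$2
    case $pv_expected in
        sha256:?*) ;;
        *) echo "expected digest must look like sha256:<hex>" >&2; return 64 ;;
    esac

    # Set the variable on the command itself so enforcement does not depend
    # on whatever the calling shell happens to export.
    if ! DOCKER_CONTENT_TRUST=1 docker pull "$pv_ref" >/dev/null; then
        echo "refused: $pv_ref has no valid signature or the pull failed" >&2
        return 1
    fi

    # RepoDigests lists "repository@sha256:..." entries for the local image.
    pv_digests=$(docker image inspect \
        --format '{{range .RepoDigests}}{{println .}}{{end}}' "$pv_ref") || return 1

    for pv_d in $pv_digests; do
        if [ "${pv_d##*@}" = "$pv_expected" ]; then
            echo "ok: $pv_ref is signed and matches $pv_expected"
            return 0
        fi
    done
    echo "mismatch: $pv_ref did not resolve to $pv_expected" >&2
    return 2
}
```

Take the pinned digest from your own build or an earlier verified pull, not from the registry you are checking.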

You can also find Bitnami Container Images in alternative registries. As with all of our images, these are maintained and up-to-date with all the available versions and tags. You can pull from these private and public registries:

- AWS Marketplace
- Azure Marketplace
- Red Hat Container Catalog
- Google Container Registry
- Quay.io

You can also find links to the different registries per container at https://bitnami.com/stacks/containers

Bitnami Container Images in the different registries

If you have further questions about Bitnami Container Images or this security issue, please create an issue in any of our GitHub repositories (example) and we will be happy to help you.