We have verified that the public Bitnami Container Images available in Docker Hub have not been corrupted or modified. Lastly, we have validated the digest of all the container images that we build and test in our pipeline and compared them with the public ones in Docker Hub.
Bitnami signs all the containers in Docker Hub using Docker Content Trust (DCT). Content Trust lets you verify both the integrity and the publisher of container images pulled from a registry, by using digital signatures for data sent to and received from remote Docker registries.
Bitnami strongly recommends enabling Docker Content Trust to pull only signed container images from Docker Hub. To do so, use the command below:
$ export DOCKER_CONTENT_TRUST=1
With this setting, Docker refuses to pull container images that do not have a valid signature.
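As an added example (not Bitnami's own tooling), the shell functions below combine the two checks this notice describes: pulling with Docker Content Trust enforced, and comparing image digests recorded at build time with the digests observed from the registry. The `example.test` image references, the digests and the two-column "reference digest" file format are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Bitnami's tooling. Image names and digests are constructed.

# observe_digests REF...: pull each reference with Docker Content Trust
# enforced and print "<ref> <sha256:digest>" as reported by the local engine.
observe_digests() {
    for ref in "$@"; do
        DOCKER_CONTENT_TRUST=1 docker pull --quiet "$ref" >/dev/null || return 1
        repo_digest=$(docker image inspect --format '{{index .RepoDigests 0}}' "$ref") || return 1
        printf '%s %s\n' "$ref" "${repo_digest##*@}"
    done
}

# compare_digests EXPECTED OBSERVED: both files hold "<ref> <digest>" lines.
# Prints one line per problem and returns 0 only if every expected reference
# appears in OBSERVED with an identical, well-formed digest.
compare_digests() {
    awk '
        NF == 0 { next }
        length($2) != 71 || substr($2, 1, 7) != "sha256:" {
            print "MALFORMED " FILENAME ":" FNR; bad = 1; next }
        FILENAME == ARGV[1] { want[$1] = $2; next }
        !($1 in want) { print "UNEXPECTED " $1; bad = 1; next }
        { seen[$1] = 1
          if (want[$1] != $2) { print "MISMATCH " $1 " expected=" want[$1] " observed=" $2; bad = 1 } }
        END { for (r in want) if (!(r in seen)) { print "MISSING " r; bad = 1 }
              exit bad + 0 }
    ' "$1" "$2"
}

# demo: run the comparison on a constructed inventory with one altered digest.
demo() {
    dir=$(mktemp -d) || return 2
    a=$(printf '%064d' 0 | tr 0 a); b=$(printf '%064d' 0 | tr 0 b)
    printf '%s\n' "example.test/app:1.0 sha256:$a" "example.test/db:2.1 sha256:$b" > "$dir/expected"
    printf '%s\n' "example.test/app:1.0 sha256:$a" "example.test/db:2.1 sha256:$a" > "$dir/observed"
    compare_digests "$dir/expected" "$dir/observed" && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "digest check failed: do not deploy these images"
```

In real use, write the build pipeline's digests to the expected file, redirect `observe_digests` output to the observed file on a host with Docker installed, and treat any non-zero return from `compare_digests` as a reason to stop the deployment.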
You can also find Bitnami Container Images in alternative registries. As with all of our images, these are maintained and kept up to date with all the available versions and tags. You can pull from these private and public registries:
- AWS Marketplace
- Azure Marketplace
- Red Hat Container Catalog
- Google Container Registry
- Quay.io
You can also find links to the different registries per container at https://bitnami.com/stacks/containers
Bitnami Container Images in the different registries
If you have further questions about Bitnami Container Images or this security issue, please create an issue in any of our GitHub repositories (example) and we will be happy to help you.