dhi: add malware scan info (#24729)

craig-osterhout · web-flow · commit 41fb4e723de9 · 2026-04-15T08:01:56.000-07:00
## Description ### Summary - Add new Explore topic documenting how Docker scans DHI images for malware using ClamAV, including how to retrieve and verify the virus scan attestation - Update the base and customized build pipeline descriptions to include scanning (malware, secrets, vulnerabilities) as an explicit pipeline step - Add cross-references from the attestations page to the new malware scanning topic ### Details DHI images include a signed virus/malware scan attestation (`https://scout.docker.com/virus/v0.1`), but this wasn't documented anywhere beyond a one-line mention in the attestations table. This PR adds a dedicated Explore topic for it and integrates scanning into the build pipeline documentation. The attestation content was verified by pulling actual attestations from both a base image (`dhi.io/python:3.13`) and a customized image (`projectsteam/dhi-python-3:3.10-alpine3.22_curl`). Key findings that informed the docs: - The virus scan uses **ClamAV** (`clamav/clamav:stable`), scanning all OCI blobs including archives - The attestation payload is JSON with a base64-encoded ClamAV report - Both base and customized images get virus, secrets, and vulnerability scanning - Only base images get the functional **test** attestation — customized images do not ### Notable generated topics - https://deploy-preview-24729--docsdocker.netlify.app/dhi/explore/malware-scanning/ - https://deploy-preview-24729--docsdocker.netlify.app/dhi/explore/build-process/ ## Related issues or tickets Closes #24728 ## Reviews   - [ ] Editorial review --------- Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
diff --git a/content/manuals/dhi/core-concepts/attestations.md b/content/manuals/dhi/core-concepts/attestations.md
@@ -82,7 +82,7 @@ For more details, see [Verify image attestations](../how-to/verify.md#verify-ima
 | Scout SBOM                 | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata.                                                                                             |
 | Secrets scan               | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys.                                                                                       |
 | Tests                      | A record of automated tests run against the image, such as functional checks or validation scripts.                                                                                      |
-| Virus scan                 | Results of antivirus scans performed on the image layers.                                                                                                                                 |
+| Virus scan                 | Results of antivirus scans performed on the image layers. For details, see [Malware scanning](../explore/malware-scanning.md).                                                            |
 | CVEs (Scout format)        | A vulnerability report generated by Docker Scout, listing known CVEs and severity data.                                                                                                  |
 | SLSA provenance            | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source.                                               |
 | SLSA verification summary  | A summary attestation indicating the image's compliance with SLSA requirements.                                                                                                          |
@@ -130,7 +130,7 @@ For more details, see [Verify Helm chart attestations](../how-to/verify.md#verif
 | Scout SBOM                 | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata.                                                                                |
 | Secrets scan               | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package.                                                                                                       |
 | Tests                      | A record of automated tests run against the chart to validate functionality and compatibility with referenced images.                                                                                                          |
-| Virus scan                 | Results of antivirus scans performed on the chart package.                                                                                                                                                                     |
+| Virus scan                 | Results of antivirus scans performed on the chart package. For details, see [Malware scanning](../explore/malware-scanning.md).                                                                                                |
 | CVEs (Scout format)        | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images.                                                                                                      |
 | SLSA provenance            | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials.                                                 |
 | SPDX SBOM                  | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references.                                                                                                              |
diff --git a/content/manuals/dhi/explore/_index.md b/content/manuals/dhi/explore/_index.md
@@ -25,6 +25,10 @@ params:
       description: See how Docker Hardened Images are automatically tested for standards compliance, functionality, and security.
       icon: science
       link: /dhi/explore/test/
+    - title: Malware scanning
+      description: Learn how Docker scans Docker Hardened Images for viruses and malware, and how to view and verify the scan attestation.
+      icon: bug_report
+      link: /dhi/explore/malware-scanning/
     - title: Responsibility overview
       description: Understand Docker's role and your responsibilities when using Docker Hardened Images as part of your secure software supply chain.
       icon: group
diff --git a/content/manuals/dhi/explore/build-process.md b/content/manuals/dhi/explore/build-process.md
@@ -118,8 +118,10 @@ Each Docker Hardened Image is built through an automated pipeline:
    projects, improving the code for the entire community. When fixes are accepted
    upstream, the DHI build pipeline applies the patch immediately to protect
    customers while the fix moves through the upstream release process.
-5. Testing: Images undergo comprehensive testing for compatibility and
-   functionality.
+5. Testing and scanning: Images undergo comprehensive
+   [testing](test.md) for compatibility and functionality, and are
+   [scanned for malware](malware-scanning.md), secrets, and
+   vulnerabilities.
 6. Signing and attestations: Docker signs each image and generates
    attestations (SBOMs, VEX documents, build provenance).
 7. Publishing: The signed image is published to the DHI registry and the
@@ -144,8 +146,8 @@ The following diagram shows the base image build flow:
                                                                                            |
                                                                                            v
 .-------------------.      .-------------------.      .-------------------.      .-------------------.
-| Cascade rebuilds  |<-----| Publish to        |<-----| Sign & generate   |<-----| Testing           |
-| (if needed)       |      | DHI registry      |      | attestations      |      |                   |
+| Cascade rebuilds  |<-----| Publish to        |<-----| Sign & generate   |<-----| Testing &         |
+| (if needed)       |      | DHI registry      |      | attestations      |      | scanning          |
 '-------------------'      '-------------------'      '-------------------'      '-------------------'
 ```
 
@@ -160,9 +162,11 @@ When you customize a DHI image with DHI Select or DHI Enterprise, the build proc
    DHI image is updated, an automated rebuild starts.
 3. Fetch base image: The latest base DHI image is fetched.
 4. Apply customizations: Your OCI artifacts are applied to the base image.
-5. Signing and attestations: Docker signs the customized image and generates
+5. Scanning: The customized image is [scanned for
+   malware](malware-scanning.md), secrets, and vulnerabilities.
+6. Signing and attestations: Docker signs the customized image and generates
    attestations (SBOMs, VEX documents, build provenance).
-6. Publishing: The signed customized image is published to Docker Hub and the
+7. Publishing: The signed customized image is published to Docker Hub and the
    attestations are published to the Docker Scout registry.
 
 Docker handles the entire process automatically, so you don't need to manage
@@ -172,14 +176,14 @@ customized images and managing any CVEs introduced by your OCI artifacts.
 The following diagram shows the customized image build flow:
 
 ```goat {class="text-sm"}
-.-------------------.      .-------------------.      .-------------------.
-| Docker monitors   |----->| Trigger rebuild   |----->| Fetch base        |
-| OCI artifacts     |      |                   |      | DHI image         |
-'-------------------'      '-------------------'      '-------------------'
-                                                               |
-                                                               v
-.-------------------.      .-------------------.      .-------------------.
-| Publish to        |<-----| Sign & generate   |<-----| Apply             |
-| Docker Hub        |      | attestations      |      | customizations    |
-'-------------------'      '-------------------'      '-------------------'
+.-------------------.      .-------------------.      .-------------------.      .-------------------.
+| Docker monitors   |----->| Trigger rebuild   |----->| Fetch base        |----->| Apply             |
+| OCI artifacts     |      |                   |      | DHI image         |      | customizations    |
+'-------------------'      '-------------------'      '-------------------'      '-------------------'
+                                                                                           |
+                                                                                           v
+                           .-------------------.      .-------------------.      .-------------------.
+                           | Publish to        |<-----| Sign & generate   |<-----| Scanning          |
+                           | Docker Hub        |      | attestations      |      |                   |
+                           '-------------------'      '-------------------'      '-------------------'
 ```
diff --git a/content/manuals/dhi/explore/feedback.md b/content/manuals/dhi/explore/feedback.md
@@ -3,7 +3,7 @@ title: Give feedback
 linkTitle: Feedback
 description: How to interact with the DHI team
 keywords: software supply chain security, feedback, bugs, discussion, questions
-weight: 50
+weight: 999
 aliases:
   - /dhi/about/feedback/
 ---
diff --git a/content/manuals/dhi/explore/malware-scanning.md b/content/manuals/dhi/explore/malware-scanning.md
@@ -0,0 +1,94 @@
+---
+title: Malware scanning
+description: Learn how Docker scans Docker Hardened Images for viruses and malware using ClamAV, and how to view and verify the scan attestation.
+keywords: docker hardened images, malware scanning, virus scan, clamav, attestation, image security
+weight: 50
+---
+
+The Docker Hardened Image (DHI) pipeline scans for viruses and malware as part
+of the build process. The scan results are embedded as a signed attestation,
+which you can independently retrieve and verify.
+
+## How it works
+
+Docker uses [ClamAV](https://www.clamav.net/), an open source antivirus engine,
+to scan every layer of each image. The scan runs automatically during the build
+process and checks all files in the image, including files inside archives, for
+known viruses and malware signatures.
+
+The scan results are published as a signed attestation attached to the image.
+The attestation includes the full ClamAV scan report, including the number of
+files scanned, the virus signature database version, and whether any infected
+files were detected.
+
+## View the malware scan attestation
+
+You can retrieve the malware scan attestation using the Docker Scout CLI.
+
+1. Use the `docker scout attest get` command with the virus scan predicate type:
+
+   ```console
+   $ docker scout attest get \
+     --predicate-type https://scout.docker.com/virus/v0.1 \
+     --predicate \
+     dhi.io/<image>:<tag>
+   ```
+
+   > [!NOTE]
+   >
+   > If the image exists locally on your device, you must prefix the image name
+   > with `registry://`. For example, use `registry://dhi.io/python` instead of
+   > `dhi.io/python`.
+
+   For example:
+
+   ```console
+   $ docker scout attest get \
+     --predicate-type https://scout.docker.com/virus/v0.1 \
+     --predicate \
+     dhi.io/python:3.13
+   ```
+
+   The output is a JSON object containing the scanner used and the base64-encoded
+   scan report:
+
+   ```json
+   {
+     "scanner": {
+       "report": "<base64-encoded ClamAV report>",
+       "uri": "clamav/clamav:stable"
+     }
+   }
+   ```
+
+   Decoding the report shows the full ClamAV output, ending with a scan summary:
+
+   ```text
+   ----------- SCAN SUMMARY -----------
+   Known viruses: 3627833
+   Engine version: 1.5.2
+   Scanned directories: 4
+   Scanned files: 21
+   Infected files: 0
+   Data scanned: 44.90 MiB
+   Data read: 23.88 MiB (ratio 1.88:1)
+   Time: 11.473 sec (0 m 11 s)
+   Start Date: 2026:04:12 02:36:19
+   End Date:   2026:04:12 02:36:30
+   ```
+
+2. Verify the attestation signature. To ensure the attestation is authentic and
+   signed by Docker, run:
+
+   ```console
+   $ docker scout attest get \
+     --predicate-type https://scout.docker.com/virus/v0.1 \
+     --verify \
+     dhi.io/<image>:<tag> --platform <platform>
+   ```
+
+   If the attestation is valid, Docker Scout confirms the signature and shows
+   the matching `cosign verify` command.
+
+To view other attestations, such as SBOMs or test results, see [Verify
+an image](../how-to/verify.md).
