Summary
The DHI build pipeline documentation doesn't mention malware scanning. Customers asking about which scanning tools are used in the pipeline get no answer from the docs (or from Gordon), because this information isn't documented anywhere.
What's missing
The following details should be added to the DHI documentation:
- Scanning tools used in the DHI build pipeline: ClamAV (with latest malware database) and Docker Scout are used to scan images for malware during the build process.
- Scope for base images: The malware scan runs as part of the automated build pipeline for all base DHI images.
- Scope for managed customizations (Select/Enterprise): When customers define customizations through the DHI-managed process, the malware scan runs across the whole image (base + customizations) during the customization pipeline.
- Scope limitation for self-managed customizations: When customers customize images in their own environment via a traditional Dockerfile (FROM dhi.io/... ; COPY ...), Docker's pipeline scan does not cover the content added by the customer. Customers are responsible for scanning their own additions.
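To make the self-managed boundary concrete for the doc, here is an added example (not Docker's pipeline code and not something from scan.md) of how a customer can scan only what their own Dockerfile added on top of a DHI base. It assumes the base and the derived image were exported together with `docker save BASE DERIVED -o images.tar`, that the manifest.json inside that tarball has the usual docker save shape (a list of entries with "Config", "RepoTags" and "Layers"), and that the `clamscan` CLI is on PATH with a current database. The sample manifest, tags and digests are constructed for illustration.

```python
"""Scan only the layers a customer-side Dockerfile added on top of a DHI base.

Added example for the self-managed customization boundary; not Docker's code.
Assumes `docker save BASE DERIVED -o images.tar` and ClamAV's `clamscan` CLI
(database kept current with `freshclam`, which this script does not handle).
"""
import json
import subprocess
import sys
import tarfile
from pathlib import Path
from typing import List


def added_layers(manifest_json: str, base_tag: str, derived_tag: str) -> List[str]:
    """Return the layer archive paths present in DERIVED but not in BASE.

    Each manifest entry lists its full layer chain, base-first. Comparing by
    path (which names the layer blob, not its position) means an image built
    from some other base reports every layer as customer-added instead of
    silently skipping the first N.
    """
    entries = json.loads(manifest_json)

    def layers_of(tag: str) -> List[str]:
        for entry in entries:
            if tag in (entry.get("RepoTags") or []):
                return entry["Layers"]
        raise KeyError(f"{tag} not found in manifest")

    base = set(layers_of(base_tag))
    return [layer for layer in layers_of(derived_tag) if layer not in base]


def scan_added_layers(image_tar: Path, layers: List[str], workdir: Path) -> int:
    """Extract the added layer archives from the docker save tarball and clamscan them.

    Only the customer's layers are pulled out, so base content that Docker's
    pipeline already scanned is not rescanned. Returns clamscan's exit status:
    0 clean, 1 at least one detection, 2 scanner error.
    """
    workdir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(image_tar) as tar:
        members = [tar.getmember(layer) for layer in layers]
        tar.extractall(workdir, members=members)
    targets = [str(workdir / layer) for layer in layers]
    # clamscan unpacks archives itself (scan-archive is on by default), so the
    # layer tarballs are passed directly; --infected prints only hits.
    result = subprocess.run(["clamscan", "--infected", *targets])
    return result.returncode


# Constructed manifest.json in the docker save shape (not a real export): a
# two-layer base and a derived image that added one layer via COPY.
SAMPLE_MANIFEST = json.dumps([
    {
        "Config": "blobs/sha256/" + "01" * 32,
        "RepoTags": ["dhi-base:constructed"],
        "Layers": ["blobs/sha256/" + "aa" * 32, "blobs/sha256/" + "bb" * 32],
    },
    {
        "Config": "blobs/sha256/" + "02" * 32,
        "RepoTags": ["customer-app:constructed"],
        "Layers": ["blobs/sha256/" + "aa" * 32, "blobs/sha256/" + "bb" * 32,
                   "blobs/sha256/" + "cc" * 32],
    },
])


if __name__ == "__main__":
    # Usage: python scan_added.py images.tar BASE_TAG DERIVED_TAG
    image_tar = Path(sys.argv[1])
    with tarfile.open(image_tar) as tar:
        manifest = tar.extractfile("manifest.json").read().decode()
    layers = added_layers(manifest, sys.argv[2], sys.argv[3])
    print(f"{len(layers)} customer-added layer(s) to scan")
    sys.exit(scan_added_layers(image_tar, layers, Path("./added-layers")))
```

Typical flow on the customer side: `docker build -t customer-app .`, then `docker save BASE_TAG customer-app -o images.tar`, then run the script with both tags. A non-zero exit from clamscan should fail the build, since nothing upstream of the customer will have looked at those layers.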
Where to add this
The most natural home is in How Docker Hardened Images are built (content/manuals/dhi/explore/build-process.md), which describes the build pipeline steps. Malware scanning should be added as an explicit step in both the base image pipeline and the customized image pipeline sections.
The customized image pipeline section should also clarify the scanning boundary — Docker scans the full image during its managed customization process, but content added via traditional Dockerfiles in the customer's own environment is outside of Docker's scanning scope.
Context
https://docker.slack.com/archives/C07V2MPK0SE/p1776144204384669 (internal slack)
Current state
build-process.md lists pipeline steps (monitoring → AI guardrail → human review → testing → signing → publishing) but has no malware scanning step.
scan.md and scanner-integrations.md cover how users can scan DHI images with external tools — they don't describe what Docker scans for internally during the build.