


docker

3rd chunk of `content/manuals/security/faqs/general.md`
Docker provides various types of audit logs, and log retention varies. For example, Docker activity logs are available for 90 days. You are responsible for exporting logs or setting up drivers to your own internal systems.

### Can I export a list of all users with their assigned roles and privileges and if so, in what format?

Using the [Export Members](../../admin/organization/members.md#export-members) feature, you can export to CSV a list of your organization's users with role and team information.

### How does Docker Desktop handle and store authentication information?

Docker Desktop utilizes the host operating system's secure key management for handling and storing authentication tokens necessary for authenticating with image registries. On macOS, this is [Keychain](https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/web); on Windows, this is [Security and Identity API via Wincred](https://learn.microsoft.com/en-us/windows/win32/api/wincred/); and on Linux, this is [Pass](https://www.passwordstore.org/).
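
A check for the storage behavior described above, as an added example that is not part of Docker's documentation: it parses a Docker CLI `config.json` and reports which registries delegate to a credential helper and which still hold a base64 `auth` value in the file itself. The sample config, the registry names, and the function name `audit_docker_config` are constructed for illustration.

```python
import base64
import json

# Constructed sample of a Docker CLI config.json; registry names and the
# credential are made up for this example.
PLAIN = base64.b64encode(b"builder:constructed-secret").decode()
SAMPLE_CONFIG = json.dumps({
    "credsStore": "osxkeychain",
    "credHelpers": {"registry.example.internal": "pass"},
    "auths": {
        "https://index.docker.io/v1/": {},
        "registry.example.internal": {},
        "legacy.example.internal": {"auth": PLAIN},
    },
})


def audit_docker_config(text):
    """Map each registry to (status, detail): "helper" means an OS credential
    store holds the secret, "plaintext" means it sits base64-encoded in the
    file (encoding, not encryption), "none" means no credential is configured."""
    cfg = json.loads(text)
    default_store = cfg.get("credsStore")
    helpers = cfg.get("credHelpers", {})
    report = {}
    for registry, entry in cfg.get("auths", {}).items():
        entry = entry or {}
        if entry.get("auth") or entry.get("identitytoken"):
            user = ""
            if entry.get("auth"):
                decoded = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
                user = decoded.partition(":")[0]
            # Report only the account name, never the secret itself.
            report[registry] = ("plaintext", user)
        elif registry in helpers:
            report[registry] = ("helper", helpers[registry])
        elif default_store:
            report[registry] = ("helper", default_store)
        else:
            report[registry] = ("none", "")
    # Registries that have a per-registry helper but no "auths" entry.
    for registry, helper in helpers.items():
        report.setdefault(registry, ("helper", helper))
    return report


if __name__ == "__main__":
    for reg, (status, detail) in sorted(audit_docker_config(SAMPLE_CONFIG).items()):
        print(f"{status:9} {reg} {detail}")
```

Any registry reported as `plaintext` has a credential readable by anything that can read the file, regardless of which credential store is configured.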

### How does Docker Hub secure passwords in storage and in transit?

This is applicable only when using Docker Hub's application-level password versus SSO/SAML. For users created through SSO Just-in-Time or SCIM provisioning, Docker Hub doesn't store passwords. For all other users, application-level passwords are salt-hashed in storage (SHA-256) and encrypted in transit (TLS).

### How do we de-provision users who are not part of our IdP? We use SSO but not SCIM

If SCIM isn't enabled, you have to manually remove users from the organization.
SCIM can automate this if your users are added after SCIM is enabled. Any users
added to your organization before SCIM is enabled must be removed manually.

For more information on manually removing users, see
[Manage organization members](/manuals/admin/organization/members.md).

### What metadata is collected from container images that Scout analyzes?

For information about the metadata stored by Docker Scout, see [Data handling](/manuals/scout/deep-dive/data-handling.md).

### How are extensions within the Marketplace vetted for security prior to placement?

Security vetting for extensions is on our roadmap; however, this vetting isn't currently done.

Extensions are not covered as part of Docker’s Third-Party Risk Management Program.

### Can I disable private repos in my organization via a setting to make sure nobody is pushing images into Docker Hub?

No. With [Registry Access Management](/manuals/security/for-admins/hardened-desktop/registry-access-management.md) (RAM), administrators can ensure that their developers using Docker Desktop only access allowed registries. This is done through the Registry Access Management dashboard in the Admin Console.

Title: Docker Security: Passwords, User Deprovisioning, Metadata, and Extensions
Summary
This section covers Docker's security practices, including how Docker Hub secures passwords using salt-hashing and TLS encryption, how to de-provision users when not using SCIM (manual removal is required), the metadata collected from container images analyzed by Scout, the current lack of security vetting for extensions in the Marketplace, and the inability to disable private repos in Docker Hub (but Registry Access Management can restrict registry access).