publish updates from main #22480

Merged
merged 5 commits into from
Apr 24, 2025
4 changes: 2 additions & 2 deletions content/manuals/build/building/base-images.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ For most cases, you don't need to create your own base image. Docker Hub
contains a vast library of Docker images that are suitable for use as a base
image in your build. [Docker Official
Images](../../docker-hub/image-library/trusted-content.md#docker-official-images)
have clear documentation, promote best practices, and are regularly updated
have clear documentation, promote best practices, and are regularly updated.
There are also [Docker Verified
Publisher](../../docker-hub/image-library/trusted-content.md#verified-publisher-images)
images, created by trusted publishing partners, verified by Docker.
Expand Down Expand Up @@ -77,7 +77,7 @@ To run your new image, use the `docker run` command:
$ docker run --rm hello
```

This example image can only successfully execute as long as the `hello` binary
This example image can only be successfully executed as long as the `hello` binary
doesn't have any runtime dependencies. Computer programs tend to depend on
certain other programs or resources to exist in the runtime environment. For
example:
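Review bot: the new wording "can only be successfully executed as long as" is still awkward; "This example image runs successfully only if the `hello` binary has no runtime dependencies" reads more directly and matches the `docker run --rm hello` example just above it.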
Original file line number Diff line number Diff line change
Expand Up @@ -83,23 +83,23 @@ Result 1: The local environment takes precedence, but the Compose file is not se

Result 2: The `env_file` attribute in the Compose file defines an explicit value for `VALUE` so the container environment is set accordingly.

Result 3: The `environment` attribute in the Compose file defines an explicit value for `VALUE`, so the container environment is set accordingly/
Result 3: The `environment` attribute in the Compose file defines an explicit value for `VALUE`, so the container environment is set accordingly.

Result 4: The image's `ENV` directive declares the variable `VALUE`, and since the Compose file is not set to override this value, this variable is defined by image

Result 5: The `docker compose run` command has the `--env` flag set which an explicit value, and overrides the value set by the image.

Result 6: The `docker compose run` command has the `--env` flag set to replicate the value from the environment. Host OS value takes precedence and is replicated into the container's environment.

Result 7: The `docker compose run` command has the `--env` flag set to replicate the value from the environment. Value from `.env` file is the selected to define the container's environment.
Result 7: The `docker compose run` command has the `--env` flag set to replicate the value from the environment. Value from `.env` file is selected to define the container's environment.

Result 8: The `env_file` attribute in the Compose file is set to replicate `VALUE` from the local environment. Host OS value takes precedence and is replicated into the container's environment.

Result 9: The `env_file` attribute in the Compose file is set to replicate `VALUE` from the local environment. Value from `.env` file is the selected to define the container's environment.
Result 9: The `env_file` attribute in the Compose file is set to replicate `VALUE` from the local environment. Value from `.env` file is selected to define the container's environment.

Result 10: The `environment` attribute in the Compose file is set to replicate `VALUE` from the local environment. Host OS value takes precedence and is replicated into the container's environment.

Result 11: The `environment` attribute in the Compose file is set to replicate `VALUE` from the local environment. Value from `.env` file is the selected to define the container's environment.
Result 11: The `environment` attribute in the Compose file is set to replicate `VALUE` from the local environment. Value from `.env` file is selected to define the container's environment.

Result 12: The `--env` flag has higher precedence than the `environment` and `env_file` attributes and is to set to replicate `VALUE` from the local environment. Host OS value takes precedence and is replicated into the container's environment.
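Review bot: three neighbouring lines in the same block still carry errors that this typo pass missed: Result 4 "defined by image" should be "defined by the image"; Result 5 "set which an explicit value" should be "set with an explicit value"; Result 12 "is to set to replicate" should be "is set to replicate". Fixing them in the same commit keeps the block consistent.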

15 changes: 15 additions & 0 deletions content/manuals/docker-hub/image-library/mirror.md
Expand Up @@ -45,6 +45,21 @@ Hub can be mirrored.
The Registry can be configured as a pull through cache. In this mode a Registry
responds to all normal docker pull requests but stores all content locally.

### Using Registry Access Management (RAM) with a registry mirror

If Docker Hub access is restricted via your Registry Access Management (RAM) configuration, you will not be able to pull images originating from Docker Hub even if the images are available in your registry mirror.

You will encounter the following error:
```console
Error response from daemon: Access to docker.io has been restricted by your administrators.
```

If you are unable to allow access to Docker Hub, you can manually pull from your registry mirror and optionally, retag the image. For example:
```console
docker pull <your-registry-mirror>[:<port>]/library/busybox
docker tag <your-registry-mirror>[:<port>]/library/busybox:latest busybox:latest
```

## How does it work?

The first time you request an image from your local registry mirror, it pulls
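Review bot: the workaround in this new section should state that the mirror host itself must be permitted by RAM, otherwise the `docker pull <your-registry-mirror>[:<port>]/library/busybox` command hits the same "Access to docker.io has been restricted" class of error. A sentence noting that the `docker tag` step produces a local `busybox:latest` that looks identical to an image pulled from Docker Hub would also help administrators who restricted `docker.io` understand that Hub-originated content still reaches clients through a permitted mirror. Minor: add a blank line before each ```console fence, as the other fenced blocks in this PR do.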
28 changes: 15 additions & 13 deletions content/manuals/scout/quickstart.md
Expand Up @@ -84,26 +84,24 @@ Learn more about the `docker scout cves` command in the

## Step 4: Fix application vulnerabilities

The fix suggested by Docker Scout is to update
the underlying vulnerable express version to 4.17.3 or later.
After the Docker Scout analysis, a high vulnerability CVE-2022-24999 was found, caused by an outdated version of the **express** package.

1. Update the `package.json` file with the new package version.
The version 4.17.3 of the express package fixes the vulnerability. Therefore, update the `package.json` file to the new version:

```diff
"dependencies": {
- "express": "4.17.1"
+ "express": "4.17.3"
}
```

2. Rebuild the image with a new tag and push it to your Docker Hub repository:
Rebuild the image with a new tag and push it to your Docker Hub repository:

```console
$ docker build --push -t <ORG_NAME>/scout-demo:v2 .
```

Now, viewing the latest tag of the image in Docker Desktop, the Docker Scout
Dashboard, or CLI, you can see that you have fixed the vulnerability.
Run the `docker scout` command again and verify that HIGH CVE-2022-24999 is no longer present:

```console
$ docker scout cves --only-package express
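Review bot: the rewrite drops "or later" from the removed text; since 4.17.3 is the minimum fixed version, "update `express` to 4.17.3 or later" is more accurate than "The version 4.17.3 of the express package fixes the vulnerability". Also "a high vulnerability CVE-2022-24999" should read "a high-severity vulnerability, CVE-2022-24999,", and "Run the `docker scout` command again" should name the command actually shown below it, `docker scout cves --only-package express`.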
Expand Down Expand Up @@ -154,7 +152,7 @@ $ docker scout config organization <ORG_NAME>

Now you can run the `quickview` command to get an overview
of the compliance status for the image you just built.
The image is evaluated against the default policy configurations.
The image is evaluated against the default policy configurations. You'll see output similar to the following:

```console
$ docker scout quickview
Expand Down Expand Up @@ -209,7 +207,7 @@ The classic image store doesn't support manifest lists,
which is how the provenance attestations are attached to an image.

Open **Settings** in Docker Desktop. Under the **General** section, make sure
that the **Use containerd for pulling and storing images** option is checked.
that the **Use containerd for pulling and storing images** option is checked, then select **Apply & Restart**.
Note that changing image stores temporarily hides images and containers of the
inactive image store until you switch back.

Expand All @@ -230,7 +228,9 @@ results through a different lens: the Docker Scout Dashboard.
3. Select **Images** in the left-hand navigation.

The images page lists your Scout-enabled repositories.
Select the image in the list to open the **Image details** sidebar.

Select the row for the image you want to view, anywhere in the row except on a link, to open the **Image details** sidebar.

The sidebar shows a compliance overview for the last pushed tag of a repository.

> [!NOTE]
Expand All @@ -239,13 +239,15 @@ The sidebar shows a compliance overview for the last pushed tag of a repository.
> It might take a few minutes before the results appear if this is your
> first time using the Docker Scout Dashboard.

Inspect the **Up-to-Date Base Images** policy.
Go back to the image list and select the image version, available in the **Most recent image** column.
Then, at the top right of the page, select the **Update base image** button to inspect the policy.

This policy checks whether base images you use are up-to-date.
It currently has a non-compliant status,
because the example image uses an old version `alpine` as a base image.

Select the **View fix** button next to the policy name for details about the violation,
and recommendations on how to address it.
Close the **Recommended fixes for base image** modal. In the policy listing, select **View fixes** button, next to the policy name for details about the violation, and recommendations on how to address it.

In this case, the recommended action is to enable
[Docker Scout's GitHub integration](./integrations/source-code-management/github.md),
which helps keep your base images up-to-date automatically.
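Review bot: "select **View fixes** button" is missing an article ("select the **View fixes** button"), and the unchanged context line "uses an old version `alpine`" should be "an old version of `alpine`". The new first step tells the reader to select **Update base image** "to inspect the policy", and the next paragraph then opens with "Close the **Recommended fixes for base image** modal"; naming the modal at the point where it opens would make that sequence clear.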
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,8 @@ tampered with by the users.

4. Use a MDM solution to distribute your modified `.mobileconfig` file to your macOS clients.

5. Verify that the profile is added to **Device (Managed)** profiles list (**System Settings** > **General** > **Device Management**) on your macOS clients.

## plist method (Mac only)

> [!NOTE]
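Review bot: "added to **Device (Managed)** profiles list" needs "the". Since the surrounding text is about a profile that must not be tampered with by users, this verification step could say why the location matters: a profile listed under **Device (Managed)** was delivered through the MDM channel described in step 4 and is managed at the device level, whereas one appearing elsewhere in **Device Management** was not installed that way and the check has failed.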
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,7 @@ earlier Linux kernel series).
This will be resolved in the updated 5.15 series Linux kernel.
- Images pulled by Docker Desktop when Docker Debug or Kubernetes is enabled,
are not restricted by default even if Docker Hub is blocked by RAM.
- If Docker Hub access is restricted by RAM, pulls on images originating from Docker Hub are restricted even if the image has been previously cached by a registry mirror. See [Using Registry Access Management (RAM) with a registry mirror](/manuals/docker-hub/image-library/mirror.md).

Also, Registry Access Management operates on the level of hosts, not IP
addresses. Developers can bypass this restriction within their domain
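Review bot: "pulls on images originating from Docker Hub" should be "pulls of images". The link uses a site-absolute path (`/manuals/docker-hub/image-library/mirror.md`) while the other cross-references in this PR use relative paths such as `../../docker-hub/image-library/trusted-content.md`; pick one convention. Because this entry sits in a known-limitations list, readers may read it as a defect; stating whether the restriction applying to mirror-cached Hub content is intended enforcement would avoid that.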