Docker PAT
Service Name: Docker
Service Description: Docker is a platform that enables developers to build, share, and run applications in containers. Docker Personal Access Tokens (PATs) are used to authenticate with Docker Hub and other Docker services.
Service Address: https://hub.docker.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization level for Docker Hub access.
Secret Access Scope: Grants access to Docker Hub repositories, allowing users to push, pull, and manage container images based on the token's permissions.
Secret Revokement URL: https://hub.docker.com/settings/security
Secret Example: dckr_pat_abcDEFghiJKLmnoPQRstuvwXYZ1234567890
Suspicious Activity Investigation Instructions:
- Review Docker Hub access logs for unusual pull or push activities.
- Check for unauthorized image publications or modifications to existing images.
- Monitor for unusual repository access patterns or unexpected image tags.
- Verify if the token has been used from unusual geographic locations.
- Review organization audit logs for suspicious administrative actions.
Mitigation Instructions:
- Log in to Docker Hub and navigate to your account settings.
- Go to the "Security" section.
- Locate the compromised Personal Access Token.
- Select Delete or Revoke to immediately invalidate the token.
- Create a new token with appropriate scopes if needed.
- Review and update repository permissions to ensure proper access controls.
- Consider enabling two-factor authentication for your Docker Hub account.
- Audit container images that may have been modified during the compromise period.