content/manuals/dhi/core-concepts/stig.md
{{< summary-bar feature_name="Docker Hardened Images" >}}
Security Technical Implementation Guides (STIGs) are configuration standards published by the U.S. Defense Information Systems Agency (DISA). They define security requirements for operating systems, applications, databases, and other technologies used in U.S. Department of Defense (DoD) environments.
STIGs help ensure that systems are configured securely and consistently to reduce vulnerabilities. They are often based on broader requirements like the DoD's General Purpose Operating System Security Requirements Guide (GPOS SRG).
Following STIG guidance is critical for organizations that work with or support U.S. government systems. It demonstrates alignment with DoD security standards and helps:
Even outside of federal environments, STIGs are used by security-conscious organizations as a benchmark for hardened system configurations.
STIGs are derived from broader NIST guidance, particularly NIST Special Publication 800-53, which defines a catalog of security and privacy controls for federal systems. Organizations pursuing compliance with 800-53 or related frameworks (such as FedRAMP) can use STIGs as implementation guides that help meet applicable control requirements.
Docker Hardened Images (DHIs) include STIG variants that are scanned against custom STIG-based profiles and include signed STIG scan attestations. These attestations can support audits and compliance reporting.
While Docker Hardened Images are available to all, the STIG variant requires a Docker subscription.
Docker creates custom STIG-based profiles for images based on the GPOS SRG and DoD Container Hardening Process Guide. Because DISA has not published a STIG specifically for containers, these profiles help apply STIG-like guidance to container environments in a consistent, reviewable way and are designed to reduce false positives common in container images.
Docker Hardened Images that include STIG scan results are labeled as STIG in the Docker Hardened Images catalog.
To find DHI repositories with STIG image variants, explore images and:
To find a STIG image variant within a repository, go to the Tags tab in the repository, and find images labeled with STIG in the Compliance column.
To use a STIG variant, you must mirror the repository and then pull the STIG image from your mirrored repository.
Docker provides a signed STIG scan attestation for each STIG-ready image. These attestations include:
You can retrieve and inspect a STIG scan attestation using the Docker Scout CLI:
$ docker scout attest get \
--predicate-type https://docker.com/dhi/stig/v0.1 \
--verify \
--predicate \
dhi.io/<image>:<tag>
To extract and view the human-readable HTML report:
$ docker scout attest get dhi.io/<image>:<tag> \
--predicate-type https://docker.com/dhi/stig/v0.1 \
--verify \
--predicate \
| jq -r '.[0].output[] | select(.format == "html").content | @base64d' > stig_report.html
To extract the XML (XCCDF) report for integration with other tools:
$ docker scout attest get dhi.io/<image>:<tag> \
--predicate-type https://docker.com/dhi/stig/v0.1 \
--verify \
--predicate \
| jq -r '.[0].output[] | select(.format == "xccdf").content | @base64d' > stig_report.xml
To view just the scan summary without the full reports:
$ docker scout attest get dhi.io/<image>:<tag> \
--predicate-type https://docker.com/dhi/stig/v0.1 \
--verify \
--predicate \
| jq -r '.[0] | del(.output)'