content/manuals/security/faqs/general.md
If you've discovered a security vulnerability in Docker, report it responsibly to [email protected] so Docker can quickly address it.
Docker Hub locks out users after 10 failed sign-in attempts within 5 minutes. The lockout duration is 5 minutes. This policy applies to Docker Hub, Docker Desktop, and Docker Scout authentication.
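To make the lockout policy concrete, the following added example models it as a sliding-window counter and replays a constructed sign-in log through it. This is illustrative code written for this page, not Docker Hub's implementation; the `LockoutTracker` class, the `replay` helper, the log format and the sample events are all assumptions. Only the numbers (10 failures, 5-minute window, 5-minute lockout) come from the page.

```python
from collections import deque
from datetime import datetime, timedelta

# Policy parameters taken from the page: 10 failed sign-ins within 5 minutes
# trigger a lockout that lasts 5 minutes.
MAX_FAILURES = 10
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=5)


class LockoutTracker:
    """Sliding-window lockout model (hypothetical; not Docker Hub's own code)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # user -> deque of failure timestamps inside the window
        self._locked_until = {}  # user -> datetime at which the lockout expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_attempt(self, user, success, now):
        """Process one sign-in attempt; return 'locked', 'ok' or 'denied'."""
        if self.is_locked(user, now):
            # A locked account rejects every attempt, even with the right password.
            return "locked"
        if success:
            self._failures.pop(user, None)
            return "ok"
        window = self._failures.setdefault(user, deque())
        window.append(now)
        # Drop failures older than the window so stale mistakes do not accumulate.
        while window and now - window[0] > self.window:
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            window.clear()
            return "locked"
        return "denied"


# Constructed sample log (not real Docker Hub data): "<timestamp> <user> <OK|FAIL>".
# alice fails 10 times within 90 seconds, then tries the correct password twice.
# bob spreads 3 failures over 7 minutes, so they never pile up inside one window.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{s:02d}Z alice FAIL" for s in range(0, 60, 10)]
    + [f"2024-05-01T10:01:{s:02d}Z alice FAIL" for s in range(0, 40, 10)]
    + [
        "2024-05-01T10:02:00Z alice OK",   # still inside the 5-minute lockout
        "2024-05-01T10:06:35Z alice OK",   # lockout expired at 10:06:30
        "2024-05-01T10:00:00Z bob FAIL",
        "2024-05-01T10:03:00Z bob FAIL",
        "2024-05-01T10:07:00Z bob FAIL",
        "2024-05-01T10:07:30Z bob OK",
    ]
)


def replay(log_text, tracker=None):
    """Feed log lines (timestamps non-decreasing per user) through the tracker.

    Returns a list of (user, outcome) pairs in log order.
    """
    tracker = tracker or LockoutTracker()
    results = []
    for line in log_text.splitlines():
        ts, user, outcome = line.split()
        now = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        results.append((user, tracker.record_attempt(user, outcome == "OK", now)))
    return results


if __name__ == "__main__":
    for user, outcome in replay(SAMPLE_LOG):
        print(user, outcome)
```

Running the block shows alice's tenth failure flipping the account to `locked`, her correct password being rejected while the lockout is active, and sign-in succeeding once the 5 minutes have passed, while bob's slow trickle of failures never reaches the threshold. The model is deliberately per-username: a lockout like this limits online guessing against one account, so the activity logs the page mentions later are where a defender would look for patterns that span many accounts.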
You can configure physical multi-factor authentication (MFA) through SSO using your identity provider (IdP). Check whether your IdP supports physical MFA devices such as YubiKeys.
Docker uses tokens to manage user sessions with different expiration periods:
Docker also supports your IdP's default session timeout through SAML attributes. For more information, see SSO attributes.
Organizations use verified domains to distinguish user types. Team members with email domains other than verified domains appear as "Guest" users in the organization.
Docker activity logs are available for 90 days. You're responsible for exporting logs or setting up drivers to send logs to your internal systems for longer retention.
Yes, use the Export Members feature to export a CSV file containing your organization's users with role and team information.
Docker Desktop uses the host operating system's secure key management to store authentication tokens:
If SCIM isn't turned on, you must manually remove users from the organization. SCIM can automate user removal, but only for users added after SCIM is turned on. Users added before SCIM was turned on must be removed manually.
For more information, see Manage organization members.
For information about metadata stored by Docker Scout, see Data handling.
Security vetting for extensions is on the roadmap but isn't currently implemented. Extensions aren't covered as part of Docker's Third-Party Risk Management Program.
No direct setting exists to disable private repositories. However, Registry Access Management lets administrators control which registries developers can access through Docker Desktop via the Admin Console.