
# Content Trust Not Enabled (CIS 4.5)

> Ensure Content Trust is enabled to verify the integrity and publisher of Docker images

## Impact & Risk Analysis

* **Severity:** Medium
* **CIS Benchmark:** CIS 4.5
* **Impact:** **Spoofing & Compromised Provenance.** Content trust lets the Docker client use digital signatures (Notary trust data based on The Update Framework) for data sent to and received from remote registries. Without it the client performs no verification of the integrity or publisher of an image tag: whatever the registry returns for `postgres:latest` is accepted, so a repointed or tampered tag, or an image from a compromised registry account, is pulled and run just like a legitimate one.

## Common Misconfiguration

Content trust is disabled by default in the Docker client: `DOCKER_CONTENT_TRUST` is unset. Unless it is explicitly enabled, `docker pull`, `docker run`, `docker create`, `docker build` and `docker push` neither verify nor create signatures, and users can unknowingly pull malicious or untrusted images, including unsigned base images referenced from a Dockerfile `FROM` line.

## Vulnerable Example

```bash
# Vulnerable Environment (Default)
# DOCKER_CONTENT_TRUST is not set.
# The tag is resolved by the registry alone; the client never checks
# who published it or whether the content was altered.
docker pull postgres:latest

```

```bash
# Vulnerable CI/CD Step
# The runner environment defines no trust variable, so the base image named
# in the Dockerfile's FROM line is pulled without signature verification
# and baked into the build.
docker build -t myapp:latest .

```

## Secure Example

```bash
# Secure Environment
# Enabling Content Trust makes the client fetch the tag's trust data,
# verify the signature, and then pull the image by its signed digest.
export DOCKER_CONTENT_TRUST=1

# This pull now fails if the tag has no trust data or the signature is invalid.
docker pull postgres:latest

```

Two caveats. Only tag references are verified: a reference that pins an explicit digest (`postgres@sha256:...`) is accepted with or without content trust, because the digest itself fixes the content, so provenance for digest-pinned images has to be established some other way. And the setting is a client-side control: it protects the shells and pipelines where it is set, and anyone who unsets it, or passes `--disable-content-trust` to a single command, is back to the unverified behaviour. With trust enabled, `docker push` signs the pushed tag, which is how an organization's own images become verifiable.

## Audit Procedure

Execute the following command in the environment where Docker commands actually run (the operator's shell, but also the CI runner, service account or cron job that pulls images):

```bash
echo $DOCKER_CONTENT_TRUST

```

* **Result:** This should return a value of `1`.
* **Fail:** If it returns an empty line or `0`, Content Trust is disabled. The Docker CLI also treats `false` as disabled and any other non-empty value as enabled.
* **Caveat:** The variable can be overridden for a single command with `--disable-content-trust`, or with a `DOCKER_CONTENT_TRUST=0` prefix on that command, so also review scripts and pipeline definitions for such overrides; a correct shell value alone does not prove that every image in a pipeline was verified.

## Remediation

To enable content trust in a bash shell, enter the following command; it affects only the current shell and the processes it starts:

```bash
export DOCKER_CONTENT_TRUST=1

```

To make the setting persistent, set the variable in your profile file (e.g. `.bashrc` or `.zshrc`) so that content trust is enabled on every login. For non-interactive consumers, set it where their environment is defined instead: the CI system's variables, a systemd unit's `Environment=` line, or the image used by the build runner.
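The audit and remediation above are easy to get wrong in practice: the CLI's reading of the variable is broader than `1` versus `0`, and a single `--disable-content-trust` flag inside a pipeline defeats a correctly set environment. The following POSIX shell script is an added example, not part of the CIS benchmark or of the Docker project's own code. It mirrors the CLI's interpretation of `DOCKER_CONTENT_TRUST`, scans a constructed sample CI script for per-command overrides, and adds the profile line idempotently. The function names, the regular expression and the sample script are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark or the Docker project.
# Audits DOCKER_CONTENT_TRUST the way the Docker CLI interprets it and
# looks for per-command overrides that silently defeat the setting.

# dct_enabled VALUE -> exit 0 if the Docker CLI would enforce content trust.
# The CLI treats unset/empty as disabled, the Go strconv.ParseBool "false"
# spellings (0, f, F, false, False, FALSE) as disabled, and any other
# non-empty value, including unparsable ones such as "yes", as enabled.
dct_enabled() {
  case "$1" in
    ''|0|f|F|false|False|FALSE) return 1 ;;
    *) return 0 ;;
  esac
}

# dct_status VALUE -> prints PASS or FAIL in the benchmark's audit terms.
dct_status() {
  if dct_enabled "$1"; then echo PASS; else echo FAIL; fi
}

# require_content_trust -> meant as the first step of a CI job: fails the job
# when the environment the job actually runs in does not enforce trust, so
# the check lives where images are pulled, not only in an operator's shell.
require_content_trust() {
  if dct_enabled "${DOCKER_CONTENT_TRUST:-}"; then
    return 0
  fi
  echo "DOCKER_CONTENT_TRUST is not enabled in this environment" >&2
  return 1
}

# Regex (this example's own) for two ways a single command opts out of trust:
#   --disable-content-trust (bare, or =true) on docker pull/build/push/run
#   DOCKER_CONTENT_TRUST=<false spelling> prefixed to one command
OVERRIDE_RE='--disable-content-trust($|[[:space:]]|=(1|t|T|true|True|TRUE))|DOCKER_CONTENT_TRUST=(0|f|F|false|False|FALSE)($|[[:space:]])'

# find_trust_overrides < script -> prints line-numbered offending lines.
find_trust_overrides() {
  grep -nE -e "$OVERRIDE_RE" || true
}

# count_trust_overrides < script -> prints how many lines opt out.
count_trust_overrides() {
  grep -cE -e "$OVERRIDE_RE" || true
}

# ensure_profile_export FILE -> idempotently appends the remediation line to
# a shell profile so content trust is on for every login shell.
ensure_profile_export() {
  if ! grep -qE '^export DOCKER_CONTENT_TRUST=1[[:space:]]*$' "$1" 2>/dev/null; then
    printf 'export DOCKER_CONTENT_TRUST=1\n' >>"$1"
  fi
}

# Constructed sample CI script (not a real pipeline) used to exercise the scan.
# Lines 3 and 4 opt out; line 5 explicitly keeps trust on and must not match.
SAMPLE_CI='export DOCKER_CONTENT_TRUST=1
docker pull postgres:latest
docker pull --disable-content-trust internal/tool:dev
DOCKER_CONTENT_TRUST=0 docker pull legacy/base:1
docker build --disable-content-trust=false -t myapp:latest .'

# Stand-alone run: audit the current shell and scan the sample script.
echo "current shell: $(dct_status "${DOCKER_CONTENT_TRUST:-}")"
echo "overrides in sample CI script:"
printf '%s\n' "$SAMPLE_CI" | find_trust_overrides
```

Point `find_trust_overrides` at real pipeline definitions and wrapper scripts (`find_trust_overrides < .gitlab-ci.yml`), and call `require_content_trust` as the first step of any job that pulls or builds images; the two together cover the gap that `echo $DOCKER_CONTENT_TRUST` in a login shell leaves open.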
