scout: update policy names

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
David Karlsson 2024-08-05 14:07:54 +02:00
parent 3fbb70eaef
commit 1937e8e3c3
9 changed files with 83 additions and 82 deletions


@ -229,8 +229,8 @@ to look up and include the image digest for base image versions manually each
time you want to update it. And you're opting out of automated security fixes,
which is likely something you want to get.
Docker Scout has a built-in [**Outdated base images**
policy](../../scout/policy/_index.md#outdated-base-images) that checks for
Docker Scout has a built-in [**No outdated base images**
policy](../../scout/policy/_index.md#no-outdated-base-images) that checks for
whether the base image version you're using is in fact the latest version. This
policy also checks if pinned digests in your Dockerfile correspond to the
correct version. If a publisher updates an image that you've pinned, the policy
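Review bot: the unchanged context line `whether the base image version you're using is in fact the latest version` now follows `checks for` on the renamed line, giving "checks for whether"; the `for` is redundant and could be dropped while this sentence is being touched.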


@ -5,8 +5,8 @@ keywords: scout, supply chain, integration, code quality
---
The SonarQube integration enables Docker Scout to surface SonarQube quality
gate checks through Policy Evaluation, under a new [Quality gates passed
policy](../../policy/_index.md#quality-gates-passed).
gate checks through Policy Evaluation, under a new [SonarQube quality gates passed
policy](/scout/policy/#sonarqube-quality-gates-passed).
## How it works
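Review bot: link style is inconsistent within this file: the new link here uses the absolute path `/scout/policy/#sonarqube-quality-gates-passed`, while the updated link in the next hunk of the same file uses the relative `../../policy/_index.md#sonarqube-quality-gates-passed`. Pick one form per file so link checking behaves uniformly and future renames only have one pattern to search for.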
@ -64,8 +64,9 @@ To integrate Docker Scout with SonarQube, ensure that:
integration overview, which lists all your SonarQube integrations and their
statuses.
From the integration overview page, you can go directly to the Quality gates
passed policy. This policy will have no results initially. To start seeing
evaluation results for this policy, trigger a new SonarQube analysis of your
project and push the corresponding image to a repository. For more information,
refer to the [Quality gates passed policy](../../policy/_index.md#quality-gates-passed).
From the integration overview page, you can go directly to the
**SonarQube quality gates passed** policy.
This policy will have no results initially. To start seeing evaluation results
for this policy, trigger a new SonarQube analysis of your project and push the
corresponding image to a repository. For more information, refer to the
[policy description](../../policy/_index.md#sonarqube-quality-gates-passed).


@ -34,7 +34,7 @@ containing security fixes. The `alpine:3.18` tag you've been using becomes
out-of-date; the `alpine:3.18` you're using is no longer the latest.
When this happens, Docker Scout detects the discrepancy and surfaces it through
the [Outdated base images](../../policy/_index.md#outdated-base-images) policy.
the [No outdated base images](/scout/policy/#no-outdated-base-images) policy.
When the GitHub integration's enabled, you'll also get automated suggestions on
how to update your base image. For more information about how Docker Scout can
help you automatically improve your supply chain conduct and security posture,


@ -32,9 +32,9 @@ image analysis feature, interpreting the analysis results against the rules
defined by policies.
A policy defines image quality criteria that your artifacts should fulfill.
For example, the **Copyleft licenses** policy flags packages distributed under a copyleft license.
For example, the **No copyleft licenses** policy flags packages distributed under a copyleft license.
If an image contains a copyleft-licensed package, that image is non-compliant with this policy.
Some policies, such as the **Copyleft licenses** policy, are configurable.
Some policies, such as the **No copyleft licenses** policy, are configurable.
Configurable policies let you adjust the criteria to better match your organization's needs.
In Docker Scout, policies are designed to help you ratchet forward your
@ -54,10 +54,10 @@ image up-to-dateness.
Docker Scout ships the following out-of-the-box policies:
- [Fixable critical and high vulnerabilities](#fixable-critical-and-high-vulnerabilities)
- [Copyleft licenses](#copyleft-licenses)
- [Outdated base images](#outdated-base-images)
- [High-profile vulnerabilities](#high-profile-vulnerabilities)
- [No fixable critical or high vulnerabilities](#no-fixable-critical-or-high-vulnerabilities)
- [No copyleft licenses](#no-copyleft-licenses)
- [No outdated base images](#no-outdated-base-images)
- [No high-profile vulnerabilities](#no-high-profile-vulnerabilities)
- [Supply chain attestations](#supply-chain-attestations)
- [Default non-root user](#default-non-root-user)
@ -70,9 +70,9 @@ policies](./configure.md).
There's also a set of [additional policies](#additional-policies) that can be
optionally enabled for repositories.
### Fixable critical and high vulnerabilities
### No fixable critical or high vulnerabilities
The **Fixable critical and high vulnerabilities** policy requires that your
The **No fixable critical or high vulnerabilities** policy requires that your
artifacts aren't exposed to known vulnerabilities where there's a fix version
available. Essentially, this means that there's an easy fix that you can deploy
for images that fail this policy: upgrade the vulnerable package to a version
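Review bot: renaming this heading changes its generated anchor from `#fixable-critical-and-high-vulnerabilities` to `#no-fixable-critical-or-high-vulnerabilities`, so any inbound link not updated in this commit (external bookmarks, links from other repositories, older blog posts) will land on a missing fragment; the same applies to every other `###` rename in this file. Worth a site-wide search for the old anchors and, if the site supports it, an alias for each old id.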
@ -97,9 +97,9 @@ The following policy parameters are configurable in a custom version:
For more information about configuring policies, see [Configure policies](./configure.md).
### Copyleft licenses
### No copyleft licenses
The **Copyleft licenses** policy requires that your artifacts don't contain
The **No copyleft licenses** policy requires that your artifacts don't contain
packages distributed under an AGPLv3 or GPLv3 license. These licenses are
protective [copyleft](https://en.wikipedia.org/wiki/Copyleft), and may be
unsuitable for use in your software because of the restrictions they enforce.
@ -111,9 +111,9 @@ You can configure the list of licenses that this policy should look out for,
and add exceptions by specifying an allow-list (in the form of PURLs).
See [Configure policies](./configure.md).
### Outdated base images
### No outdated base images
The **Outdated base images** policy requires that the base images you use are
The **No outdated base images** policy requires that the base images you use are
up-to-date.
It's unfulfilled when the tag you used to build your image points to a
@ -123,9 +123,9 @@ means the base image you're using is out of date.
Your images need provenance attestations for this policy to successfully
evaluate. For more information, see [No base image data](#no-base-image-data).
### High-profile vulnerabilities
### No high-profile vulnerabilities
The **High-profile vulnerabilities** policy requires that your artifacts don't
The **No high-profile vulnerabilities** policy requires that your artifacts don't
contain vulnerabilities from Docker Scouts curated list. This list is kept
up-to-date with newly disclosed vulnerabilities that are widely recognized to
be risky.
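Review bot: the context line `contain vulnerabilities from Docker Scouts curated list` is missing the possessive apostrophe (`Docker Scout's curated list`); since this paragraph is being edited anyway, it is cheap to fix in the same commit.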
@ -243,12 +243,12 @@ by default, Docker Scout supports the following optional policies. Before you
can enable these policies, you need to either configure the policies, or
configure the integration that the policy requires.
- [Unapproved base images](#unapproved-base-images)
- [Quality gates passed](#quality-gates-passed)
- [No unapproved base images](#no-unapproved-base-images)
- [SonarQube quality gates passed](#sonarqube-quality-gates-passed)
### Unapproved base images
### No unapproved base images
The **Unapproved base images** policy lets you restrict which base
The **No unapproved base images** policy lets you restrict which base
images you allow in your builds.
This policy checks whether the base images used in your builds match any of the
@ -297,9 +297,9 @@ This policy isn't enabled by default. To enable the policy:
Your images need provenance attestations for this policy to successfully
evaluate. For more information, see [No base image data](#no-base-image-data).
### Quality gates passed
### SonarQube quality gates passed
The Quality gates passed policy builds on the [SonarQube
The **SonarQube quality gates passed** policy builds on the [SonarQube
integration](../integrations/code-quality/sonarqube.md) to assess the quality
of your source code. This policy works by ingesting the SonarQube code analysis
results into Docker Scout.
@ -332,8 +332,8 @@ in the CLI.
## No base image data
There are cases when it's not possible to determine information about the base
images used in your builds. In such cases, the **Outdated base images** and
**Unapproved base images** policies get flagged as having **No data**.
images used in your builds. In such cases, the **No outdated base images** and
**No unapproved base images** policies get flagged as having **No data**.
This "no data" state occurs when:


@ -17,7 +17,7 @@ results and recommendations.
Docker Scout provides remediation advice for the following policies:
- [Outdated base images](#outdated-base-image-remediation)
- [No outdated base images](#no-outdated-base-image-remediation)
- [Supply chain attestations](#supply-chain-attestations-remediation)
For images that violate policy, the recommendations focus on addressing
@ -60,9 +60,9 @@ temporary solution.
The side panel may also contain one or more help sections related to the
available recommendations.
## Outdated base image remediation
## No outdated base image remediation
The **Outdated base images** policy checks whether the base image you use is
The **No outdated base images** policy checks whether the base image you use is
up-to-date. The recommended actions displayed in the remediation side panel
depend on how much information Docker Scout has about your image. The more
information that's available, the better the recommendations.


@ -103,25 +103,25 @@ If you see an `N/A` score, consider the following:
The policies that influence the score, and their respective weights, are as follows:
| Policy | Points |
| --------------------------------------------------------------------------------------------------------- | ------ |
| [Fixable critical and high vulnerabilities](./_index.md#fixable-critical-and-high-vulnerabilities) | 20 |
| [High-profile vulnerabilities](./_index.md#high-profile-vulnerabilities) | 20 |
| [Supply chain attestations](./_index.md#supply-chain-attestations) | 15 |
| [Unapproved base images](./_index.md#unapproved-base-images) \* | 15 |
| [Outdated base images](./_index.md#outdated-base-images) | 10 |
| [Default non-root user](./_index.md#default-non-root-user) | 5 |
| AGPL v3-licensed software \*\* | 5 |
| Policy | Points |
| ---------------------------------------------------------------------------------------------------------- | ------ |
| [No fixable critical or high vulnerabilities](/scout/policy#no-fixable-critical-or-high-vulnerabilities) | 20 |
| [No high-profile vulnerabilities](/scout/policy#no-high-profile-vulnerabilities) | 20 |
| [Supply chain attestations](/scout/policy#supply-chain-attestations) | 15 |
| [No unapproved base images](/scout/policy/#no-unapproved-base-images) \* | 15 |
| [No outdated base images](/scout/policy#no-outdated-base-images) | 10 |
| [Default non-root user](/scout/policy#default-non-root-user) | 5 |
| No AGPL v3 licenses \*\* | 5 |
\* _The **Unapproved base images** policy used for health score evaluation also
\* _The **No unapproved base images** policy used for health score evaluation also
checks that the tags of Docker Official Images use supported tags and, where
applicable, that the Linux distro that the image uses is a supported distro
version. This is a policy configuration option that's enabled by default for
health score evaluation. For more information, refer to the
[Unapproved base images](/scout/policy/#unapproved-base-images) policy._
[Unapproved base images](/scout/policy/#no-unapproved-base-images) policy._
\*\* _The **AGPL v3-licensed software** policy is a subset of the
[Copyleft licenses](./_index.md#copyleft-licenses) policy._
\*\* _The **No AGPL v3 licenses** policy is a subset of the
[Copyleft licenses](./_index.md#no-copyleft-licenses) policy._
### Evaluation
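Review bot: two link texts in the footnotes were not renamed although their anchors were: `[Unapproved base images](/scout/policy/#no-unapproved-base-images)` should read **No unapproved base images**, and `[Copyleft licenses](./_index.md#no-copyleft-licenses)` should read **No copyleft licenses**, matching the bold names used in the same sentences. Also, the table row for **No unapproved base images** links to `/scout/policy/#...` (trailing slash) while the other rows use `/scout/policy#...`; both resolve, but one form is easier to grep for.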


@ -100,18 +100,18 @@ $ docker scout policy \
Policy status FAILED (2/8 policies met, 3 missing data)
Status │ Policy │ Results
​─────────┼───────────────────────────────────────────┼──────────────────────────────
✓ │ Copyleft licenses │ 0 packages
! │ Default non-root user │
! │ Fixable critical and high vulnerabilities │ 2C 1H 0M 0L
✓ │ High-profile vulnerabilities │ 0C 0H 0M 0L
? │ Outdated base images │ No data
│ │ Learn more ↗
? │ Quality gates passed │ No data
│ │ Learn more ↗
! │ Supply chain attestations │ 2 deviations
? │ Unapproved base images │ No data
Status │ Policy │ Results
​─────────┼─────────────────────────────────────────────────────┼──────────────────────────────
✓ │ No copyleft licenses │ 0 packages
! │ Default non-root user
! │ No fixable critical or high vulnerabilities │ 2C 1H 0M 0L
✓ │ No high-profile vulnerabilities │ 0C 0H 0M 0L
? │ No outdated base images │ No data
│ Learn more ↗
? │ SonarQube quality gates passed │ No data
│ Learn more ↗
! │ Supply chain attestations │ 2 deviations
? │ No unapproved base images │ No data
...
```
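Review bot: the rewritten sample output appears to have lost column separators: `! │ Default non-root user` has no trailing `│` for the empty Results column, and the two `Learn more ↗` continuation rows have a single `│` where the previous sample had `│ │ Learn more ↗`. Check this against real `docker scout policy` output so the sample reflects the CLI's actual layout rather than a hand-edited one.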


@ -163,14 +163,14 @@ $ docker scout quickview
...
Policy status FAILED (2/6 policies met, 2 missing data)
Status │ Policy │ Results
─────────┼───────────────────────────────────────────┼──────────────────────────────
✓ │ Copyleft licenses │ 0 packages
! │ Default non-root user │
! │ Fixable critical and high vulnerabilities │ 2C 16H 0M 0L
✓ │ High-profile vulnerabilities │ 0C 0H 0M 0L
? │ Outdated base images │ No data
? │ Supply chain attestations │ No data
Status │ Policy │ Results
─────────┼──────────────────────────────────────────────┼──────────────────────────────
✓ │ No copyleft licenses │ 0 packages
! │ Default non-root user
! │ No fixable critical or high vulnerabilities │ 2C 16H 0M 0L
✓ │ No high-profile vulnerabilities │ 0C 0H 0M 0L
? │ No outdated base images │ No data
? │ Supply chain attestations │ No data
```
Exclamation marks in the status column indicate a violated policy.
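Review bot: same column-separator drop as in the `docker scout policy` sample: `! │ Default non-root user` lost its trailing `│` for the empty Results column, so the Status/Policy/Results table no longer lines up with the header row; verify against real `docker scout quickview` output.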
@ -239,7 +239,7 @@ The sidebar shows a compliance overview for the last pushed tag of a repository.
> It might take a few minutes before the results appear if this is your
> first time using the Docker Scout Dashboard.
Inspect the **Outdated base images** policy.
Inspect the **No outdated base images** policy.
This policy checks whether base images you use are up-to-date.
It currently has a non-compliant status,
because the example image uses an old version `alpine` as a base image.


@ -49,22 +49,22 @@ New features and enhancements released in the first quarter of 2024.
### 2024-03-29
The **High-profile vulnerabilities** policy now reports the `xz` backdoor
The **No high-profile vulnerabilities** policy now reports the `xz` backdoor
vulnerability [CVE-2024-3094](https://scout.docker.com/v/CVE-2024-3094). Any
images in your Docker organization containing the version of `xz/liblzma` with
the backdoor will be non-compliant with the **High-profile vulnerabilities**
the backdoor will be non-compliant with the **No high-profile vulnerabilities**
policy.
### 2024-03-20
The **Fixable critical and high vulnerabilities** policy now supports a
The **No fixable critical or high vulnerabilities** policy now supports a
**Fixable vulnerabilities only** configuration option, which lets you decide
whether or not to only flag vulnerabilities with an available fix version.
### 2024-03-14
The **All critical vulnerabilities** policy has been removed.
The **Fixable critical and high vulnerabilities** policy provides similar functionality,
The **No fixable critical or high vulnerabilities** policy provides similar functionality,
and will be updated in the future to allow for more extensive customization,
making the now-removed **All critical vulnerabilities** policy redundant.
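Review bot: these are dated release-note entries (2024-03-29, 2024-03-20, 2024-03-14), and renaming the policies inside them rewrites what readers saw at the time; the 2024-03-14 entry in particular now says **All critical vulnerabilities** was superseded by **No fixable critical or high vulnerabilities**, a name that did not exist on that date. A parenthetical such as "(formerly **Fixable critical and high vulnerabilities**)" on the first mention in the release notes would keep the history accurate while still matching the current names.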
@ -79,13 +79,13 @@ For more information and setup instructions, see
### 2024-01-23
New **Unapproved base images** policy, which lets you restrict which base
New **No unapproved base images** policy, which lets you restrict which base
images you allow in your builds. You define the allowed base images using a
pattern. Base images whose image reference don't match the specified patterns
cause the policy to fail.
For more information, see
[Unapproved base images](../policy/_index.md#unapproved-base-images).
[No unapproved base images](/scout/policy/#no-unapproved-base-images).
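Review bot: the context line `Base images whose image reference don't match the specified patterns` has a number-agreement slip; `image references don't match` (or `image reference doesn't match`) reads correctly, and the entry is being edited here anyway.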
### 2024-01-12
@ -94,7 +94,7 @@ New **Default non-root user** policy, which flags images that would run as the
Specifying a non-root default user for your images can help strengthen your
runtime security.
For more information, see [Default non-root user](../policy/_index.md#default-non-root-user).
For more information, see [Default non-root user](/scout/policy/#default-non-root-user).
### 2024-01-11
@ -139,12 +139,12 @@ and related policy. SonarQube is an open-source platform for continuous
inspection of code quality. This integration lets you add SonarQube's quality
gates as a policy evaluation in Docker Scout. Enable the integration, push your
images, and see the SonarQube quality gate conditions surfaced in the new
**Quality gates passed** policy.
**SonarQube quality gates passed** policy.
For more information, see:
- [Integration and setup instructions](../integrations/code-quality/sonarqube.md)
- [Quality gates passed policy](../policy/_index.md#quality-gates-passed)
- [SonarQube quality gates passed policy](/scout/policy/#sonarqube-quality-gates-passed)
### 2023-12-01
@ -175,16 +175,16 @@ images are built with SBOM and provenance attestations. Adding attestations to
images is a good first step in improving your supply chain conduct, and is
often a prerequisite for doing more.
See [Supply chain attestations policy](../policy/_index.md#supply-chain-attestations)
See [Supply chain attestations policy](/scout/policy/#supply-chain-attestations)
for details.
### 2023-11-01
New **High-profile vulnerabilities** policy, which ensures your artifacts are
New **No high-profile vulnerabilities** policy, which ensures your artifacts are
free from a curated list of vulnerabilities widely recognized to be risky.
For more information, see
[High-profile vulnerabilities policy](../policy/_index.md#high-profile-vulnerabilities).
[No high-profile vulnerabilities policy](/scout/policy/#no-high-profile-vulnerabilities).
### 2023-10-04
@ -218,7 +218,7 @@ with four out-of-the-box policies, enabled by default for all organizations.
You can view and evaluate policy status for images using the Docker Scout
Dashboard and the `docker scout policy` CLI command. For more information,
refer to the [Policy Evaluation documentation](../policy/_index.md).
refer to the [Policy Evaluation documentation](/scout/policy/).
#### Amazon ECR integration