docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #17862 from dvdksn/scout/integrations 

scout/integrations
This commit is contained in:
David Karlsson 2023-08-10 20:52:10 +02:00 committed by GitHub
parent e2ce6c5a8f e63a4f2085
commit 4899ffee3e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 528 additions and 430 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
_data/toc.yaml
View File

@ -1944,14 +1944,30 @@ manuals:
title: Advanced image analysis
- path: /scout/dashboard/
title: Dashboard
- path: /scout/ci/
title: Continuous integration
- path: /scout/artifactory/
title: Artifactory integration
- path: /scout/advisory-db-sources/
title: Advisory Database
- path: /scout/data-handling/
title: Data handling
- sectiontitle: Integrations
section:
- title: Overview
path: /scout/integrations/
- sectiontitle: Container registries
section:
- title: Artifactory
path: /scout/integrations/registry/artifactory/
- sectiontitle: Continuous integration
section:
- title: GitHub Actions
path: /scout/integrations/ci/gha/
- title: GitLab
path: /scout/integrations/ci/gitlab/
- title: Microsoft Azure DevOps Pipelines
path: /scout/integrations/ci/azure/
- title: Circle CI
path: /scout/integrations/ci/circle-ci/
- title: Jenkins
path: /scout/integrations/ci/jenkins/
- sectiontitle: Docker Admin (Early Access)
section:

23
_redirects.yml
View File

@ -81,12 +81,6 @@
# provide a short, permanent link to refer to a topic in the documentation.
# For example, the docker CLI can output https://docs.docker.com/go/some-topic
# in its help output, which can be redirected to elsewhere in the documentation.
"/scout/":
- /go/scout/
"/scout/quickstart/":
- /go/scout-quickstart/
"/scout/ci/":
- /go/scout-ci/
"/docker-hub/access-tokens/":
- /go/access-tokens/
"/desktop/mac/apple-silicon/":
@ -580,7 +574,22 @@
"/scout/":
- /go/scout/
- /go/docker-scout/
"/scout/artifactory":
"/scout/quickstart/":
- /go/scout-quickstart/
"/scout/ci/":
- /go/scout-ci/
# integrations
"/scout/integrations/ci/gha/":
- "/go/scout-gha/"
"/scout/integrations/ci/gitlab/":
- "/go/scout-gitlab/"
"/scout/integrations/ci/azure/":
- "/go/scout-azure/"
"/scout/integrations/ci/circle-ci/":
- "/go/scout-circle-ci/"
"/scout/integrations/ci/jenkins/":
- "/go/scout-jenkins/"
"/scout/integrations/registry/artifactory":
- /go/scout-artifactory/
# Telepresence

2
build/ci/github-actions/index.md
View File

@ -52,7 +52,7 @@ refer to the following sections:
- [Share built image between jobs](share-image-jobs.md)
- [Test before push](test-before-push.md)
- [Update Docker Hub repository description](update-dockerhub-desc.md)
- [Analyzing images with Docker Scout](../../../scout/ci.md)
- [Analyzing images with Docker Scout](../../../scout/integrations/ci/gha.md)
## Get started with GitHub Actions

6
desktop/use-desktop/images.md
View File

@ -98,8 +98,8 @@ By default, when you go to **Images** in Docker Desktop, you see a list of image
The **Local** and **Hub** tabs near the top toggles between viewing images in your local image store,
and images in remote Docker Hub repositories that you have access to.
You can also [connect JFrog Artifactory registries](#connect-an-artifactory-registry),
and browse images in JFrog repositories directly in Docker Desktop.
For more information about supported integrations, see
[Integrating Docker Scout](../../scout/integrations/index.md).
### Hub
@ -123,7 +123,7 @@ The integration described here connects your local Docker Desktop client with Ar
You can browse, filter, save, and pull images in the Artifactory instance you configure.
You may also want to consider activating automatic image analysis for your Artifactory repositories.
Learn more about [Artifactory integration with Docker Scout](../../scout/artifactory.md).
Learn more about [Artifactory integration with Docker Scout](../../scout/integrations/registry/artifactory.md).
#### Connect an Artifactory registry

5
scout/advisory-db-sources.md
View File

@ -62,9 +62,8 @@ images that Docker Scout can then match to CVEs. Find more details on how this
works in the [Advanced image analysis document](./advanced-image-analysis.md).
Docker Scout is ideal for analyzing images in Docker Desktop and Docker Hub, but
the flexibility of the approach also means it can integrate with other image
sources, for example, [JFrog
Artifactory](https://docs.docker.com/scout/artifactory/).
the flexibility of the approach also means it can integrate with other systems,
see [Integrating Docker Scout with other systems](./integrations/index.md).
## How Docker Scout makes more precise matches

399
scout/ci.md
View File

@ -1,399 +0,0 @@
---
description: How to setup Docker Scout in continuous integration pipelines
keywords: scanning, vulnerabilities, Hub, supply chain, security, ci, continuous integration, github actions, gitlab
title: Using Docker Scout in continuous integration
---
{% include scout-early-access.md %}
You can analyze Docker images in continuous integration pipelines as you build
them using a GitHub action or the Docker Scout CLI plugin.
## GitHub Actions
You can use [the Docker Scout GitHub action](https://github.com/docker/scout-action) to run Docker Scout CLI commands
as part of a workflow.
The following example works in a repository containing a Docker image's
definition and contents. Triggered by a pull request, the action builds the
image and uses Docker Scout to compare the new version to the current published
version.
First, set up the rest of the workflow. There's a lot that's not specific to
Docker Scout but needed to create the images to compare. For more details on
those actions and using GitHub Actions with Docker in general, see [the GitHub Actions documentation](../build/ci/github-actions/index.md).
Add the following to a GitHub Actions YAML file:
{% raw %}
```yaml
name: Docker
on:
push:
tags: ["*"]
branches:
- "main"
pull_request:
branches: ["**"]
env:
# Use docker.io for Docker Hub if empty
REGISTRY: docker.io
IMAGE_NAME: ${{ github.repository }}
SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
```
{% endraw %}
This sets up the workflow to run on pull requests and pushes to the `main`
branch, and sets up environment variables available to all workflow steps. It
then defines a job called `build` that runs on the latest Ubuntu image and sets
the permissions available to the job.
Add the following to the YAML file:
{% raw %}
```yaml
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
ref: ${{ env.SHA }}
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v2.5.0
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@v2.1.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PAT }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v4.4.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.revision=${{ env.SHA }}
tags: |
type=edge,branch=$repo.default_branch
type=semver,pattern=v{{version}}
type=sha,prefix=,suffix=,format=short
```
{% endraw %}
This creates workflow steps to checkout the repository, set up Docker buildx,
log into the Docker registry, and extract metadata from Git reference and GitHub
events to use in later steps.
Add the following to the YAML file:
{% raw %}
```yaml
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v4.0.0
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
```
{% endraw %}
This uses the extracted metadata from the previous step to build and push the
Docker image to Docker Hub. GitHub Actions skips this step on pull requests and
only runs when a pull request is merged.
Add the following to the YAML file:
{% raw %}
```yaml
- name: Docker Scout
id: docker-scout
if: ${{ github.event_name == 'pull_request' }}
uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506
with:
command: compare
image: ${{ steps.meta.outputs.tags }}
to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:edge
ignore-unchanged: true
only-severities: critical,high
token: ${{ secrets.DOCKER_PAT }}
```
{% endraw %}
This final step uses the Docker Scout CLI to run [the `compare` command](../engine/reference/commandline/scout_compare.md), comparing the new
image to the published one. It only shows critical or high-severity
vulnerabilities and ignores vulnerabilities that haven't changed since the last
analysis.
The GitHub Action outputs the comparison results as a table and a summary in the
action output.
![A screenshot showing the results of Docker Scout output in a GitHub Action](./images/gha-output.png)
## GitLab
The following examples runs in GitLab CI in a repository containing a Docker
image's definition and contents. Triggered by a commit, the pipeline builds the
image. If the commit was to the default branch, it uses Docker Scout to get a
CVE report. If the commit was to a different branch, it uses Docker Scout to
compare the new version to the current published version.
First, set up the rest of the workflow. There's a lot that's not specific to
Docker Scout but needed to create the images to compare.
Add the following to a _.gitlab-ci.yml_ file at the root of your repository.
```yaml
docker-build:
image: docker:latest
stage: build
services:
- docker:dind
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
# Install curl and the Docker Scout CLI
- |
apk add --update curl
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
apk del curl
rm -rf /var/cache/apk/*
# Login to Docker Hub required for Docker Scout CLI
- docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PAT"
```
This sets up the workflow to build Docker images with GitLab's
"Docker-in-Docker" mode to run Docker inside a container.
It then downloads curl and the Docker CLI and logs into the GitLab CI registry
and the Docker registry using environment variables defined in your repository's
settings.
Add the following to the YAML file:
{% raw %}
```yaml
script:
- |
if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
tag=""
echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
else
tag=":$CI_COMMIT_REF_SLUG"
echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
fi
- docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
- |
if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
# Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
docker scout cves "$CI_REGISTRY_IMAGE${tag}" --exit-code --only-severity critical,high
else
# Compare image from branch with latest image from the default branch and fail if new critical or high CVEs are detected
docker scout compare "$CI_REGISTRY_IMAGE${tag}" --to "$CI_REGISTRY_IMAGE:latest" --exit-code --only-severity critical,high --ignore-unchanged
fi
- docker push "$CI_REGISTRY_IMAGE${tag}"
```
{% endraw %}
This creates the flow mentioned previously. If the commit was to the default
branch, Docker Scout generates a CVE report. If the commit was to a different
branch, Docker Scout compares the new version to the current published version.
It only shows critical or high-severity vulnerabilities and ignores
vulnerabilities that haven't changed since the last analysis.
Add the following to the YAML file:
```yaml
rules:
- if: $CI_COMMIT_BRANCH
exists:
- Dockerfile
```
These final lines ensure that the pipeline only runs if the commit contains a
Dockerfile and if the commit was to the CI branch.
_The following is a video walkthrough of the process of setting up the workflow with GitLab._
<div style="position: relative; padding-bottom: 64.86486486486486%; height: 0;"><iframe src="https://www.loom.com/embed/451336c4508c42189532108fc37b2560?sid=f912524b-276d-417d-b44a-c2d39719aa1a" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen style="position: absolute; top: 0; left: 0; width: 100%; height: 100%;"></iframe></div>
## Microsoft Azure DevOps Pipelines
The following examples runs in an Azure DevOps-connected repository containing a
Docker image's definition and contents. Triggered by a commit to the main
branch, the pipeline builds the image and uses Docker Scout to create a CVE
report.
First, set up the rest of the workflow and set up the variables available to all
pipeline steps. Add the following to an _azure-pipelines.yml_ file:
```yaml
trigger:
- main
resources:
- repo: self
variables:
tag: "$(Build.BuildId)"
image: "vonwig/nodejs-service"
```
This sets up the workflow to use a particular container image for the
application and tag each new image build with the build ID.
Add the following to the YAML file:
```yaml
stages:
- stage: Build
displayName: Build image
jobs:
- job: Build
displayName: Build
pool:
vmImage: ubuntu-latest
steps:
- task: Docker@2
displayName: Build an image
inputs:
command: build
dockerfile: "$(Build.SourcesDirectory)/Dockerfile"
repository: $(image)
tags: |
$(tag)
- task: CmdLine@2
displayName: Find CVEs on image
inputs:
script: |
# Install the Docker Scout CLI
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
# Login to Docker Hub required for Docker Scout CLI
docker login -u $(DOCKER_HUB_USER) -p $(DOCKER_HUB_PAT)
# Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
docker scout cves $(image):$(tag) --exit-code --only-severity critical,high
```
This creates the flow mentioned previously. It builds and tags the image using
the checked-out Dockerfile, downloads the Docker Scout CLI, and then runs the
`cves` command against the new tag to generate a CVE report. It only shows
critical or high-severity vulnerabilities.
## CircleCI
The following examples runs when triggered in CircleCI. When triggered, it
checks out the "docker/scout-demo-service:latest" image and tag and then uses
Docker Scout to create a CVE report.
Add the following to a _.circleci/config.yml_ file.
First, set up the rest of the workflow. Add the following to the YAML file:
```yaml
version: 2.1
jobs:
build:
docker:
- image: cimg/base:stable
environment:
IMAGE_TAG: docker/scout-demo-service:latest
```
This defines the container image the workflow uses and an environment variable
for the image.
Add the following to the YAML file to define the steps for the workflow:
```yaml
steps:
# Checkout the repository files
- checkout
# Set up a separate Docker environment to run `docker` commands in
- setup_remote_docker:
version: 20.10.24
# Install Docker Scout and login to Docker Hub
- run:
name: Install Docker Scout
command: |
env
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b /home/circleci/bin
echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USER --password-stdin
# Build the Docker image
- run:
name: Build Docker image
command: docker build -t $IMAGE_TAG .
# Run Docker Scout
- run:
name: Scan image for CVEs
command: |
docker-scout cves $IMAGE_TAG --exit-code --only-severity critical,high
```
This checks out the repository files and then sets up a separate Docker
environment to run commands in.
It installs Docker Scout, logs into Docker Hub, builds the Docker image, and
then runs Docker Scout to generate a CVE report. It only shows critical or
high-severity vulnerabilities.
Finally, add a name for the workflow and the workflow's jobs:
```yaml
workflows:
build-docker-image:
jobs:
- build
```
## Jenkins
You can add the following stage and steps definition to a `Jenkinsfile` to run
Docker Scout as part of a Jenkins pipeline. The pipeline needs two secrets
defined to authenticate with Docker Hub: `DOCKER_HUB_USER` and `DOCKER_HUB_PAT`
It also needs an environment variable defined for the image and tag.
```groovy
stage('Analyze image') {
steps {
// Install Docker Scout
sh 'curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b /usr/local/bin'
// Log into Docker Hub
sh 'echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USER --password-stdin'
// Analyze and fail on critical or high vulnerabilities
sh 'docker-scout cves $IMAGE_TAG --exit-code --only-serverity critical,high'
}
}
```
This installs Docker Scout, logs into Docker Hub, and then runs Docker Scout to
generate a CVE report for an image and tag. It only shows critical or
high-severity vulnerabilities.

13
scout/index.md
View File

@ -25,10 +25,9 @@ packages and layers called a [Software bill of materials (SBOM)](https://ntia.go
It then correlates this inventory with a continuously updated vulnerability
database to identify vulnerabilities in your images.
You can use Docker Scout in [Docker Desktop](#docker-desktop), [Docker Hub](#docker-hub), [continuous integration](./ci.md), the [Docker CLI](#docker-scout-cli),
and in
the [Docker Scout Dashboard](./dashboard.md). If you host your images in JFrog Artifactory, you
can also [use Docker Scout to analyze your images](./artifactory.md) there.
You can use Docker Scout in [Docker Desktop](#docker-desktop), [Docker Hub](#docker-hub), the [Docker CLI](#docker-scout-cli),
and in the [Docker Scout Dashboard](./dashboard.md). Docker Scout also supports integrations with third-party systems,
refer to [Integrating Docker Scout](./integrations/index.md) for more information.
{% include scout-plans.md %}
@ -116,9 +115,3 @@ an organization with your team. You can also use the dashboard settings to enabl
Docker Scout on multiple images from Docker Hub at once.
For more information, read the [Docker Scout Dashboard guide](./dashboard.md).
### JFrog Artifactory integration
Users of JFrog Artifactory, or JFrog Container Registry, can integrate Docker
Scout to enable automatic analysis of images locally and remotely. For more
information, see [Artifactory integration](./artifactory.md).

68
scout/integrations/ci/azure.md Normal file
View File

@ -0,0 +1,68 @@
---
description: How to integrate Docker Scout with Microsoft Azure DevOps Pipelines
keywords: supply chain, security, ci, continuous integration, azure, devops
title: Integrate Docker Scout with Microsoft Azure DevOps Pipelines
---
{% include scout-early-access.md %}
The following examples runs in an Azure DevOps-connected repository containing a
Docker image's definition and contents. Triggered by a commit to the main
branch, the pipeline builds the image and uses Docker Scout to create a CVE
report.
First, set up the rest of the workflow and set up the variables available to all
pipeline steps. Add the following to an _azure-pipelines.yml_ file:
```yaml
trigger:
- main
resources:
- repo: self
variables:
tag: "$(Build.BuildId)"
image: "vonwig/nodejs-service"
```
This sets up the workflow to use a particular container image for the
application and tag each new image build with the build ID.
Add the following to the YAML file:
```yaml
stages:
- stage: Build
displayName: Build image
jobs:
- job: Build
displayName: Build
pool:
vmImage: ubuntu-latest
steps:
- task: Docker@2
displayName: Build an image
inputs:
command: build
dockerfile: "$(Build.SourcesDirectory)/Dockerfile"
repository: $(image)
tags: |
$(tag)
- task: CmdLine@2
displayName: Find CVEs on image
inputs:
script: |
# Install the Docker Scout CLI
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
# Login to Docker Hub required for Docker Scout CLI
docker login -u $(DOCKER_HUB_USER) -p $(DOCKER_HUB_PAT)
# Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
docker scout cves $(image):$(tag) --exit-code --only-severity critical,high
```
This creates the flow mentioned previously. It builds and tags the image using
the checked-out Dockerfile, downloads the Docker Scout CLI, and then runs the
`cves` command against the new tag to generate a CVE report. It only shows
critical or high-severity vulnerabilities.

77
scout/integrations/ci/circle-ci.md Normal file
View File

@ -0,0 +1,77 @@
---
description: How to integrate Docker Scout with Circle CI
keywords: supply chain, security, ci, continuous integration, circle ci
title: Integrate Docker Scout with Circle CI
---
{% include scout-early-access.md %}
The following examples runs when triggered in CircleCI. When triggered, it
checks out the "docker/scout-demo-service:latest" image and tag and then uses
Docker Scout to create a CVE report.
Add the following to a _.circleci/config.yml_ file.
First, set up the rest of the workflow. Add the following to the YAML file:
```yaml
version: 2.1
jobs:
build:
docker:
- image: cimg/base:stable
environment:
IMAGE_TAG: docker/scout-demo-service:latest
```
This defines the container image the workflow uses and an environment variable
for the image.
Add the following to the YAML file to define the steps for the workflow:
```yaml
steps:
# Checkout the repository files
- checkout
# Set up a separate Docker environment to run `docker` commands in
- setup_remote_docker:
version: 20.10.24
# Install Docker Scout and login to Docker Hub
- run:
name: Install Docker Scout
command: |
env
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b /home/circleci/bin
echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USER --password-stdin
# Build the Docker image
- run:
name: Build Docker image
command: docker build -t $IMAGE_TAG .
# Run Docker Scout
- run:
name: Scan image for CVEs
command: |
docker-scout cves $IMAGE_TAG --exit-code --only-severity critical,high
```
This checks out the repository files and then sets up a separate Docker
environment to run commands in.
It installs Docker Scout, logs into Docker Hub, builds the Docker image, and
then runs Docker Scout to generate a CVE report. It only shows critical or
high-severity vulnerabilities.
Finally, add a name for the workflow and the workflow's jobs:
```yaml
workflows:
build-docker-image:
jobs:
- build
```

146
scout/integrations/ci/gha.md Normal file
View File

@ -0,0 +1,146 @@
---
description: How to integrate Docker Scout with GitHub Actions
keywords: supply chain, security, ci, continuous integration, github actions
title: Integrate Docker Scout with GitHub Actions
---
{% include scout-early-access.md %}
You can use [the Docker Scout GitHub action](https://github.com/docker/scout-action) to run Docker Scout CLI commands
as part of a workflow.
The following example works in a repository containing a Docker image's
definition and contents. Triggered by a pull request, the action builds the
image and uses Docker Scout to compare the new version to the current published
version.
First, set up the rest of the workflow. There's a lot that's not specific to
Docker Scout but needed to create the images to compare. For more details on
those actions and using GitHub Actions with Docker in general, see [the GitHub Actions documentation](../../../build/ci/github-actions/index.md).
Add the following to a GitHub Actions YAML file:
{% raw %}
```yaml
name: Docker
on:
push:
tags: ["*"]
branches:
- "main"
pull_request:
branches: ["**"]
env:
# Use docker.io for Docker Hub if empty
REGISTRY: docker.io
IMAGE_NAME: ${{ github.repository }}
SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
```
{% endraw %}
This sets up the workflow to run on pull requests and pushes to the `main`
branch, and sets up environment variables available to all workflow steps. It
then defines a job called `build` that runs on the latest Ubuntu image and sets
the permissions available to the job.
Add the following to the YAML file:
{% raw %}
```yaml
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
ref: ${{ env.SHA }}
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v2.5.0
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@v2.1.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PAT }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v4.4.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.revision=${{ env.SHA }}
tags: |
type=edge,branch=$repo.default_branch
type=semver,pattern=v{{version}}
type=sha,prefix=,suffix=,format=short
```
{% endraw %}
This creates workflow steps to checkout the repository, set up Docker buildx,
log into the Docker registry, and extract metadata from Git reference and GitHub
events to use in later steps.
Add the following to the YAML file:
{% raw %}
```yaml
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v4.0.0
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
```
{% endraw %}
This uses the extracted metadata from the previous step to build and push the
Docker image to Docker Hub. GitHub Actions skips this step on pull requests and
only runs when a pull request is merged.
Add the following to the YAML file:
{% raw %}
```yaml
- name: Docker Scout
id: docker-scout
if: ${{ github.event_name == 'pull_request' }}
uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506
with:
command: compare
image: ${{ steps.meta.outputs.tags }}
to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:edge
ignore-unchanged: true
only-severities: critical,high
token: ${{ secrets.DOCKER_PAT }}
```
{% endraw %}
This final step uses the Docker Scout CLI to run [the `compare` command](../../../engine/reference/commandline/scout_compare.md), comparing the new
image to the published one. It only shows critical or high-severity
vulnerabilities and ignores vulnerabilities that haven't changed since the last
analysis.
The GitHub Action outputs the comparison results as a table and a summary in the
action output.
![A screenshot showing the results of Docker Scout output in a GitHub Action](../../images/gha-output.png)

93
scout/integrations/ci/gitlab.md Normal file
View File

@ -0,0 +1,93 @@
---
description: How to integrate Docker Scout with GitLab CI
keywords: supply chain, security, ci, continuous integration, gitlab
title: Integrate Docker Scout with GitLab CI
---
{% include scout-early-access.md %}
The following examples runs in GitLab CI in a repository containing a Docker
image's definition and contents. Triggered by a commit, the pipeline builds the
image. If the commit was to the default branch, it uses Docker Scout to get a
CVE report. If the commit was to a different branch, it uses Docker Scout to
compare the new version to the current published version.
First, set up the rest of the workflow. There's a lot that's not specific to
Docker Scout but needed to create the images to compare.
Add the following to a _.gitlab-ci.yml_ file at the root of your repository.
```yaml
docker-build:
image: docker:latest
stage: build
services:
- docker:dind
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
# Install curl and the Docker Scout CLI
- |
apk add --update curl
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
apk del curl
rm -rf /var/cache/apk/*
# Login to Docker Hub required for Docker Scout CLI
- docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PAT"
```
This sets up the workflow to build Docker images with GitLab's
"Docker-in-Docker" mode to run Docker inside a container.
It then downloads curl and the Docker CLI and logs into the GitLab CI registry
and the Docker registry using environment variables defined in your repository's
settings.
Add the following to the YAML file:
{% raw %}
```yaml
script:
- |
if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
tag=""
echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
else
tag=":$CI_COMMIT_REF_SLUG"
echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
fi
- docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
- |
if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
# Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
docker scout cves "$CI_REGISTRY_IMAGE${tag}" --exit-code --only-severity critical,high
else
# Compare image from branch with latest image from the default branch and fail if new critical or high CVEs are detected
docker scout compare "$CI_REGISTRY_IMAGE${tag}" --to "$CI_REGISTRY_IMAGE:latest" --exit-code --only-severity critical,high --ignore-unchanged
fi
- docker push "$CI_REGISTRY_IMAGE${tag}"
```
{% endraw %}
This creates the flow mentioned previously. If the commit was to the default
branch, Docker Scout generates a CVE report. If the commit was to a different
branch, Docker Scout compares the new version to the current published version.
It only shows critical or high-severity vulnerabilities and ignores
vulnerabilities that haven't changed since the last analysis.
Add the following to the YAML file:
```yaml
rules:
- if: $CI_COMMIT_BRANCH
exists:
- Dockerfile
```
These final lines ensure that the pipeline only runs if the commit contains a
Dockerfile and if the commit was to the CI branch.
_The following is a video walkthrough of the process of setting up the workflow with GitLab._
<div style="position: relative; padding-bottom: 64.86486486486486%; height: 0;"><iframe src="https://www.loom.com/embed/451336c4508c42189532108fc37b2560?sid=f912524b-276d-417d-b44a-c2d39719aa1a" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen style="position: absolute; top: 0; left: 0; width: 100%; height: 100%;"></iframe></div>

20
scout/integrations/ci/index.md Normal file
View File

@ -0,0 +1,20 @@
---
description: How to setup Docker Scout in continuous integration pipelines
keywords: scanning, vulnerabilities, Hub, supply chain, security, ci, continuous integration, github actions, gitlab
title: Using Docker Scout in continuous integration
redirect_from:
- /scout/ci/
---
{% include scout-early-access.md %}
You can analyze Docker images in continuous integration pipelines as you build
them using a GitHub action or the Docker Scout CLI plugin.
Available integrations:
- [GitHub Actions](gha.md)
- [GitLab](gitlab.md)
- [Microsoft Azure DevOps Pipelines](azure.md)
- [Circle CI](circle-ci.md)
- [Jenkins](jenkins.md)

32
scout/integrations/ci/jenkins.md Normal file
View File

@ -0,0 +1,32 @@
---
description: How to integrate Docker Scout with Jenkins
keywords: supply chain, security, ci, continuous integration, jenkins
title: Integrate Docker Scout with Jenkins
---
{% include scout-early-access.md %}
You can add the following stage and steps definition to a `Jenkinsfile` to run
Docker Scout as part of a Jenkins pipeline. The pipeline needs two secrets
defined to authenticate with Docker Hub: `DOCKER_HUB_USER` and `DOCKER_HUB_PAT`
It also needs an environment variable defined for the image and tag.
```groovy
stage('Analyze image') {
steps {
// Install Docker Scout
sh 'curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b /usr/local/bin'
// Log into Docker Hub
sh 'echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USER --password-stdin'
// Analyze and fail on critical or high vulnerabilities
sh 'docker-scout cves $IMAGE_TAG --exit-code --only-serverity critical,high'
}
}
```
This installs Docker Scout, logs into Docker Hub, and then runs Docker Scout to
generate a CVE report for an image and tag. It only shows critical or
high-severity vulnerabilities.

44
scout/integrations/index.md Normal file
View File

@ -0,0 +1,44 @@
---
description: How to setup Docker Scout with other systems.
keywords: supply chain, security, integrations, registries, ci, environments
title: Integrating Docker Scout with other systems
---
{% include scout-early-access.md %}
By default, Docker Scout integrates with your Docker organization and your
Docker Scout-enabled repositories on Docker Hub. You can integrate Docker Scout
with additional third-party systems to get access to even more insights,
including realtime information about you running workloads.
## Integration categories
You'll get different insights depending on where and how you choose to integrate
Docker Scout.
### Container registries
Integrating Docker Scout with third-party container
registries enables Docker Scout to run image analysis on those repositories,
so that you can get insights into the composition of those images even if they
aren't hosted on Docker Hub.
The following container registry integrations are available:
- [Artifactory](./registry/artifactory.md)
- Amazon ECR (coming soon)
### Continuous Integration
Integrating Docker Scout with Continuous Integration (CI) systems is a great
way to get instant, automatic feedback about your security posture in your inner
loop. Analysis running in CI also gets the benefit of additional context that's
useful for getting even more insights.
The following CI integrations are available:
- [GitHub Actions](./ci/gha.md)
- [GitLab](./ci/gitlab.md)
- [Microsoft Azure DevOps Pipelines](./ci/azure.md)
- [Circle CI](./ci/circle-ci.md)
- [Jenkins](./ci/jenkins.md)

0
scout/artifactory.md → scout/integrations/registry/artifactory.md
View File

6
scout/quickstart.md
View File

@ -166,7 +166,8 @@ base images your images use.
You can see and share the same vulnerability information about an image and
the other images in your organization in the [Docker Scout Dashboard](./dashboard.md).
All organization members can see an overview of all their images from Docker Hub and Artifactory,
All organization members can see an overview of all their images from integrated container registries,
and get remediation advice at their fingertips. This helps team members in
security, compliance, and operations to know what vulnerabilities and issues to focus on.
@ -213,6 +214,5 @@ different tags of the same image.
- Explore the [Docker Scout Dashboard](/scout/dashboard) to see how you can
collaborate with your team on vulnerabilities.
- [Find out how to integrate Docker Scout with your CI/CD pipeline](/scout/ci).
- [Learn how to integrate Docker Scout with other systems](./integrations/index.md).
- [Find out where Docker Scout gets its vulnerability data](/scout/advisory-db-sources).
- [Integrate images from JFrog Artifactory](/scout/artifactory).