From 392ce76849fb8c3a1739f98ccce9d91c78fbbc8f Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Tue, 26 Sep 2023 16:24:35 +0200 Subject: [PATCH 1/3] scout: update licensing policy name and description Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- .github/vale/Vocab/Technology/accept.txt | 2 ++ content/scout/policy/_index.md | 8 +++++--- content/scout/policy/view.md | 6 +++--- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/vale/Vocab/Technology/accept.txt b/.github/vale/Vocab/Technology/accept.txt index 72a3a7c713..2dfdda75b2 100644 --- a/.github/vale/Vocab/Technology/accept.txt +++ b/.github/vale/Vocab/Technology/accept.txt @@ -1,3 +1,4 @@ +AGPLv3 APIs? ARM AWS @@ -25,6 +26,7 @@ Fargate Fedora Flink GPG +GPLv3 GRUB GeoNetwork Git diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md index 775af3f068..8f704c672c 100644 --- a/content/scout/policy/_index.md +++ b/content/scout/policy/_index.md @@ -60,7 +60,7 @@ Docker Scout ships the following three out-of-the-box policies: - [Critical and high vulnerabilities with fixes](#critical-and-high-vulnerabilities-with-fixes) - [Critical vulnerabilities](#critical-vulnerabilities) -- [Packages with GPL3+ licenses](#packages-with-gpl3-licenses) +- [Packages with AGPLv3, GPLv3 licenses](#packages-with-agplv3-gplv3-licenses) These policies are turned on by default for Scout-enabled repositories. There's currently no way to turn off or configure these policies. 
@@ -90,10 +90,12 @@ more critical vulnerabilities. This policy flags all critical vulnerabilities, whether or not there's a fix version available. -### Packages with GPL3+ licenses +### Packages with AGPLv3, GPLv3 licenses This policy requires that your artifacts don't contain packages distributed -under a GPL3+ [copyleft](https://en.wikipedia.org/wiki/Copyleft) license. +under an AGPLv3 or GPLv3 license. These licenses are protective +[copyleft](https://en.wikipedia.org/wiki/Copyleft), and may be unsuitable for +use in your software because of the restrictions they enforce. This policy is unfulfilled if your artifacts contain one or more packages with a violating license. diff --git a/content/scout/policy/view.md b/content/scout/policy/view.md index 60eb217ae1..f604438909 100644 --- a/content/scout/policy/view.md +++ b/content/scout/policy/view.md @@ -72,9 +72,9 @@ version that removes the vulnerability, when a fix version is available. To fix the issue, upgrade the package version to the fix version. For licensing-related policies, the list shows all packages whose license -doesn't meet the policy criteria. To fix the issue, look for an alternative -package distributed under a more appropriate license, or cut the dependency by -reimplementing the functionality in your own code. +doesn't meet the policy criteria. To fix the issue, find a way to remove the +dependency to the violating package, for example by looking for an alternative +package distributed under a more appropriate license. ## CLI From 1931cfbc8fc013d405515a5935e5c05860f40b4d Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Fri, 29 Sep 2023 16:20:28 +0200 Subject: [PATCH 2/3] scout: base image policy Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/scout/policy/_index.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) 
diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md index 8f704c672c..f0d3ad7498 100644 --- a/content/scout/policy/_index.md +++ b/content/scout/policy/_index.md @@ -61,6 +61,7 @@ Docker Scout ships the following three out-of-the-box policies: - [Critical and high vulnerabilities with fixes](#critical-and-high-vulnerabilities-with-fixes) - [Critical vulnerabilities](#critical-vulnerabilities) - [Packages with AGPLv3, GPLv3 licenses](#packages-with-agplv3-gplv3-licenses) +- [Base images not up-to-date](#base-images-not-up-to-date) These policies are turned on by default for Scout-enabled repositories. There's currently no way to turn off or configure these policies. @@ -99,3 +100,28 @@ use in your software because of the restrictions they enforce. This policy is unfulfilled if your artifacts contain one or more packages with a violating license. + +### Base images not up-to-date + +This policy requires that the base images you use are up-to-date. + +It's unfulfilled when the tag you used to build your image points to a +different digest than what you're using. If there's a mismatch in digests, that +means the base image you're using is out of date. + +#### No base image data + +There are cases when it's not possible to determine whether or not the base +image is up-to-date. In such cases, the **Base images not up-to-date** policy +gets flagged as having **No data**. + +This occurs when: + +- Docker Scout doesn't know what base image tag you used +- The base image version you used has multiple tags, but not all tags are out + of date + +To make sure that Docker Scout always knows about your base image, you can +attach [provenance attestations](../../build/attestations/slsa-provenance.md) +at build-time. Docker Scout uses provenance attestations to find out the base +image version. From 2d48065c113ecc821afcd363440bf89d1315289f Mon Sep 17 00:00:00 2001 
From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Mon, 2 Oct 2023 05:44:06 +0200 Subject: [PATCH 3/3] scout: policy redirect Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- data/redirects.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/redirects.yml b/data/redirects.yml index 7c9147e398..c5c25f6c47 100644 --- a/data/redirects.yml +++ b/data/redirects.yml @@ -578,6 +578,8 @@ - /go/scout-quickstart/ "/scout/ci/": - /go/scout-ci/ +"/scout/policy/": + - /go/scout-policy/ # integrations "/scout/integrations/ci/gha/": - "/go/scout-gha/"
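Review bot: in the first `content/scout/policy/_index.md` hunk of patch 1, renaming the list entry to `[Packages with AGPLv3, GPLv3 licenses](#packages-with-agplv3-gplv3-licenses)` also retires the old anchor `#packages-with-gpl3-licenses`, and nothing in this series adds an alias or redirect for it, so existing deep links to that section will silently land at the top of the page; either keep an anchor alias for the old id or add it to the redirect data alongside the `/scout/policy/` entry from patch 3.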
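Review bot: the rewritten policy description in the second `_index.md` hunk of patch 1 narrows the wording from "GPL3+" to "an AGPLv3 or GPLv3 license" without saying whether packages declared as GPL-3.0-or-later (the "+" form the old heading referred to) are still in scope; state that explicitly, because it decides whether the policy fires for them. The heading "Packages with AGPLv3, GPLv3 licenses" would also read more naturally as "Packages with AGPLv3 or GPLv3 licenses", matching the body text, though changing it again changes the anchor a second time.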
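Review bot: in the `content/scout/policy/view.md` hunk of patch 1, "find a way to remove the dependency to the violating package" should be "remove the dependency on the violating package". The rewrite also drops the previous remediation option of reimplementing the functionality in your own code; if that is still an acceptable way to satisfy the policy, keep it as a second example after the "alternative package" one, otherwise "for example" now introduces the only option listed.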
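Review bot: the first `_index.md` hunk of patch 2 adds a fourth list item, `- [Base images not up-to-date](#base-images-not-up-to-date)`, but the unchanged context line above it still says "Docker Scout ships the following three out-of-the-box policies"; update the count (or drop the number) in the same change so the intro and the list agree.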
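Review bot: in the second `_index.md` hunk of patch 2, the sentence "It's unfulfilled when the tag you used to build your image points to a different digest than what you're using" is hard to parse; the comparison being described is between the digest the tag resolves to now and the digest your image was actually built from, so something like "It's unfulfilled when the tag you used to build your image now resolves to a different digest than the one your image was built from" says the same thing more plainly. Two smaller points in the same hunk: "at build-time" should be "at build time", and the second "No data" bullet ("has multiple tags, but not all tags are out of date") would benefit from a clause saying why that prevents evaluation, namely that Docker Scout cannot tell which of those tags the image was built from. Please also confirm that the relative link `../../build/attestations/slsa-provenance.md` resolves in the site build.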