Merge pull request #18060 from dvdksn/scout/ia-refactor

scout: information architecture refactor
David Karlsson 2023-08-30 18:05:53 +02:00 committed by GitHub
commit 8c318a0a18
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 306 additions and 370 deletions

View File

@ -128,7 +128,7 @@ that affect images that you build or use.
which when enabled automatically scans images when you push them to a Docker Hub
repository. Requires a [Docker subscription](../subscription/index.md).
- Docker Hub also supports an early-access
[advanced image analysis](../scout/advanced-image-analysis.md) feature, which extends
[advanced image analysis](../scout/image-analysis.md) feature, which extends
the "core" vulnerability scanning solution with enhanced capabilities and more
detailed and actionable insights.
- For the CLI, there's the
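Review bot: the link text in this hunk still reads "advanced image analysis" even though only the target path changed; the renamed page's title is "Docker Scout image analysis", and the other link updates in this PR (for example "Find out more in the [image analysis](./image-analysis.md) documentation" and "in the [image analysis page](./image-analysis.md)") drop "advanced". Suggest "an early-access [image analysis](../scout/image-analysis.md) feature" here for consistency.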
@ -158,4 +158,4 @@ To summarize the topics covered in this guide:
- Ensure you carefully monitor and manage the tools and dependencies you add to
your image.
- Ensure you scan images at multiple stages during your development lifecycle.
- Check your images frequently for vulnerabilities.
- Check your images frequently for vulnerabilities.

View File

@ -43,10 +43,10 @@ There is no action required on your part. Scans continue to run as usual
with no interruption or changes to pricing. Historical data continues to be
available.
This page describes the Basic Hub vulnerability scanning feature. Docker Scout
also supports an [Advanced image analysis](../scout/advanced-image-analysis.md)
feature that provides more in-depth results and guided remediation steps for
improving your security posture.
This page describes the Basic Hub vulnerability scanning feature. There's also
the [Docker Scout image analysis](../scout/image-analysis.md) feature, that
provides more in-depth results and guided remediation steps for improving your
security posture.
## Scan images with Basic vulnerability scanning
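Review bot: the new sentence "the [Docker Scout image analysis](../scout/image-analysis.md) feature, that provides more in-depth results" puts a comma before a restrictive "that"; either drop the comma or write ", which provides more in-depth results and guided remediation steps".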
@ -166,4 +166,4 @@ a repository. To disable scanning:
2. Go to **Repositories** and then select a repository from the list.
3. Go to the **Settings** tab.
4. Under **Image insight settings**, select **None**.
5. Select **Save**.
5. Select **Save**.

View File

@ -1,18 +1,45 @@
---
title: Docker Scout
keywords: scout, supply chain, vulnerabilities, packages, cves, scan, analysis, analyze
description: 'Docker Scout analyzes your images to help you understand their dependencies
description:
Docker Scout analyzes your images to help you understand their dependencies
and potential vulnerabilities
'
aliases:
- /atomist/
- /atomist/try-atomist/
- /atomist/configure/settings/
- /atomist/configure/advisories/
- /atomist/integrate/github/
- /atomist/integrate/deploys/
- /engine/scan/
- /atomist/
- /atomist/try-atomist/
- /atomist/configure/settings/
- /atomist/configure/advisories/
- /atomist/integrate/github/
- /atomist/integrate/deploys/
- /engine/scan/
grid:
- title: Quickstart
link: /scout/quickstart/
description: Learn what Docker Scout can do, and how to get started.
icon: explore
- title: Image analysis
link: /scout/image-analysis/
description: Reveal and dig into the composition of your images.
icon: radar
- title: Advisory database
link: /scout/advisory-db-sources/
description: Learn about the information sources that Docker Scout uses.
icon: database
- title: Integrations
description: |
Connect Docker Scout with your CI, registries, and other third-party services.
link: /scout/integrations/
icon: multiple_stop
- title: Dashboard
link: /scout/dashboard/
description: |
The web interface for Docker Scout.
icon: dashboard
- title: Policy {{< badge color=violet text=Beta >}}
link: /scout/policy/
description: |
Ensure that your artifacts align with supply chain best practices.
icon: policy
---
{{< include "scout-early-access.md" >}}
@ -27,93 +54,11 @@ packages and layers called a [Software bill of materials (SBOM)](https://ntia.go
It then correlates this inventory with a continuously updated vulnerability
database to identify vulnerabilities in your images.
You can use Docker Scout in [Docker Desktop](#docker-desktop), [Docker Hub](#docker-hub), the [Docker CLI](#docker-scout-cli),
and in the [Docker Scout Dashboard](./dashboard.md). Docker Scout also supports integrations with third-party systems,
refer to [Integrating Docker Scout](./integrations/index.md) for more information.
You can use Docker Scout in Docker Desktop, Docker Hub, the Docker CLI, and in
the [Docker Scout Dashboard](./dashboard.md). Docker Scout also supports
integrations with third-party systems, refer to [Integrating Docker
Scout](./integrations/index.md) for more information.
{{< include "scout-plans.md" >}}
## Quickstart
_The following video shows an end-to-end workflow of using Docker Scout to remediate a reported vulnerability_.
<div style="position: relative; padding-bottom: 64.86486486486486%; height: 0;"><iframe src="https://www.loom.com/embed/e066986569924555a2546139f5f61349?sid=6e29be62-78ba-4aa7-a1f6-15f96c37d916" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen style="position: absolute; top: 0; left: 0; width: 100%; height: 100%;"></iframe></div>
> **Quickstart with Docker Scout**
>
> For a self-guided quickstart that shows you how to use Docker Scout to identify and remediate vulnerabilities in your images, read the [quickstart](./quickstart.md).
{ .tip }
## Enabling Docker Scout
_The following video shows how to enable Docker Scout on your repositories_.
<div style="position: relative; padding-bottom: 64.86486486486486%; height: 0;"><iframe src="https://www.loom.com/embed/a6fb14ede0a94d0d984edf6cf16604e0?sid=ba34f694-32a6-4b74-b3f8-9cc6b80ef66f" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen style="position: absolute; top: 0; left: 0; width: 100%; height: 100%;"></iframe></div>
### Docker Desktop
> **Note**
>
> There is a 3 GB size limit on images analyzed by Docker Scout in Docker Desktop.
Docker Scout analyzes all images stored locally in Docker Desktop, providing you
with up-to-date vulnerability information as you build your images.
For more information, read the [Advanced image analysis guide](./advanced-image-analysis.md).
### Docker Hub
If you enable [Advanced image analysis](./advanced-image-analysis.md) for a
repository in Docker Hub, Docker Scout analyzes your images every time you push
them to Docker Hub. Docker Scout shows analysis results on every tag view for
that repository.
The analysis updates continuously, meaning that the vulnerability report for an
image is always up to date as Docker Scout becomes aware of new CVEs. No need to
re-analyze an image.
For more information, read the [Advanced image analysis guide](./advanced-image-analysis.md).
### Docker Scout CLI plugin {#docker-scout-cli}
The `docker scout` CLI plugin provides a terminal interface for using Docker
Scout with local and remote images.
Using the CLI, you can analyze images and view the analysis report in text
format. You can print the results directly to stdout, or export them to a file
using a structured format, such as Static Analysis Results Interchange Format
(SARIF).
For more information about how to use the `docker scout` CLI, see the
[reference documentation](../engine/reference/commandline/scout.md).
The plugin is available in Docker Desktop starting with version 4.17 and
available as a standalone binary.
To install the plugin, run the following command:
```console
$ curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
$ sh install-scout.sh
```
> **Note**
>
> Always examine scripts downloaded from the internet before running them locally.
> Before installing, make yourself familiar with potential risks and limitations
> of the convenience script.
If you want to install the plugin manually, you can find full instructions in
the [plugin's repository](https://github.com/docker/scout-cli).
The plugin is also available as [a container image](https://hub.docker.com/r/docker/scout-cli)
and as [a GitHub action](https://github.com/docker/scout-action).
### Docker Scout Dashboard
The [Docker Scout Dashboard](https://scout.docker.com)
helps you share the analysis and security status of images in
an organization with your team. You can also use the dashboard settings to enable
Docker Scout on multiple images from Docker Hub at once.
For more information, read the [Docker Scout Dashboard guide](./dashboard.md).
{{< grid >}}
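Review bot: the rewritten overview paragraph keeps a comma splice: "Docker Scout also supports integrations with third-party systems, refer to [Integrating Docker Scout](./integrations/index.md) for more information." Split it ("...third-party systems. Refer to ..." or "...third-party systems; see ..."). The material removed here (the 3 GB Docker Desktop limit, the `docker scout` CLI install commands with the note about examining a downloaded script before running it, and the Dashboard description) needs a home on the new pages; the CLI install block and its note reappear in image-analysis.md in this PR, but the overview no longer tells readers where to find the Desktop and Hub instructions beyond the grid links, so consider a one-line pointer to the image analysis page in the intro.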

View File

@ -1,116 +0,0 @@
---
description: Advanced image analysis is a Docker Scout feature for Docker Hub
keywords: scanning, vulnerabilities, Hub, supply chain, security
title: Advanced image analysis
---
{{< include "scout-early-access.md" >}}
Advanced image analysis is a Docker Scout feature for Docker Hub.
When you activate Advanced image analysis for a repository, Scout analyzes new tags
automatically when you push to that repository. Advanced image analysis
is more than point-in-time scanning, the analysis gets reevaluated
continuously, meaning you don't need to re-scan the image to see an updated
vulnerability report.
The **General** tab of an image page on Docker Hub shows a summary of common vulnerabilities and
exposures (CVEs) for the image in the **Tags** section. The **Tags** tab shows all analysis results.
The **Images** section of Docker Desktop shows an overview of CVEs for an image and the details view shows all vulnerabilities.
## Activate Advanced image analysis
Advanced image analysis is an early access feature and activated on a
per-repository basis for organizations with a
[Docker Pro, Team, or Business subscription](../subscription/index.md).
> **Note**
>
> Only repository owners and administrators can activate Advanced image analysis
> on a repository.
To activate Advanced image analysis:
1. Log into your Docker Hub account.
2. Click **Repositories** from the main menu and select a repository from the
list.
3. Go to the **Settings** tab
4. Under **Image insight settings**, select **Advanced image analysis provided
by Docker Scout**.
5. Select **Save**.
> **Tip**
>
> You can enable Advanced image analysis on repositories in bulk from
> the [Docker Scout Dashboard settings](./dashboard.md#repository-settings).
{ .tip }
## Analyze an image
To trigger Advanced image analysis, push an image to a Docker Hub repository
with Advanced image analysis active:
1. Sign in with your Docker ID, either using the `docker login` command or the
**Sign in** button in Docker Desktop.
2. Tag the image to analyze. For example, to tag a Redis image, run:
```console
$ docker tag redis <org>/<imagename>:latest
```
3. Push the image to Docker Hub to trigger analysis of the image:
```console
$ docker push <org>/<imagename>:latest
```
## View the vulnerability report
To view the vulnerability report on Docker Hub:
1. Go to Docker Hub and open the repository page. The **Tags** section
displays a vulnerability summary.
It may take a few minutes for the vulnerability report to appear. If your vulnerability summary doesn't display, wait a moment
and then refresh the page.
2. Click on the tag in the table. This opens the details page for the tag.
3. Select the **Vulnerabilities** tab on the right side of the page.
This tab displays a deep-dive view of the image's packages and any known vulnerabilities.
For more information about how to interpret the vulnerability report, see
[Image details view](./image-details-view.md).
Expanding any of the packages in the list shows you more information about the
vulnerabilities that affect a given package. Expanding the vulnerability shows a summary of it's details and
selecting the vulnerability name opens Docker's image vulnerability database, which provides
more information on the vulnerability and what images it affects.
## Deactivate Advanced image analysis
> **Note**
>
> Only repository owners and administrators can deactivate Advanced image
> analysis on a repository.
To deactivate Advanced image analysis:
1. Go to Docker Hub and sign in.
2. Select **Repositories** from the main menu and select a repository from the
list.
3. Go to the **Settings** tab.
4. Under **Image insight settings**, select one of the following options:
- **Basic Hub vulnerability scanning** to use the basic scanning feature.
- **None** to turn off vulnerability detection.
5. Select **Save**.
## Feedback
Thank you for trying out the Advanced image analysis feature. Give feedback or
report any bugs you may find through the issues tracker on the
[hub-feedback](https://github.com/docker/hub-feedback/issues) GitHub repository.

View File

@ -1,8 +1,8 @@
---
description: More details on the Advisory Database and CVE-to-package matching service
description: More details on the advisory database and CVE-to-package matching service
behind Docker Scout analysis.
keywords: scanning, analysis, vulnerabilities, Hub, supply chain, security
title: Advisory Database sources and matching service
title: Advisory database sources and matching service
---
{{< include "scout-early-access.md" >}}
@ -16,10 +16,9 @@ artifacts. This can lead to differing results between tools.
To help you understand why different tools can provide different results when
assessing software for vulnerabilities, this page explains how the Docker Scout
Advisory Database vulnerability database and CVE-to-package matching service
works.
advisory database and CVE-to-package matching service works.
## Docker Scouts Advisory Database sources
## Docker Scouts advisory database sources
Docker Scout creates and maintains its vulnerability database by ingesting and
collating vulnerability data from multiple sources continuously. These
@ -60,7 +59,7 @@ it can identify the artifact thats now vulnerable, why, and where its in u
When a customer enrolls with Docker Scout, the organization receives their own
instance of the database. This database tracks timestamped metadata about your
images that Docker Scout can then match to CVEs. Find more details on how this
works in the [Advanced image analysis document](./advanced-image-analysis.md).
works in the [image analysis page](./image-analysis.md).
Docker Scout is ideal for analyzing images in Docker Desktop and Docker Hub, but
the flexibility of the approach also means it can integrate with other systems,
@ -103,7 +102,7 @@ system versions to make more precise matches.
In summary, Docker Scouts technique improves matching accuracy and reduces the
number of results that turn out to be false-positives.
## Package ecosystems supported by the Docker Scout Advisory Database
## Package ecosystems supported by Docker Scout
By sourcing vulnerability data from the providers above, Docker Scout is able to support analyzing the following package ecosystems:
@ -118,4 +117,4 @@ By sourcing vulnerability data from the providers above, Docker Scout is able to
- Ruby
- `alpm` (Arch Linux)
- `apk` (Alpine Linux)
- `deb` (Debian Linux and derivatives)
- `deb` (Debian Linux and derivatives)

View File

@ -1,12 +1,6 @@
---
description: 'Integrate JFrog Artifactory and JFrog Container Registry with Docker
Scout
'
keywords: 'docker scout, jfrog, artifactory, jcr, integration, image analysis, security,
cves
'
description: Integrate JFrog Artifactory and JFrog Container Registry with Docker Scout
keywords: docker scout, jfrog, artifactory, jcr, integration, image analysis, security, cves
title: Artifactory integration
---
@ -198,4 +192,4 @@ You can view the image analysis results in the Docker Scout Dashboard.
When you have selected a tag, you're taken to the vulnerability report for that
tag. Here, you can select if you want to view all vulnerabilities in the image,
or vulnerabilities introduced in a specific layer. You can also filter
vulnerabilities by severity, and whether or not there's a fix version available.
vulnerabilities by severity, and whether or not there's a fix version available.

View File

@ -27,7 +27,7 @@ Select the checkboxes for the repositories on which you want to enable Docker Sc
select **Enable image analysis**.
When you enable image analysis for a repository, Docker Scout analyzes new tags
automatically when you push to that repository. Find out more in the [Advanced image analysis](./advanced-image-analysis.md) documentation.
automatically when you push to that repository. Find out more in the [image analysis](./image-analysis.md) documentation.
Disable Docker Scout analysis on selected repositories by selecting **Disable image analysis**.
@ -171,4 +171,4 @@ Following this information is a list of all repositories affected by the vulnera
- The current tag version of the image. Selecting the link for the tag name opens [the repository tag list layer view](#image-layer-view).
- The date the image was last pushed.
- The registry where the image is stored.
- The affected package name and version in the image.
- The affected package name and version in the image.

View File

@ -0,0 +1,210 @@
---
title: Docker Scout image analysis
description:
Docker Scout image analysis provides a detailed view into the composition of
your images and the vulnerabilities that they contain
keywords: scanning, vulnerabilities, supply chain, security, analysis
aliases:
- /scout/advanced-image-analysis/
---
{{< include "scout-early-access.md" >}}
When you activate image analysis for a repository, Docker Scout analyzes new
images automatically when you push to that repository. Docker Scout image
analysis is more than point-in-time scanning, the analysis gets reevaluated
continuously, meaning you don't need to re-scan the image to see an updated
vulnerability report.
Docker Scout image analysis is available by default for Docker Hub
repositories. You can also integrate third-party registries, such as Amazon ECR
and JFrog Artifactory, and even run image analysis locally on your development
machine.
The following video shows how to activate Docker Scout image analysis on your
repositories.
<iframe class="border-0 w-full aspect-video mb-8" allow="fullscreen" src="https://www.loom.com/embed/a6fb14ede0a94d0d984edf6cf16604e0?sid=ba34f694-32a6-4b74-b3f8-9cc6b80ef66f"></iframe>
## Activate image analysis
The free tier of Docker Scout lets you use Docker Scout for up to 3
repositories per Docker organization. You can update your Docker Scout plan if
you need additional repositories, see [Docker Scout
billing](../billing/scout-billing.md).
> **Note**
>
> You must have the **Editor** or **Owner** role in the Docker organization to
> activate image analysis on a repository.
To activate image analysis:
1. Go to the [Docker Scout Dashboard](https://scout.docker.com/)
2. Sign in with your Docker ID.
3. Make sure that the correct Docker organization is selected.
4. Open the settings menu and select **Repository settings**.
5. Select the repositories that you want to enable.
6. Select **Enable image analysis**.
## Analyze registry images
To trigger image analysis for an image in a registry, push the image to a registry that's
integrated with Docker Scout, to a repository where image analysis is
activated.
Prerequisites:
- The registry must be integrated with Docker Scout. Docker Hub is integrated
by default.
- You must [activate Docker Scout](#activate-image-analysis) for the
repository, before pushing the image.
1. Sign in with your Docker ID, either using the `docker login` command or the
**Sign in** button in Docker Desktop.
2. Build and tag the image that you want to analyze.
```console
$ docker build --tag <org>/<image>:latest --provenance=true --sbom=true .
```
> **Note**
>
> Building with the `--provenance=true` and `--sbom=true` flags attach
> [build attestations](../build/attestations/_index.md) to the image, which
> yields more precise analysis results.
3. Push the image to Docker Hub to trigger analysis of the image:
```console
$ docker push <org>/<imagename>:latest
```
4. Go to the [Docker Scout Dashboard](https://scout.docker.com/)
5. Sign in with your Docker ID.
6. Select the Docker organization that contains the image you just pushed.
7. Go to the **Images** tab. The image appears in the list shortly after you
push it to the registry.
It may take a few minutes for the analysis report to appear. If the analysis
report is not available, wait a moment and then refresh the page.
## Analyze images locally
You can analyze local images with Docker Scout using Docker Desktop or the
`docker scout quickview` and `docker scout cves` commands for the Docker CLI.
### Docker Desktop
> **Note**
>
> There is a 3 GB size limit on images analyzed by Docker Scout in Docker
> Desktop.
To analyze an image locally using the Docker Desktop GUI:
1. Pull or build the image that you want to analyze.
2. Go to the **Images** view in the Docker Dashboard.
3. Select one of your local images in the list.
This opens the [Image details view](./image-details-view.md), showing a
breakdown of packages and vulnerabilities found by the Docker Scout analysis
for the image you selected.
### CLI
The `docker scout` CLI commands provide a terminal interface for using Docker
Scout with local and remote images.
Using the `docker scout quickview` and `docker scout cves` CLI commands, you
can analyze images locally and view the analysis report in text format. You can
print the results directly to stdout, or export them to a file using a
structured format, such as Static Analysis Results Interchange Format (SARIF).
#### Install
The Docker Scout CLI plugin is available in Docker Desktop starting with
version 4.17 and available as a standalone binary.
To install the latest version of the plugin manually, run the following
commands:
```console
$ curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
$ sh install-scout.sh
```
> **Note**
>
> Always examine scripts downloaded from the internet before running them
> locally. Before installing, make yourself familiar with potential risks and
> limitations of the convenience script.
If you want to install the plugin manually, you can find full instructions in
the [plugin's repository](https://github.com/docker/scout-cli).
The plugin is also available as [a container image](https://hub.docker.com/r/docker/scout-cli)
and as [a GitHub action](https://github.com/docker/scout-action).
#### Quickview
The `docker scout quickview` command provides an overview of the
vulnerabilities found in a given image and its base image.
```console
$ docker scout quickview traefik:latest
✓ SBOM of image already cached, 311 packages indexed
Your image traefik:latest │ 0C 2H 8M 1L
Base image alpine:3 │ 0C 0H 0M 0L
```
If your the base image is out of date, the `quickview` command also shows how
updating your base image would change the vulnerability exposure of your image.
```console
$ docker scout quickview postgres:13.1
✓ Pulled
✓ Image stored for indexing
✓ Indexed 187 packages
Your image postgres:13.1 │ 17C 32H 35M 33L
Base image debian:buster-slim │ 9C 14H 9M 23L
Refreshed base image debian:buster-slim │ 0C 1H 6M 29L
│ -9 -13 -3 +6
Updated base image debian:stable-slim │ 0C 0H 0M 17L
│ -9 -14 -9 -6
```
#### CVEs
The `docker scout cves` command gives you a complete view of all the
vulnerabilities in the image. This command supports several flags that lets you
specify more precisely which vulnerabilities you're interested in, for example,
by severity or package type:
```console
$ docker scout cves --format only-packages --only-vuln-packages \
--only-severity critical postgres:13.1
✓ SBOM of image already cached, 187 packages indexed
✗ Detected 10 vulnerable packages with a total of 17 vulnerabilities
Name Version Type Vulnerabilities
───────────────────────────────────────────────────────────────────────────
dpkg 1.19.7 deb 1C 0H 0M 0L
glibc 2.28-10 deb 4C 0H 0M 0L
gnutls28 3.6.7-4+deb10u6 deb 2C 0H 0M 0L
libbsd 0.9.1-2 deb 1C 0H 0M 0L
libksba 1.3.5-2 deb 2C 0H 0M 0L
libtasn1-6 4.13-3 deb 1C 0H 0M 0L
lz4 1.8.3-1 deb 1C 0H 0M 0L
openldap 2.4.47+dfsg-3+deb10u5 deb 1C 0H 0M 0L
openssl 1.1.1d-0+deb10u4 deb 3C 0H 0M 0L
zlib 1:1.2.11.dfsg-1 deb 1C 0H 0M 0L
```
For more information about these commands and how to use them, refer to the CLI
reference documentation:
- [`docker scout quickview`](../engine/reference/commandline/scout_quickview.md)
- [`docker scout cves`](../engine/reference/commandline/scout_cves.md)
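Review bot: the build and push steps in "Analyze registry images" use different placeholders: step 2 builds `--tag <org>/<image>:latest` while step 3 pushes `<org>/<imagename>:latest`, so a reader following the steps literally pushes a tag that was never built; use one placeholder in both commands (the deleted page used `<org>/<imagename>:latest`). Smaller fixes in the same hunk: "If your the base image is out of date" has a stray word; "several flags that lets you specify" should be "let you"; "Building with the `--provenance=true` and `--sbom=true` flags attach" should be "attaches" since the subject is "Building"; and the install section describes both paths as "manually" ("To install the latest version of the plugin manually, run the following commands" introduces the script, then "If you want to install the plugin manually" introduces the repository instructions), so the first should say "using the installation script". Good that the note about examining the downloaded script before running it was kept alongside the `curl ... | sh`-style install.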

View File

@ -29,11 +29,11 @@ with established best practices.
## How it works
When you activate Docker Scout for a repository, images that you push are
[automatically analyzed](../advanced-image-analysis.md). The analysis gives you
insights about the composition of your images, including what packages they
contain, and what vulnerabilities they're exposed to. Policy Evaluation builds
on top of the image analysis feature, interpreting the analysis results against
the rules defined by policies.
[automatically analyzed](./image-analysis.md). The analysis gives you insights
about the composition of your images, including what packages they contain and
what vulnerabilities they're exposed to. Policy Evaluation builds on top of the
image analysis feature, interpreting the analysis results against the rules
defined by policies.
A policy defines one or more criteria that your artifacts should fulfill. For
example, one of the default policies in Docker Scout is the **Critical

View File

@ -1,12 +1,9 @@
---
title: Docker Scout quickstart
keywords: scout, supply chain, vulnerabilities, packages, cves, scan, analysis, analyze
description: 'Learn how to get started with Docker Scout to analyze images and fix
vulnerabilities
'
description: Learn how to get started with Docker Scout to analyze images and fix vulnerabilities
aliases:
- /atomist/get-started/
- /atomist/get-started/
---
{{< include "scout-early-access.md" >}}
@ -19,7 +16,11 @@ This guide takes a vulnerable container image and shows you how to use Docker
Scout to identify and fix the vulnerabilities, compare image versions over time,
and share the results with your team.
## Setup
The following video shows an end-to-end workflow of using Docker Scout to remediate a reported vulnerability.
<iframe class="border-0 w-full aspect-video mb-8" allow="fullscreen" src="https://www.loom.com/embed/e066986569924555a2546139f5f61349?sid=6e29be62-78ba-4aa7-a1f6-15f96c37d916"></iframe>
## Step 1: Setup
[This example project](https://github.com/docker/scout-demo-service) contains
a vulnerable Node.js application that you can use to follow along.
@ -54,21 +55,23 @@ a vulnerable Node.js application that you can use to follow along.
> Make sure you log in to the Docker CLI or Docker Desktop before pushing.
{ .important }
## Enable Docker Scout
## Step 2: Enable Docker Scout
Docker Scout analyzes all local images by default. To analyze images in
remote repositories, you need to enable it first.
You can do this from Docker Hub, the Docker Scout Dashboard, and CLI.
[Find out how in the overview guide](/scout).
1. Use the Docker CLI [`docker scout repo enable`](/engine/reference/commandline/scout_repo_enable)
command to enable analysis on an existing repository with the following command:
1. Sign in to your Docker account with the `docker login` command or use the
**Sign in** button in Docker Desktop.
2. Use the Docker CLI [`docker scout repo enable`](/engine/reference/commandline/scout_repo_enable)
command to enable analysis on an existing repository:
```console
$ docker scout repo enable <org-name>/scout-demo
```
## Analyze image vulnerabilities
## Step 3: Analyze image vulnerabilities
After building, you can use Docker Desktop or the `docker scout` CLI command
to see vulnerabilities detected by Docker Scout.
@ -93,14 +96,14 @@ to see vulnerabilities detected by Docker Scout.
Docker Scout creates and maintains its vulnerability database by ingesting and
collating vulnerability data from multiple sources continuously. These sources
include many recognizable package repositories and trusted security trackers.
You can find more details in the [Advisory Database sources](./advisory-db-sources.md) document.
You can find more details in the [advisory database](./advisory-db-sources.md) documentation.
> **Tip**
>
> Find out how to filter results using the CLI command [`scout cves`](/engine/reference/commandline/scout_cves).
{ .tip }
## Fix application vulnerabilities
## Step 4: Fix application vulnerabilities
The fix suggested by Docker Scout is to update
the underlying vulnerable express version to 4.17.3 or later.
@ -130,7 +133,7 @@ the underlying vulnerable express version to 4.17.3 or later.
Now, viewing the latest tag of the image in Docker Desktop, the Docker Scout
Dashboard, or CLI, you can see that you have fixed the vulnerability.
## Fix vulnerabilities in base images
## Step 5: Fix vulnerabilities in base images
In addition to identifying application
vulnerabilities, Docker Scout also helps you identify and fix issues with the
@ -164,7 +167,7 @@ base images your images use.
$ docker scout cves <org-name>/scout-demo:v3
```
## Collaborate on vulnerabilities
## Step 6: Collaborate on vulnerabilities
You can see and share the same vulnerability information about an image and
the other images in your organization in the [Docker Scout Dashboard](./dashboard.md).
@ -185,7 +188,7 @@ security, compliance, and operations to know what vulnerabilities and issues to
> ![Screenshot showing organization picker in the Docker Scout dashboard](./images/scout-onboarding-org-picker.png)
{ .tip }
## Comparing image tags
## Step 7: Compare images
Over time as you build and push new tags of images, you can use the Docker Scout
CLI and Dashboard to compare the changes to vulnerabilities and packages in
@ -217,4 +220,4 @@ different tags of the same image.
- Explore the [Docker Scout Dashboard](/scout/dashboard) to see how you can
collaborate with your team on vulnerabilities.
- [Learn how to integrate Docker Scout with other systems](./integrations/index.md).
- [Find out where Docker Scout gets its vulnerability data](/scout/advisory-db-sources).
- [Find out where Docker Scout gets its vulnerability data](/scout/advisory-db-sources).

View File

@ -1,102 +0,0 @@
---
description: The Docker Scout Dashboard helps review and share the analysis of images.
keywords: scanning, analysis, vulnerabilities, Hub, supply chain, security, report,
reports, dashboard
title: Dashboard
aliases:
- /scout/reports/
- /scout/web-app/
---
{{< include "scout-early-access.md" >}}
The Docker Scout Dashboard helps you share the analysis of images in an organization with your team. Developers can now see an overview of their security status across all their images from both Docker Hub and Artifactory, and get remediation advice at their fingertips. It helps team members in roles such as security, compliance, and operations to know what vulnerabilities and issues they need to focus on.
## Overview
![A screenshot of the Docker Scout vulnerabilities overview](./images/dashboard-overview.png)
The **Overview** tab shows the total number of vulnerabilities across all your Scout-enabled repositories, over time. This calculation takes the most recent image in each repository to avoid including old irrelevant images.
## Images
![A screenshot of the Docker Scout images list for an organization](./images/dashboard-images.png)
The **Images** tab shows a list of images in an organization. You can search for specific repositories using the search box.
Each entry in the list shows the following details:
- The repository name for the image. Clicking the link for the repository opens the list of tags for the repository.
- The most recent version of the image and the vulnerabilities for that version. Clicking the link for the base image opens [the image layer view](#image-layer-view).
- The operating system and architecture of the image.
- The base image and version used by the repository and the vulnerabilities for that version. Clicking the link for the base image opens [the image layer view](#image-layer-view).
- The recommended fixes, which can include options such as changing tags or rebuilding an image.
- The predicted improvement to the vulnerabilities if you apply the recommended fixes.
- An action button to show implementable recommended fixes.
![Screenshot of recommended fixes for an image](./images/dashboard-suggested-fix.png)
### Repository tag list
The repository tag list shows all tags for a repository. You can search for specific tag versions using the search box.
Each entry in the list shows the following details:
- The tag version. Clicking the link for version opens [the image layer view](#image-layer-view).
- The operating system and architecture of the image.
- The vulnerabilities for the tag version.
- The last push for the tag version.
- The base image and version used by the repository and the vulnerabilities for
that version.
### Image layer view
The image layer view shows a breakdown of the Docker Scout analysis, including
an overview of the digest Secure Hash Algorithms (SHA), version, the image hierarchy (base images), image
layers, packages, and vulnerabilities.
![Screenshot showing Docker Scout image hierarchy](./images/dashboard-hierachy.png)
> **Note**
>
> You can find more details on the elements in the image layer view in [the image details view docs](./image-details-view.md).
Click the **View recommended fixes** button to see instructions to apply the recommended fixes for the image.
![Screenshot of recommended fixes for an image](./images/dashboard-suggested-fix.png)
## Packages and dependencies
![A screenshot of the Docker Scout packages and dependencies list](./images/dashboard-pandd.png)
The **Packages and dependencies** tab shows all packages and base images part of your images in an organization. You can sort the list by package name.
Each entry in the list shows the following details:
- The package name.
- The package type.
- The license(s) used by the package.
- The versions of the package used by images in the organization.
- The package type.
- The number of images that use the package.
## Vulnerabilities
![Screenshot showing Docker Scout Vulnerabilities list](./images/dashboard-vulns.png)
The **Vulnerabilities** tab shows a list of all vulnerabilities from images in the organization. You can sort the list by severity and search for Common Vulnerabilities and Exposures (CVE) ID using the search box.
Each entry in the list shows the following details:
- Severity of the vulnerability.
> **Note**
>
> Docker Scout bases the calculation behind this severity level on a variety
> of sources.
- The vulnerability CVE ID.
- The package name and version affected by this CVE.
- The Common Vulnerability Scoring System (CVSS) score for the vulnerability. Docker Scout shows the highest CVSS score from multiple sources.
- The number of images in the organization that use the package affected by this CVE.
- If Docker Scout knows of a fix for the vulnerability, and if so, the package version of the fix.
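Review bot: the deleted page declared front-matter aliases `/scout/reports/` and `/scout/web-app/`, and the navigation hunk later in this change still points at `/scout/dashboard/`; unless the page that now serves `/scout/dashboard/` re-declares those aliases, existing inbound links to the two old URLs will 404. Suggest carrying the `aliases:` block over to the replacement page rather than dropping it with the file.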

View File

@ -1901,12 +1901,12 @@ Manuals:
title: Quickstart
- path: /scout/image-details-view/
title: Image details view
- path: /scout/advanced-image-analysis/
title: Advanced image analysis
- path: /scout/image-analysis/
title: Image analysis
- path: /scout/dashboard/
title: Dashboard
- path: /scout/advisory-db-sources/
title: Advisory Database
title: Advisory database
- path: /scout/data-handling/
title: Data handling
- path: /scout/policy/
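Review bot: changing the nav path from `/scout/advanced-image-analysis/` to `/scout/image-analysis/` renames a public URL, and nothing in this hunk redirects the old one. Make sure the new `image-analysis.md` page declares `aliases: [/scout/advanced-image-analysis/]` (the same mechanism the removed dashboard page used) so bookmarks and third-party links keep resolving. The `Advisory Database` to `Advisory database` change is a good consistency fix; it matches the sentence-case titles of the neighbouring entries.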

View File

@ -1,12 +1,15 @@
{{ $colors := (dict
{{- $colors := (dict
"amber" "bg-amber-light dark:bg-amber-dark"
"blue" "bg-blue-light dark:bg-blue-dark"
"green" "bg-green-light dark:bg-green-dark"
"red" "bg-red-light dark:bg-red-dark"
"violet" "bg-violet-light dark:bg-violet-dark"
)
}}
-}}
{{- if not (isset $colors .color) -}}
{{- errorf "[badge] wrong color name: '%s' - supported values: amber, blue, green, red, violet" .color -}}h
{{- end -}}
<span
class="not-prose px-1 rounded-sm {{ index $colors .color }} text-white text-xs"
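Review bot: there is a stray `h` after the closing `-}}` on the `errorf` line. It sits inside the `if` branch, so it is never rendered (`errorf` aborts the build first), but it is clearly a typo and should be removed so the line ends with `-}}`. The new `isset` guard itself is a good fail-fast check: without it an unknown colour name would index the dict to an empty string and produce a silently unstyled badge instead of a build error.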

View File

@ -16,8 +16,8 @@
>
{{ end }}
<div>
<div class="text-xl text-gray-light-800 leading-snug dark:text-white">
{{ .title }}
<div class="text-xl text-gray-light-800 leading-snug dark:text-white flex items-center gap-2">
{{ markdownify .title }}
</div>
</div>
</div>
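Review bot: `markdownify .title` now runs every card title through the Markdown renderer, so a title containing characters Markdown treats specially (underscores, asterisks, backticks, angle brackets) will be interpreted, and raw HTML in a title passes through to the page. Titles come from the repository's own content, so this is a content-integrity concern rather than an injection one, but it is worth a short template comment stating that `.title` is trusted Markdown, plus a quick check of existing card titles for literal `_` or `*`. The added `flex items-center gap-2` classes are not explained by anything in the hunk; a comment on what they align would help the next maintainer.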

View File

@ -1,6 +1,6 @@
/** @type {import('tailwindcss').Config} */
module.exports = {
content: ["./hugo_stats.json","./layouts/**/*.{html,js}"],
content: ["./hugo_stats.json","./layouts/**/*.{html,js}", "./content/**/*.md"],
darkMode: "class",
theme: {
extend: {
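Review bot: adding `./content/**/*.md` to `content` makes Tailwind's scanner pick up utility classes that appear only in Markdown files (raw HTML or shortcode arguments), which is required for such classes to survive purging, but it is also a non-obvious build-time cost over a large content tree. Suggest a one-line comment explaining why content files are scanned, so the entry is not removed as a cleanup later. Note that the scan only detects class names present as complete literal strings, which the colour dict in the badge template already satisfies.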