mirror of https://github.com/docker/docs.git
scout: add faq about image analysis
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
parent 425db7cb39
commit 8c40cc29f2
@ -14,6 +14,8 @@ platform.
### Image metadata
### Image metadata
Docker Scout collects the following image metadata:
- Image creation timestamp
- Image creation timestamp
- Image digest
- Image digest
- Ports exposed by the image
- Ports exposed by the image
@ -24,8 +26,27 @@ platform.
- Operating system type and version
- Operating system type and version
- Registry URL and type
- Registry URL and type
Image digests are created for each layer of an image when the image is built
and pushed to a registry. They are SHA256 digests of the contents of a layer.
Docker Scout doesn't create the digests; they're read from the image manifest.
The digests are matched against your own private images and Docker's database
of public images to identify images that share the same layers. The image that
shares most of the layers is considered a base image match for the image that's
currently being analyzed.
### SBOM metadata
### SBOM metadata
SBOM metadata is used to match package types and versions with public
vulnerability data to infer whether a package is considered vulnerable.
When the Docker Scout platform receives information from its advisory database
about new CVEs (and other risks, such as leaked secrets), it "overlays" this
information on the SBOM. If there's a match, the results of the match are
displayed in the user interfaces where Docker Scout data is surfaced, such as
the Docker Scout Dashboard and in Docker Desktop.
Docker Scout collects the SBOM metadata:
- Package URLs (PURL)
- Package URLs (PURL)
- Package author and description
- Package author and description
- License IDs
- License IDs
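Review bot: the new digest paragraph ("Image digests are created for each layer of an image") conflates two different values, since the list item above it is the singular "Image digest": the image digest is the SHA256 of the manifest, while the manifest lists a separate digest per layer, so the paragraph should say which one Scout reads from the manifest and which ones it matches across images. The base-image rule ("the image that shares most of the layers is considered a base image match") is a heuristic and should be labelled as one, since shared layers do not prove lineage. Minor: "Docker Scout collects the SBOM metadata:" should read "Docker Scout collects the following SBOM metadata:" to parallel the image-metadata list introduction added in the first hunk.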
@ -36,13 +57,10 @@ platform.
- The type of direct dependency
- The type of direct dependency
- Total package count
- Total package count
SBOM metadata is used to match package types and versions with public
The PURLs in Docker Scout follow the
vulnerability data to infer whether a package is considered vulnerable.
[purl-spec](https://github.com/package-url/purl-spec) specification. Package
When the Docker Scout platform receives information from its advisory database
information is derived from the contents of image, including OS-level programs
about new CVEs (and other risks, such as leaked secrets), it "overlays" this
and packages, and application-level packages such as maven, npm, and so on.
information on the SBOM. If there's a match, the results of the match are
displayed in the user interfaces where Docker Scout data is surfaced, such as
the Docker Scout Dashboard and in Docker Desktop.
### Environment metadata
### Environment metadata
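Review bot: "derived from the contents of image" in the new PURL paragraph is missing an article and should read "derived from the contents of the image"; in the same sentence, "application-level packages such as maven, npm" names package ecosystems rather than packages, so "application-level packages from ecosystems such as Maven and npm" would be accurate. Otherwise moving the SBOM explanation up next to the heading and leaving only the PURL detail here reads well.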