docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

scout: update out-of-the-box policy definition 

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
This commit is contained in:
David Karlsson 2024-05-27 10:01:21 +02:00
parent e08d1e77a7
commit 8d56e12bc0
1 changed files with 46 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
content/scout/policy/_index.md
View File

@ -59,9 +59,7 @@ Docker Scout ships the following out-of-the-box policies:
- [Outdated base images](#outdated-base-images)
- [High-profile vulnerabilities](#high-profile-vulnerabilities)
- [Supply chain attestations](#supply-chain-attestations)
- [Quality gates passed](#quality-gates-passed)
- [Default non-root user](#default-non-root-user)
- [Unapproved base images](#unapproved-base-images)
To give you a head start, Scout enables several policies by default for your
Scout-enabled repositories. You can customize the default configurations to
@ -69,6 +67,9 @@ reflect internal requirements and standards. You can also disable a policy
altogether if it isn't relevant to you. For more information, see [Configure
policies](./configure.md).
There's also a set of [additional policies](#additional-policies) that can be
optionally enabled for repositories.
### Fixable critical and high vulnerabilities
The **Fixable critical and high vulnerabilities** policy requires that your
@ -158,38 +159,6 @@ For more information about
building with attestations, see
[Attestations](../../build/attestations/_index.md).
### Quality gates passed
The Quality gates passed policy builds on the [SonarQube
integration](../integrations/code-quality/sonarqube.md) to assess the quality
of your source code. This policy works by ingesting the SonarQube code analysis
results into Docker Scout.
You define the criteria for this policy using SonarQube's [quality
gates](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/).
SonarQube evaluates your source code against the quality gates you've defined
in SonarQube. Docker Scout surfaces the SonarQube assessment as a Docker Scout
policy.
Docker Scout uses [provenance](../../build/attestations/slsa-provenance.md)
attestations or the `org.opencontainers.image.revision` OCI annotation to link
SonarQube analysis results with container images. In addition to enabling the
SonarQube integration, you must also make sure that your images has either the
attestation or the label.
![Git commit SHA links image with SonarQube analysis](../images/scout-sq-commit-sha.webp)
Once you push an image and policy evaluation completes, the results from the
SonarQube quality gates display as a policy in the Docker Scout Dashboard, and
in the CLI.
> **Note**
>
> Docker Scout can only access SonarQube analyses created after the integration
> is enabled. Docker Scout doesn't have access to historic evaluations. Trigger
> a SonarQube analysis and policy evaluation after enabling the integration to
> view the results in Docker Scout.
### Default non-root user
By default, containers run as the `root` superuser with full system
@ -209,6 +178,7 @@ policy violations caused by images where the `root` user is implicit, and
images where `root` is set on purpose.
The following Dockerfile runs as `root` by default despite not being explicitly set:
```Dockerfile
FROM alpine
RUN echo "Hi"
@ -266,6 +236,16 @@ ENTRYPOINT ["/app/production"]
{{< /tab >}}
{{< /tabs >}}
## Additional policies
In addition to the [out-of-the-box policies](#out-of-the-box-policies) enabled
by default, Docker Scout supports the following optional policies. Before you
can enable these policies, you need to either configure the policies, or
configure the integration that the policy requires.
- [Unapproved base images](#unapproved-base-images)
- [Quality gates passed](#quality-gates-passed)
### Unapproved base images
The **Unapproved base images** policy lets you restrict which base
@ -317,6 +297,38 @@ This policy isn't enabled by default. To enable the policy:
Your images need provenance attestations for this policy to successfully
evaluate. For more information, see [No base image data](#no-base-image-data).
### Quality gates passed
The Quality gates passed policy builds on the [SonarQube
integration](../integrations/code-quality/sonarqube.md) to assess the quality
of your source code. This policy works by ingesting the SonarQube code analysis
results into Docker Scout.
You define the criteria for this policy using SonarQube's [quality
gates](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/).
SonarQube evaluates your source code against the quality gates you've defined
in SonarQube. Docker Scout surfaces the SonarQube assessment as a Docker Scout
policy.
Docker Scout uses [provenance](../../build/attestations/slsa-provenance.md)
attestations or the `org.opencontainers.image.revision` OCI annotation to link
SonarQube analysis results with container images. In addition to enabling the
SonarQube integration, you must also make sure that your images have either the
attestation or the label.
![Git commit SHA links image with SonarQube analysis](../images/scout-sq-commit-sha.webp)
Once you push an image and policy evaluation completes, the results from the
SonarQube quality gates display as a policy in the Docker Scout Dashboard, and
in the CLI.
> **Note**
>
> Docker Scout can only access SonarQube analyses created after the integration
> is enabled. Docker Scout doesn't have access to historic evaluations. Trigger
> a SonarQube analysis and policy evaluation after enabling the integration to
> view the results in Docker Scout.
## No base image data
There are cases when it's not possible to determine information about the base