diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md index 40287558bd..e3b63c31b2 100644 --- a/content/scout/policy/_index.md +++ b/content/scout/policy/_index.md @@ -59,9 +59,7 @@ Docker Scout ships the following out-of-the-box policies: - [Outdated base images](#outdated-base-images) - [High-profile vulnerabilities](#high-profile-vulnerabilities) - [Supply chain attestations](#supply-chain-attestations) -- [Quality gates passed](#quality-gates-passed) - [Default non-root user](#default-non-root-user) -- [Unapproved base images](#unapproved-base-images) To give you a head start, Scout enables several policies by default for your Scout-enabled repositories. You can customize the default configurations to @@ -69,6 +67,9 @@ reflect internal requirements and standards. You can also disable a policy altogether if it isn't relevant to you. For more information, see [Configure policies](./configure.md). +There's also a set of [additional policies](#additional-policies) that can be +optionally enabled for repositories. + ### Fixable critical and high vulnerabilities The **Fixable critical and high vulnerabilities** policy requires that your 
@@ -158,38 +159,6 @@ For more information about building with attestations, see [Attestations](../../build/attestations/_index.md). -### Quality gates passed - -The Quality gates passed policy builds on the [SonarQube -integration](../integrations/code-quality/sonarqube.md) to assess the quality -of your source code. This policy works by ingesting the SonarQube code analysis -results into Docker Scout. - -You define the criteria for this policy using SonarQube's [quality -gates](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/). -SonarQube evaluates your source code against the quality gates you've defined -in SonarQube. Docker Scout surfaces the SonarQube assessment as a Docker Scout -policy. - -Docker Scout uses [provenance](../../build/attestations/slsa-provenance.md) -attestations or the `org.opencontainers.image.revision` OCI annotation to link -SonarQube analysis results with container images. In addition to enabling the -SonarQube integration, you must also make sure that your images has either the -attestation or the label. - -![Git commit SHA links image with SonarQube analysis](../images/scout-sq-commit-sha.webp) - -Once you push an image and policy evaluation completes, the results from the -SonarQube quality gates display as a policy in the Docker Scout Dashboard, and -in the CLI. - -> **Note** -> -> Docker Scout can only access SonarQube analyses created after the integration -> is enabled. Docker Scout doesn't have access to historic evaluations. Trigger -> a SonarQube analysis and policy evaluation after enabling the integration to -> view the results in Docker Scout. - ### Default non-root user By default, containers run as the `root` superuser with full system @@ -209,6 +178,7 @@ policy violations caused by images where the `root` user is implicit, and images where `root` is set on purpose. The following Dockerfile runs as `root` by default despite not being explicitly set: + ```Dockerfile FROM alpine RUN echo "Hi" 
@@ -266,6 +236,16 @@ ENTRYPOINT ["/app/production"] {{< /tab >}} {{< /tabs >}} +## Additional policies + +In addition to the [out-of-the-box policies](#out-of-the-box-policies) enabled +by default, Docker Scout supports the following optional policies. Before you +can enable these policies, you need to either configure the policies, or +configure the integration that the policy requires. + +- [Unapproved base images](#unapproved-base-images) +- [Quality gates passed](#quality-gates-passed) + ### Unapproved base images The **Unapproved base images** policy lets you restrict which base 
@@ -317,6 +297,38 @@ This policy isn't enabled by default. To enable the policy: Your images need provenance attestations for this policy to successfully evaluate. For more information, see [No base image data](#no-base-image-data). +### Quality gates passed + +The Quality gates passed policy builds on the [SonarQube +integration](../integrations/code-quality/sonarqube.md) to assess the quality +of your source code. This policy works by ingesting the SonarQube code analysis +results into Docker Scout. + +You define the criteria for this policy using SonarQube's [quality +gates](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/). +SonarQube evaluates your source code against the quality gates you've defined +in SonarQube. Docker Scout surfaces the SonarQube assessment as a Docker Scout +policy. + +Docker Scout uses [provenance](../../build/attestations/slsa-provenance.md) +attestations or the `org.opencontainers.image.revision` OCI annotation to link +SonarQube analysis results with container images. In addition to enabling the +SonarQube integration, you must also make sure that your images have either the +attestation or the label. + +![Git commit SHA links image with SonarQube analysis](../images/scout-sq-commit-sha.webp) + +Once you push an image and policy evaluation completes, the results from the +SonarQube quality gates display as a policy in the Docker Scout Dashboard, and +in the CLI. + +> **Note** +> +> Docker Scout can only access SonarQube analyses created after the integration +> is enabled. Docker Scout doesn't have access to historic evaluations. Trigger +> a SonarQube analysis and policy evaluation after enabling the integration to +> view the results in Docker Scout. + ## No base image data There are cases when it's not possible to determine information about the base
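Review bot: in the @@ -69,6 +67,9 hunk, "can be optionally enabled for repositories" reads better as "can optionally be enabled per repository"; also, the new `#additional-policies` anchor only resolves once the `## Additional policies` heading from the @@ -266,6 hunk lands, so the two hunks must ship together rather than being split across commits.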
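Review bot: the @@ -158,38 hunk is a pure move of the Quality gates passed section, but the copy re-added in @@ -317,6 silently changes "your images has either the attestation" to "your images have either the attestation"; that grammar fix is welcome and worth a mention in the commit message so the move is not mistaken for a no-op. The blank line inserted before the ```Dockerfile fence in @@ -209,6 is a correct Markdown fix (fenced blocks need a separating blank line to render reliably).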
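Review bot: in the new `## Additional policies` intro, "you need to either configure the policies, or configure the integration that the policy requires" mixes plural and singular and misplaces the comma; suggest "you need to either configure the policy or set up the integration it requires." Since the two listed policies differ on exactly this point (Unapproved base images needs configuration, Quality gates passed needs the SonarQube integration), consider stating which applies to each entry in the list.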
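Review bot: the re-added section opens with "The Quality gates passed policy" while the sibling section uses "The **Unapproved base images** policy"; bold the name for consistency. The same section calls the link key an "OCI annotation" in one sentence and "the label" in the next; pick one term, since `org.opencontainers.image.revision` can be set as either an image label or a manifest annotation and readers need to know which Scout reads. Finally, Unapproved base images states "This policy isn't enabled by default. To enable the policy:" with steps, whereas this section gives no enable instructions beyond the integration link; a matching sentence would keep the two additional policies consistent.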