add release notes for docker scout v1.11.0 (#20416)

* Update description of SSC attestations

* add release notes for docker scout v1.11.0

Signed-off-by: felipecruz91 <felipecruz91@hotmail.es>

* Fix version in header

Signed-off-by: felipecruz91 <felipecruz91@hotmail.es>

* Revert --provenance=mode=max change

Signed-off-by: felipecruz91 <felipecruz91@hotmail.es>

---------

Signed-off-by: felipecruz91 <felipecruz91@hotmail.es>
Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com>
Felipe Cruz Martinez 2024-07-25 17:29:41 +02:00 committed by GitHub
parent 0025c66e24
commit ae25eb4b08
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 118 additions and 15 deletions


@ -144,6 +144,16 @@ options:
experimentalcli: false experimentalcli: false
kubernetes: false kubernetes: false
swarm: false swarm: false
- option: only-cisa-kev
value_type: bool
default_value: "false"
description: Filter to CVEs listed in the CISA KEV catalog
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: only-cve-id - option: only-cve-id
value_type: stringSlice value_type: stringSlice
default_value: '[]' default_value: '[]'
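Review bot: the description on the new `only-cisa-kev` option stanza uses the bare acronym "CISA KEV", and this string is what ends up in `--help` output; spell it out once, e.g. `Filter to CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog`, so it matches the wording used in the 1.11.0 release notes and is searchable by users who do not know the abbreviation.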


@ -1,5 +1,5 @@
command: docker scout push command: docker scout push
short: Push an image or image index to Docker Scout (experimental) short: Push an image or image index to Docker Scout
long: | long: |
The `docker scout push` command lets you push an image or analysis result to Docker Scout. The `docker scout push` command lets you push an image or analysis result to Docker Scout.
usage: docker scout push IMAGE usage: docker scout push IMAGE
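Review bot: the `short` text now reads "Push an image or image index to Docker Scout" while the `long` text directly below still says "push an image or analysis result"; now that the experimental tag is dropped and this becomes the stable description, align the two so they name the same inputs the `usage` line accepts.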
@ -15,6 +15,16 @@ options:
experimentalcli: false experimentalcli: false
kubernetes: false kubernetes: false
swarm: false swarm: false
- option: dry-run
value_type: bool
default_value: "false"
description: Do not push the image but process it
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: org - option: org
value_type: string value_type: string
description: Namespace of the Docker organization to which image will be pushed description: Namespace of the Docker organization to which image will be pushed
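Review bot: "Do not push the image but process it" is ambiguous for the new `dry-run` option, since it does not say what "process" means; reword it to state what still happens, e.g. `Analyze the image locally without pushing it to Docker Scout`, and use the same wording in the generated reference table so the YAML source and the rendered docs stay in sync.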
@ -91,7 +101,7 @@ examples: |-
``` ```
deprecated: false deprecated: false
experimental: false experimental: false
experimentalcli: true experimentalcli: false
kubernetes: false kubernetes: false
swarm: false swarm: false
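Review bot: flipping `experimentalcli` from `true` to `false` promotes `docker scout push` to a stable command, but the 1.11.0 release notes added in this same commit only list the CISA KEV filter, new classifiers and bug fixes; add a line under `### New` (or `### Bug fixes and enhancements`) announcing that `docker scout push` is no longer experimental and that `--dry-run` was added, otherwise users have no changelog entry for the behaviour change.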


@ -22,7 +22,7 @@ Command line tool for Docker Scout
| [`help`](scout_help.md) | Display information about the available commands | | [`help`](scout_help.md) | Display information about the available commands |
| [`integration`](scout_integration.md) | Commands to list, configure, and delete Docker Scout integrations | | [`integration`](scout_integration.md) | Commands to list, configure, and delete Docker Scout integrations |
| [`policy`](scout_policy.md) | Evaluate policies against an image and display the policy evaluation results (experimental) | | [`policy`](scout_policy.md) | Evaluate policies against an image and display the policy evaluation results (experimental) |
| [`push`](scout_push.md) | Push an image or image index to Docker Scout (experimental) | | [`push`](scout_push.md) | Push an image or image index to Docker Scout |
| [`quickview`](scout_quickview.md) | Quick overview of an image | | [`quickview`](scout_quickview.md) | Quick overview of an image |
| [`recommendations`](scout_recommendations.md) | Display available base image updates and remediation recommendations | | [`recommendations`](scout_recommendations.md) | Display available base image updates and remediation recommendations |
| [`repo`](scout_repo.md) | Commands to list, enable, and disable Docker Scout on repositories | | [`repo`](scout_repo.md) | Commands to list, enable, and disable Docker Scout on repositories |


@ -21,6 +21,7 @@ Display CVEs identified in a software artifact
| `--ignore-base` | | | Filter out CVEs introduced from base image | | `--ignore-base` | | | Filter out CVEs introduced from base image |
| `--locations` | | | Print package locations including file paths and layer diff_id | | `--locations` | | | Print package locations including file paths and layer diff_id |
| `--multi-stage` | | | Show packages from multi-stage Docker builds | | `--multi-stage` | | | Show packages from multi-stage Docker builds |
| `--only-cisa-kev` | | | Filter to CVEs listed in the CISA KEV catalog |
| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for | | `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
| `--only-fixed` | | | Filter to fixable CVEs | | `--only-fixed` | | | Filter to fixable CVEs |
| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by | | `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |


@ -1,13 +1,14 @@
# docker scout push # docker scout push
<!---MARKER_GEN_START--> <!---MARKER_GEN_START-->
Push an image or image index to Docker Scout (experimental) Push an image or image index to Docker Scout
### Options ### Options
| Name | Type | Default | Description | | Name | Type | Default | Description |
|:-----------------|:---------|:--------|:-------------------------------------------------------------------| |:-----------------|:---------|:--------|:-------------------------------------------------------------------|
| `--author` | `string` | | Name of the author of the image | | `--author` | `string` | | Name of the author of the image |
| `--dry-run` | | | Do not push the image but process it |
| `--org` | `string` | | Namespace of the Docker organization to which image will be pushed | | `--org` | `string` | | Namespace of the Docker organization to which image will be pushed |
| `-o`, `--output` | `string` | | Write the report to a file | | `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to be pushed | | `--platform` | `string` | | Platform of image to be pushed |


@ -3,4 +3,4 @@
# github.com/docker/buildx v0.16.2 # github.com/docker/buildx v0.16.2
# github.com/docker/cli v27.0.3+incompatible # github.com/docker/cli v27.0.3+incompatible
# github.com/docker/compose/v2 v2.29.1 # github.com/docker/compose/v2 v2.29.1
# github.com/docker/scout-cli v1.10.0 # github.com/docker/scout-cli v1.11.0


@ -159,13 +159,45 @@ For more information about
building with attestations, see building with attestations, see
[Attestations](../../build/attestations/_index.md). [Attestations](../../build/attestations/_index.md).
### Quality gates passed
The Quality gates passed policy builds on the [SonarQube
integration](../integrations/code-quality/sonarqube.md) to assess the quality
of your source code. This policy works by ingesting the SonarQube code analysis
results into Docker Scout.
You define the criteria for this policy using SonarQube's [quality
gates](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/).
SonarQube evaluates your source code against the quality gates you've defined
in SonarQube. Docker Scout surfaces the SonarQube assessment as a Docker Scout
policy.
Docker Scout uses [provenance](../../build/attestations/slsa-provenance.md)
attestations or the `org.opencontainers.image.revision` OCI annotation to link
SonarQube analysis results with container images. In addition to enabling the
SonarQube integration, you must also make sure that your images has either the
attestation or the label.
![Git commit SHA links image with SonarQube analysis](../images/scout-sq-commit-sha.webp)
Once you push an image and policy evaluation completes, the results from the
SonarQube quality gates display as a policy in the Docker Scout Dashboard, and
in the CLI.
> **Note**
>
> Docker Scout can only access SonarQube analyses created after the integration
> is enabled. Docker Scout doesn't have access to historic evaluations. Trigger
> a SonarQube analysis and policy evaluation after enabling the integration to
> view the results in Docker Scout.
### Default non-root user ### Default non-root user
By default, containers run as the `root` superuser with full system By default, containers run as the `root` superuser with full system
administration privileges inside the container, unless the Dockerfile specifies administration privileges inside the container, unless the Dockerfile specifies
a different default user. Running containers as a privileged user weakens their a different default user. Running containers as a privileged user weakens their
runtime security, as it means any code that runs in the container can perform runtime security, as it means any code that runs in the container can perform
administrative actions. administrative actions.
The **Default non-root user** policy detects images that are set to run as the The **Default non-root user** policy detects images that are set to run as the
default `root` user. To comply with this policy, images must specify a non-root default `root` user. To comply with this policy, images must specify a non-root
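Review bot: grammar and terminology in the new "Quality gates passed" section need a pass: "make sure that your images has either the attestation or the label" should read "your images have", and "the label" contradicts the preceding sentence, which names the `org.opencontainers.image.revision` OCI annotation (a Dockerfile `LABEL` and an OCI annotation are different pieces of image metadata, so either pick one term or say "label or annotation" explicitly and state which Docker Scout reads). The note block also repeats itself: "Docker Scout doesn't have access to historic evaluations" restates the previous sentence and can be dropped.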


@ -8,6 +8,53 @@ This page contains information about the new features, improvements, known
issues, and bug fixes in the Docker Scout [CLI plugin](https://github.com/docker/scout-cli/) issues, and bug fixes in the Docker Scout [CLI plugin](https://github.com/docker/scout-cli/)
and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-action). and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-action).
## 1.11.0
{{< release-date date="2024-07-25" >}}
### New
- Filter CVEs listed in the CISA Known Exploited Vulnerabilities catalog.
```console {title="CLI"}
$ docker scout cves [IMAGE] --only-cisa-kev
... (cropped output) ...
## Packages and Vulnerabilities
0C 1H 0M 0L io.netty/netty-codec-http2 4.1.97.Final
pkg:maven/io.netty/netty-codec-http2@4.1.97.Final
✗ HIGH CVE-2023-44487 CISA KEV [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2023-44487
Affected range : <4.1.100
Fixed version : 4.1.100.Final
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
... (cropped output) ...
```
```yaml {title="GitHub Action"}
uses: docker/scout-action@v1
with:
command: cves
image: [IMAGE]
only-cisa-kev: true
```
- Add new classifiers:
- `spiped`
- `swift`
- `eclipse-mosquitto`
- `znc`
### Bug fixes and enhancements
- Allow VEX matching when no subcomponents.
- Fix panic when attaching an invalid VEX document.
- Fix SPDX document root.
- Fix base image detection when image uses SCRATCH as the base image.
## 1.10.0 ## 1.10.0
{{< release-date date="2024-06-26" >}} {{< release-date date="2024-06-26" >}}
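Review bot: the bug-fix bullets in the 1.11.0 notes are too terse to be actionable: "Allow VEX matching when no subcomponents" should say what has no subcomponents (e.g. "when the VEX statement lists no subcomponents"), "Fix SPDX document root" should say what was wrong with it, and "SCRATCH" should be written as the Dockerfile reference `scratch`, since that is the literal base image name being detected. In the examples, the CLI snippet keeps `[IMAGE]` as a placeholder while the GitHub Action snippet has `image: [IMAGE]`, which YAML parses as a flow sequence; use a concrete example image in at least the YAML block so it can be copied as-is.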
@ -68,16 +115,16 @@ and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-ac
DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
before_script: before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
# Install curl and the Docker Scout CLI # Install curl and the Docker Scout CLI
- | - |
apk add --update curl apk add --update curl
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
apk del curl apk del curl
rm -rf /var/cache/apk/* rm -rf /var/cache/apk/*
# Login to Docker Hub required for Docker Scout CLI # Login to Docker Hub required for Docker Scout CLI
- echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin
# All branches are tagged with $DOCKER_IMAGE_NAME (defaults to commit ref slug) # All branches are tagged with $DOCKER_IMAGE_NAME (defaults to commit ref slug)
# Default branch is also tagged with `latest` # Default branch is also tagged with `latest`
script: script:
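Review bot: every line in this hunk is identical on both sides, so the change is whitespace-only (most likely re-indentation of the `before_script` block in the GitLab CI example); please confirm the YAML still parses with the `- |` literal block nested under `before_script`, because an indentation shift there silently moves the multi-line install command into a different list without any rendering difference in the docs.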
@ -118,7 +165,7 @@ Discarded in favor of [1.9.1](#191).
### Bug fixes and enhancements ### Bug fixes and enhancements
- Improve format of EPSS score and percentile. - Improve format of EPSS score and percentile.
Before: Before:
```text ```text
@ -249,7 +296,7 @@ Discarded in favor of [1.9.1](#191).
### Bug fixes and enhancements ### Bug fixes and enhancements
- Use Windows cache from WSL2 - Use Windows cache from WSL2
When inside WSL2 with Docker Desktop running, the Docker Scout CLI plugin now When inside WSL2 with Docker Desktop running, the Docker Scout CLI plugin now
uses the cache from Windows. That way, if an image has been indexed for uses the cache from Windows. That way, if an image has been indexed for
instance by Docker Desktop there's no need anymore to re-index it on WSL2 instance by Docker Desktop there's no need anymore to re-index it on WSL2

4
go.mod

@ -8,7 +8,7 @@ require (
github.com/docker/buildx v0.16.2 // indirect github.com/docker/buildx v0.16.2 // indirect
github.com/docker/cli v27.0.3+incompatible // indirect github.com/docker/cli v27.0.3+incompatible // indirect
github.com/docker/compose/v2 v2.29.1 // indirect github.com/docker/compose/v2 v2.29.1 // indirect
github.com/docker/scout-cli v1.10.0 // indirect github.com/docker/scout-cli v1.11.0 // indirect
github.com/moby/buildkit v0.15.1 // indirect github.com/moby/buildkit v0.15.1 // indirect
github.com/moby/moby v27.0.3+incompatible // indirect github.com/moby/moby v27.0.3+incompatible // indirect
) )
@ -17,7 +17,7 @@ replace (
github.com/docker/buildx => github.com/docker/buildx v0.16.2 github.com/docker/buildx => github.com/docker/buildx v0.16.2
github.com/docker/cli => github.com/docker/cli v27.0.3+incompatible github.com/docker/cli => github.com/docker/cli v27.0.3+incompatible
github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.29.0 github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.29.0
github.com/docker/scout-cli => github.com/docker/scout-cli v1.10.0 github.com/docker/scout-cli => github.com/docker/scout-cli v1.11.0
github.com/moby/buildkit => github.com/moby/buildkit v0.14.0-rc2.0.20240611065153-eed17a45c62b github.com/moby/buildkit => github.com/moby/buildkit v0.14.0-rc2.0.20240611065153-eed17a45c62b
github.com/moby/moby => github.com/moby/moby v27.0.3+incompatible github.com/moby/moby => github.com/moby/moby v27.0.3+incompatible
) )
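Review bot: the `replace` directive for `github.com/docker/compose/v2` still pins v2.29.0 while the `require` block in the hunk above lists v2.29.1; the replace wins at build time, so the docs are built against v2.29.0. This mismatch predates the change, but since this commit edits the neighbouring `scout-cli` line in both blocks, it is the natural moment to reconcile the two versions.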

2
go.sum

@ -200,6 +200,8 @@ github.com/docker/scout-cli v1.9.3 h1:u3lKQ7A1EvT3qNe5lR2c8dTNcAGIoSmH8HvSYarLlJ
github.com/docker/scout-cli v1.9.3/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc= github.com/docker/scout-cli v1.9.3/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/docker/scout-cli v1.10.0 h1:C8Gm+6Oc7NqhtZ/UoACv3N2LaP1jqkhlIDRhBOqMBng= github.com/docker/scout-cli v1.10.0 h1:C8Gm+6Oc7NqhtZ/UoACv3N2LaP1jqkhlIDRhBOqMBng=
github.com/docker/scout-cli v1.10.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc= github.com/docker/scout-cli v1.10.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/docker/scout-cli v1.11.0 h1:I310kNhjw3oeKe8T1cQEh6yPgy6VtpuwzjWchETn8KU=
github.com/docker/scout-cli v1.11.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
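Review bot: the new v1.11.0 `/go.mod` hash is identical to the v1.10.0 and v1.9.3 entries, which is expected when the module's own go.mod did not change between releases, so nothing to fix there; however the v1.10.0 entries are left in place even though go.mod no longer references that version. Run `go mod tidy` to prune them, or note that the stale entries are intentionally retained.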