docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20792 from dvdksn/scout-org-policy-scores 

scout: scores now based on org policy config
This commit is contained in:
David Karlsson 2024-09-09 18:32:24 +02:00 committed by GitHub
parent 3cc95a27be bd0a846f25
commit ccc4db3779
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 43 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
content/manuals/scout/policy/scores.md
View File

@ -51,18 +51,32 @@ along with each policy that contributed to the score.
## Scoring system ## Scoring system
Health scores are determined by evaluating images against a set of Docker Scout Health scores are determined by evaluating images against Docker Scout
[policies](./_index.md). These policies align with best practices for [policies](./_index.md). These policies align with best practices for
the software supply chain and are recommended by Docker as foundational the software supply chain and are recommended by Docker as foundational
standards for images. standards for images. Some examples of these policies include:
- **Supply chain attestations**: Images should have supply chain attestations.
- **No outdated base images**: Images should not use outdated base images.
- **No AGPL v3 licenses**: Images should not contain AGPL v3-licensed packages.
If your image repositories are already enrolled with Docker Scout, the health
score is calculated automatically based on the policies that are enabled for
your organization. This also includes any custom policies that you have
configured.
If you're not using Docker Scout, the health scores show the compliance of your
images with the default, [out-of-the-box policies](/manuals/scout/policy/_index.md#out-of-the-box-policies).
You can enable Docker Scout for your organization to get a more relevant health
score based on your specific policies.
### Scoring process
Each policy is assigned a points value. If the image is compliant with a Each policy is assigned a points value. If the image is compliant with a
policy, it is awarded the points value for that policy. The health score of an policy, it is awarded the points value for that policy. The health score of an
image is calculated based on the percentage of points achieved relative to the image is calculated based on the percentage of points achieved relative to the
total possible points. total possible points.
### Scoring process
1. Policy compliance is evaluated for the image. 1. Policy compliance is evaluated for the image.
2. Points are awarded based on adherence to these policies. 2. Points are awarded based on adherence to these policies.
3. The points achieved percentage is calculated: 3. The points achieved percentage is calculated:
@ -102,15 +116,18 @@ If you see an `N/A` score, consider the following:
The policies that influence the score, and their respective weights, are as follows: The policies that influence the score, and their respective weights, are as follows:
| Policy | Points | | Policy | Points |
| ---------------------------------------------------------------------------------------------------------- | ------ | | -------------------------------------------------------------------------------------------------------------------------- | ------ |
| [No fixable critical or high vulnerabilities](/scout/policy#no-fixable-critical-or-high-vulnerabilities) | 20 | | [No fixable critical or high vulnerabilities](/manuals/scout/policy/_index.md#no-fixable-critical-or-high-vulnerabilities) | 20 |
| [No high-profile vulnerabilities](/scout/policy#no-high-profile-vulnerabilities) | 20 | | [No high-profile vulnerabilities](/manuals/scout/policy/_index.md#no-high-profile-vulnerabilities) | 20 |
| [Supply chain attestations](/scout/policy#supply-chain-attestations) | 15 | | [Supply chain attestations](/manuals/scout/policy/_index.md#supply-chain-attestations) | 15 |
| [No unapproved base images](/scout/policy/#no-unapproved-base-images) | 15 | | [No unapproved base images](/manuals/scout/policy/_index.md#no-unapproved-base-images) | 15 |
| [No outdated base images](/scout/policy#no-outdated-base-images) | 10 | | [No outdated base images](/manuals/scout/policy/_index.md#no-outdated-base-images) | 10 |
| [Default non-root user](/scout/policy#default-non-root-user) | 5 | | [SonarQube quality gates passed](/manuals/scout/policy/_index.md#sonarqube-quality-gates-passed) \* | 10 |
| [No AGPL v3 licenses](/manuals/scout/policy/_index.md#no-agpl-v3-licenses) | 5 | | [Default non-root user](/manuals/scout/policy/_index.md#default-non-root-user) | 5 |
| [No AGPL v3 licenses](/manuals/scout/policy/_index.md#no-agpl-v3-licenses) | 5 |
\* _This policy is not enabled by default and must be configured by the user._
### Evaluation ### Evaluation

13
content/manuals/scout/release-notes/platform.md
View File

@ -20,6 +20,19 @@ for what's coming next.
New features and enhancements released in the third quarter of 2024. New features and enhancements released in the third quarter of 2024.
### 2024-09-05
This release changes how [health scores](/manuals/scout/policy/scores.md) are
calculated in Docker Scout. The health score calculation now considers optional
and custom policies that you have configured for your organization.
This means that if you have enabled, disabled, or customized any of the default
policies, Docker Scout will now take those policies into account when
calculating the health score for your organization's images.
If you haven't yet enabled Docker Scout for your organization, the health score
calculation will be based on the out-of-the-box policies.
### 2024-08-13 ### 2024-08-13
This release changes the out-of-the-box policies to align with the policy This release changes the out-of-the-box policies to align with the policy