Merge pull request #19070 from dvdksn/scout-policy-base-image-from-approved-src

scout(policy): Unapproved base images
2024-01-23 21:24:37 +01:00 · 2024-01-23 21:24:37 +01:00 · d176a6c330
parent ebbdd919a3 cf462ad11a
commit d176a6c330
2 changed files with 64 additions and 16 deletions
--- a/content/scout/policy/_index.md
+++ b/content/scout/policy/_index.md
@ -62,6 +62,7 @@ Docker Scout ships the following out-of-the-box policies:
 - [Supply chain attestations](#supply-chain-attestations)
 - [Quality gates passed](#quality-gates-passed)
 - [Default non-root user](#default-non-root-user)
+- [Unapproved base images](#unapproved-base-images)

 To give you a head start, Scout enables several policies by default for your
 Scout-enabled repositories. You can customize the default configurations to
@ -124,22 +125,8 @@ It's unfulfilled when the tag you used to build your image points to a
 different digest than what you're using. If there's a mismatch in digests, that
 means the base image you're using is out of date.

-#### No base image data
-
-There are cases when it's not possible to determine whether or not the base
-image is up-to-date. In such cases, the **Outdated base images** policy
-gets flagged as having **No data**.
-
-This occurs when:
-
- Docker Scout doesn't know what base image tag you used
- The base image version you used has multiple tags, but not all tags are out
-  of date
-
-To make sure that Docker Scout always knows about your base image, you can
-attach [provenance attestations](../../build/attestations/slsa-provenance.md)
-at build-time. Docker Scout uses provenance attestations to find out the base
-image version.
+Your images need provenance attestations for this policy to successfully
+evaluate. For more information, see [No base image data](#no-base-image-data).

 ### High-profile vulnerabilities

@ -283,3 +270,54 @@ ENTRYPOINT ["/app/production"]

 {{< /tab >}}
 {{< /tabs >}}
+
+### Unapproved base images
+
+The **Unapproved base images** policy lets you restrict which base
+images you allow in your builds.
+
+This policy checks whether the base images used in your builds match any of the
+patterns specified in the policy configuration. The following table shows a few
+example patterns for this policy.
+
+| Use case                                                        | Pattern                          |
+| --------------------------------------------------------------- | -------------------------------- |
+| Allow all images from Docker Hub                                | `docker.io/*`                    |
+| Allow all Docker Official Images                                | `docker.io/library/*`            |
+| Allow images from a specific organization                       | `docker.io/orgname/*`            |
+| Allow tags of a specific repository                             | `docker.io/orgname/repository:*` |
+| Allow images on a registry with hostname `registry.example.com` | `registry.example.com/*`         |
+| Allow slim tags of NodeJS images                                | `docker.io/library/node:*-slim`  |
+
+An asterisk (`*`) matches up until the character that follows, or until the end
+of the image reference. Note that the `docker.io` prefix is required in order
+to match Docker Hub images. This is the registry hostname of Docker Hub.
+
+This policy isn't enabled by default. To enable the policy:
+
+1. Go to the [Docker Scout Dashboard](https://scout.docker.com/).
+2. Go to the **Policies** section.
+3. Select the **Unapproved base images** policy in the list.
+4. Enter the patterns that you want to allow.
+5. Select **Save and enable**. The policy is now enabled for your current
+   organization.
+
+Your images need provenance attestations for this policy to successfully
+evaluate. For more information, see [No base image data](#no-base-image-data).
+
+## No base image data
+
+There are cases when it's not possible to determine information about the base
+images used in your builds. In such cases, the **Outdated base images** and
+**Unapproved base images** policies get flagged as having **No data**.
+
+This "no data" state occurs when:
+
+- Docker Scout doesn't know what base image tag you used
+- The base image version you used has multiple tags, but not all tags are out
+  of date
+
+To make sure that Docker Scout always knows about your base image, you can
+attach [provenance attestations](../../build/attestations/slsa-provenance.md)
+at build-time. Docker Scout uses provenance attestations to find out the base
+image version.
--- a/content/scout/release-notes.md
+++ b/content/scout/release-notes.md
@ -12,6 +12,16 @@ the `docker/scout-cli` [GitHub repository](https://github.com/docker/scout-cli/r
 Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1)
 for what's coming next.

+## 2024-01-23
+
+New **Unapproved base images** policy, which lets you restrict which base
+images you allow in your builds. You define the allowed base images using a
+pattern. Base images whose image reference don't match the specified patterns
+cause the policy to fail.
+
+For more information, see
+[Unapproved base images](./policy/_index.md#unapproved-base-images).
+
 ## 2024-01-12

 New **Default non-root user** policy, which flags images that would run as the