mirror of https://github.com/docker/docs.git
scout: restructure learning path, add videos
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
This commit is contained in:
parent
51041c705f
commit
e26c7303c2
|
@ -14,7 +14,7 @@ aliases:
|
||||||
params:
|
params:
|
||||||
featured: true
|
featured: true
|
||||||
image: images/learning-paths/scout.png
|
image: images/learning-paths/scout.png
|
||||||
time: 10 minutes
|
time: 20 minutes
|
||||||
resource_links:
|
resource_links:
|
||||||
- title: Docker Scout overview
|
- title: Docker Scout overview
|
||||||
url: /scout/
|
url: /scout/
|
||||||
|
@ -22,8 +22,6 @@ params:
|
||||||
url: /scout/quickstart/
|
url: /scout/quickstart/
|
||||||
- title: Install Docker Scout
|
- title: Install Docker Scout
|
||||||
url: /scout/install/
|
url: /scout/install/
|
||||||
- title: Software Bill of Materials
|
|
||||||
url: /scout/concepts/sbom/
|
|
||||||
---
|
---
|
||||||
|
|
||||||
When container images are insecure, significant risks can arise. Around 60% of
|
When container images are insecure, significant risks can arise. Around 60% of
|
||||||
|
|
|
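Review bot: Removing the "Software Bill of Materials" entry from `resource_links` drops the learning path's only explicit pointer to `/scout/concepts/sbom/`; the URL keeps resolving only because the SBOM page hunk later in this diff adds it as an alias, so if the SBOM page is now meant to be a step of the learning path rather than a sidebar resource, that is fine, otherwise the entry should stay.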
@ -0,0 +1,36 @@
|
||||||
|
---
|
||||||
|
title: Attestations
|
||||||
|
keywords: build, attestations, sbom, provenance, metadata
|
||||||
|
description: |
|
||||||
|
Introduction to SBOM and provenance attestations with Docker Build,
|
||||||
|
what they are, and why they exist
|
||||||
|
weight: 50
|
||||||
|
---
|
||||||
|
|
||||||
|
{{< youtube-embed qOzcycbTs4o >}}
|
||||||
|
|
||||||
|
[Build attestations](/manuals/build/metadata/attestations/_index.md) give you
|
||||||
|
detailed information about how an image was built and what it contains. These
|
||||||
|
attestations, generated by BuildKit during build-time, attach to the final
|
||||||
|
image as metadata, allowing you to inspect an image to see its origin, creator,
|
||||||
|
and contents. This information helps you make informed decisions about the
|
||||||
|
security and impact of the image on your supply chain.
|
||||||
|
|
||||||
|
Docker Scout uses these attestations to evaluate the image's security and
|
||||||
|
supply chain posture, and to provide remediation recommendations for issues. If
|
||||||
|
issues are detected, such as missing or outdated attestations, Docker Scout can
|
||||||
|
guide you on how to add or update them, ensuring compliance and improving
|
||||||
|
visibility into the image's security status.
|
||||||
|
|
||||||
|
There are two key types of attestations:
|
||||||
|
|
||||||
|
- SBOM, which lists the software artifacts within the image.
|
||||||
|
- Provenance, which details how the image was built.
|
||||||
|
|
||||||
|
You can create attestations by using `docker buildx build` with the
|
||||||
|
`--provenance` and `--sbom` flags. Attestations attach to the image index,
|
||||||
|
allowing you to inspect them without pulling the entire image. Docker Scout
|
||||||
|
leverages this metadata to give you more precise recommendations and better
|
||||||
|
control over your image's security.
|
||||||
|
|
||||||
|
<div id="scout-lp-survey-anchor"></div>
|
|
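Review bot: The shortcode `{{< youtube-embed qOzcycbTs4o >}}` passes the video ID unquoted while the other pages touched in this commit quote theirs (`{{< youtube-embed "TkLwJ0p46W8" >}}`); pick one form for consistency. The same ID `qOzcycbTs4o` is also embedded into `manuals/build/metadata/attestations/_index.md` by a later hunk, so readers following the `[Build attestations]` link from this page will see the same video twice; confirm that is intended. The frontmatter also lacks a `linkTitle`, which the demo page in this diff gains.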
@ -1,7 +1,6 @@
|
||||||
---
|
---
|
||||||
title: Common challenges and questions
|
title: Common challenges and questions
|
||||||
description: Explore common challenges and questions related to Docker Scout.
|
description: Explore common challenges and questions related to Docker Scout.
|
||||||
weight: 30
|
|
||||||
---
|
---
|
||||||
|
|
||||||
<!-- vale Docker.HeadingLength = NO -->
|
<!-- vale Docker.HeadingLength = NO -->
|
||||||
|
|
|
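Review bot: Dropping `weight: 30` from this page leaves its position in the learning path to the default sort, while every other page in the path now carries an explicit weight (10, 20, 30, 40, 50, 60). Give it an explicit weight (for example a value above 60) so it deterministically lands after the new Attestations and Remediation pages.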
@ -1,9 +1,12 @@
|
||||||
---
|
---
|
||||||
title: Docker Scout demo
|
title: Docker Scout demo
|
||||||
|
linkTitle: Demo
|
||||||
description: Learn about Docker Scout's powerful features for enhanced supply chain security.
|
description: Learn about Docker Scout's powerful features for enhanced supply chain security.
|
||||||
weight: 20
|
weight: 20
|
||||||
---
|
---
|
||||||
|
|
||||||
|
{{< youtube-embed "TkLwJ0p46W8" >}}
|
||||||
|
|
||||||
Docker Scout has powerful features for enhancing containerized application
|
Docker Scout has powerful features for enhancing containerized application
|
||||||
security and ensuring a robust software supply chain.
|
security and ensuring a robust software supply chain.
|
||||||
|
|
||||||
|
@ -15,6 +18,4 @@ security and ensuring a robust software supply chain.
|
||||||
removing unnecessary packages
|
removing unnecessary packages
|
||||||
- Verify and validate remediation efforts using Docker Scout
|
- Verify and validate remediation efforts using Docker Scout
|
||||||
|
|
||||||
{{< youtube-embed "TkLwJ0p46W8" >}}
|
|
||||||
|
|
||||||
<div id="scout-lp-survey-anchor"></div>
|
<div id="scout-lp-survey-anchor"></div>
|
||||||
|
|
|
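Review bot: The embed is moved from the bottom of the page to directly under the frontmatter rather than duplicated, which matches the placement used by the other learning-path pages in this commit; no change needed.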
@ -0,0 +1,27 @@
|
||||||
|
---
|
||||||
|
title: Remediation
|
||||||
|
description: Learn how Docker Scout can help you improve your software quality automatically, using remediation
|
||||||
|
keywords: scout, supply chain, security, remediation, automation
|
||||||
|
weight: 60
|
||||||
|
---
|
||||||
|
|
||||||
|
{{< youtube-embed jM9zLBf8M-8 >}}
|
||||||
|
|
||||||
|
Docker Scout's [remediation feature](/manuals/scout/policy/remediation.md)
|
||||||
|
helps you address supply chain and security issues by offering tailored
|
||||||
|
recommendations based on policy evaluations. These recommendations guide you in
|
||||||
|
improving policy compliance or enhancing image metadata, allowing Docker Scout
|
||||||
|
to perform more accurate evaluations in the future.
|
||||||
|
|
||||||
|
You can use this feature to ensure that your base images are up-to-date and
|
||||||
|
that your supply chain attestations are complete. When a violation occurs,
|
||||||
|
Docker Scout provides recommended fixes, such as updating your base image or
|
||||||
|
adding missing attestations. If there isn’t enough information to determine
|
||||||
|
compliance, Docker Scout suggests actions to help resolve the issue.
|
||||||
|
|
||||||
|
In the Docker Scout Dashboard, you can view and act on these recommendations by
|
||||||
|
reviewing violations or compliance uncertainties. With integrations like
|
||||||
|
GitHub, you can even automate updates, directly fixing issues from the
|
||||||
|
dashboard.
|
||||||
|
|
||||||
|
<div id="scout-lp-survey-anchor"></div>
|
|
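Review bot: The `description` reads awkwardly and has no terminal punctuation ("improve your software quality automatically, using remediation"); consider "Learn how Docker Scout's remediation recommendations help you fix policy violations and complete image metadata." This page also omits the Beta status that the manuals remediation page carries in its `{{% experimental %}}` block (see the `manuals/scout/policy/remediation.md` hunk in this same diff); a one-line pointer to that caveat would keep the two pages consistent. As with the Attestations page, the video ID is unquoted.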
@ -2,8 +2,13 @@
|
||||||
title: Software supply chain security
|
title: Software supply chain security
|
||||||
description: Learn about software supply chain security (S3C), what it means, and why it is important.
|
description: Learn about software supply chain security (S3C), what it means, and why it is important.
|
||||||
keywords: docker scout, secure, software, supply, chain, security, sssc, sscs, s3c
|
keywords: docker scout, secure, software, supply, chain, security, sssc, sscs, s3c
|
||||||
|
aliases:
|
||||||
|
- /scout/concepts/s3c/
|
||||||
|
weight: 30
|
||||||
---
|
---
|
||||||
|
|
||||||
|
{{< youtube-embed YzNK6E7APv0 >}}
|
||||||
|
|
||||||
The term "software supply chain" refers to the end-to-end process of developing
|
The term "software supply chain" refers to the end-to-end process of developing
|
||||||
and delivering software, from the development to deployment and maintenance.
|
and delivering software, from the development to deployment and maintenance.
|
||||||
Software supply chain security, or "S3C" for short, is the practice for
|
Software supply chain security, or "S3C" for short, is the practice for
|
||||||
|
@ -39,7 +44,7 @@ day where software is built using multiple components from different sources.
|
||||||
Organizations need to have a clear understanding of the software components
|
Organizations need to have a clear understanding of the software components
|
||||||
they use, and the security risks associated with them.
|
they use, and the security risks associated with them.
|
||||||
|
|
||||||
## Docker Scout
|
## How Docker Scout is different
|
||||||
|
|
||||||
Docker Scout is a platform designed to help organizations secure their software
|
Docker Scout is a platform designed to help organizations secure their software
|
||||||
supply chain. It provides tools and services for identifying and managing
|
supply chain. It provides tools and services for identifying and managing
|
||||||
|
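Review bot: Renaming `## Docker Scout` to `## How Docker Scout is different` changes the generated heading anchor from `#docker-scout` to `#how-docker-scout-is-different`; search the docs for inbound fragment links to the old anchor, since aliases cover page paths but not fragments.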
@ -53,9 +58,11 @@ updated risk assessment is available within seconds, and earlier in the
|
||||||
development process.
|
development process.
|
||||||
|
|
||||||
Docker Scout works by analyzing the composition of your images to create a
|
Docker Scout works by analyzing the composition of your images to create a
|
||||||
[Software Bill of Materials (SBOM)](/manuals/scout/concepts/sbom.md). The SBOM is
|
Software Bill of Materials (SBOM). The SBOM is cross-referenced against the
|
||||||
cross-referenced against the security advisories to identify CVEs that affect
|
security advisories to identify CVEs that affect your images. Docker Scout
|
||||||
your images. Docker Scout integrates with [over 20 different security
|
integrates with [over 20 different security
|
||||||
advisories](/manuals/scout/deep-dive/advisory-db-sources.md), and updates its
|
advisories](/manuals/scout/deep-dive/advisory-db-sources.md), and updates its
|
||||||
vulnerability database in real-time. This ensures that your security posture is
|
vulnerability database in real-time. This ensures that your security posture is
|
||||||
represented using the latest available information.
|
represented using the latest available information.
|
||||||
|
|
||||||
|
<div id="scout-lp-survey-anchor"></div>
|
|
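Review bot: The cross-link `[Software Bill of Materials (SBOM)](/manuals/scout/concepts/sbom.md)` is reduced to plain text "Software Bill of Materials (SBOM)", presumably because the SBOM page moves out of `concepts/` in this commit. The page still exists at its new learning-path location (the SBOM hunk adds the `/scout/concepts/sbom/` alias), so update the link target instead of removing the link.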
@ -2,8 +2,13 @@
|
||||||
title: Software Bill of Materials
|
title: Software Bill of Materials
|
||||||
description: Learn about Software Bill of Materials (SBOM) and how Docker Scout uses it.
|
description: Learn about Software Bill of Materials (SBOM) and how Docker Scout uses it.
|
||||||
keywords: scout, sbom, software bill of materials, analysis, composition
|
keywords: scout, sbom, software bill of materials, analysis, composition
|
||||||
|
aliases:
|
||||||
|
- /scout/concepts/sbom/
|
||||||
|
weight: 40
|
||||||
---
|
---
|
||||||
|
|
||||||
|
{{< youtube-embed PbS4y7C7h4A >}}
|
||||||
|
|
||||||
A Bill of Materials (BOM) is a list of materials, parts, and the quantities of
|
A Bill of Materials (BOM) is a list of materials, parts, and the quantities of
|
||||||
each needed to manufacture a product. For example, a BOM for a computer might
|
each needed to manufacture a product. For example, a BOM for a computer might
|
||||||
list the motherboard, CPU, RAM, power supply, storage devices, case, and other
|
list the motherboard, CPU, RAM, power supply, storage devices, case, and other
|
||||||
|
@ -35,16 +40,10 @@ An SBOM typically includes the following information:
|
||||||
|
|
||||||
Docker Scout uses SBOMs to determine the components that are used in a Docker
|
Docker Scout uses SBOMs to determine the components that are used in a Docker
|
||||||
image. When you analyze an image, Docker Scout will either use the SBOM that is
|
image. When you analyze an image, Docker Scout will either use the SBOM that is
|
||||||
attached to the image (using [attestations](/manuals/build/metadata/attestations/_index.md)), or
|
attached to the image as an attestation, or it will generate an SBOM on the fly
|
||||||
it will generate an SBOM on the fly by analyzing the contents of the image.
|
by analyzing the contents of the image.
|
||||||
|
|
||||||
The SBOM is cross-referenced with the [advisory database](/manuals/scout/deep-dive/advisory-db-sources.md)
|
The SBOM is cross-referenced with the [advisory database](/manuals/scout/deep-dive/advisory-db-sources.md)
|
||||||
to determine if any of the components in the image have known vulnerabilities.
|
to determine if any of the components in the image have known vulnerabilities.
|
||||||
|
|
||||||
## Additional resources
|
<div id="scout-lp-survey-anchor"></div>
|
||||||
|
|
||||||
To learn more about generating SBOMs and how SBOMs are used in Docker Scout,
|
|
||||||
see:
|
|
||||||
|
|
||||||
- [Image analysis in Docker Scout](/manuals/scout/explore/analysis.md)
|
|
||||||
- [View and create SBOMs](/manuals/scout/how-tos/view-create-sboms.md)
|
|
|
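Review bot: Deleting the `## Additional resources` section removes this page's only links to image analysis (`/manuals/scout/explore/analysis.md`) and to the how-to for generating SBOMs (`/manuals/scout/how-tos/view-create-sboms.md`), and the same diff also removes the SBOM entry from the learning path's `resource_links`, so a reader has no remaining path from the concept to the procedure. Either keep the two links here or re-add them to `resource_links` in the index frontmatter. Separately, replacing the `[attestations](...)` link with plain text "as an attestation" loses the pointer to the attestations page that this very commit adds to the learning path.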
@ -4,6 +4,8 @@ description: Learn how Docker Scout can help you secure your supply chain.
|
||||||
weight: 10
|
weight: 10
|
||||||
---
|
---
|
||||||
|
|
||||||
|
{{< youtube-embed "-omsQ7Uqyc4" >}}
|
||||||
|
|
||||||
Organizations face significant challenges from data breaches,
|
Organizations face significant challenges from data breaches,
|
||||||
including financial losses, operational disruptions, and long-term damage to
|
including financial losses, operational disruptions, and long-term damage to
|
||||||
brand reputation and customer trust. Docker Scout addresses critical problems
|
brand reputation and customer trust. Docker Scout addresses critical problems
|
||||||
|
@ -22,6 +24,4 @@ development process. It also integrates with popular development tools like
|
||||||
Docker Desktop and GitHub Actions, providing seamless security management and
|
Docker Desktop and GitHub Actions, providing seamless security management and
|
||||||
compliance checks within existing workflows.
|
compliance checks within existing workflows.
|
||||||
|
|
||||||
{{< youtube-embed "-omsQ7Uqyc4" >}}
|
|
||||||
|
|
||||||
<div id="scout-lp-survey-anchor"></div>
|
<div id="scout-lp-survey-anchor"></div>
|
||||||
|
|
|
@ -8,6 +8,8 @@ aliases:
|
||||||
- /build/attestations/
|
- /build/attestations/
|
||||||
---
|
---
|
||||||
|
|
||||||
|
{{< youtube-embed qOzcycbTs4o >}}
|
||||||
|
|
||||||
Build attestations describe how an image was built, and what it contains. The
|
Build attestations describe how an image was built, and what it contains. The
|
||||||
attestations are created at build-time by BuildKit, and become attached to the
|
attestations are created at build-time by BuildKit, and become attached to the
|
||||||
final image as metadata.
|
final image as metadata.
|
||||||
|
|
|
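Review bot: This adds the same video (`qOzcycbTs4o`) that the new learning-path Attestations page embeds, and that page links here; if the duplication is deliberate, fine, otherwise embed it in one place only. The ID is unquoted here as well, unlike the quoted IDs on the demo and index pages.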
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
build:
|
|
||||||
render: never
|
|
||||||
title: Concepts
|
|
||||||
weight: 30
|
|
||||||
---
|
|
|
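Review bot: Deleting `concepts/_index.md` is safe for URLs: the section was `render: never`, so `/scout/concepts/` never produced a page, and the two leaf pages that lived under it receive `/scout/concepts/s3c/` and `/scout/concepts/sbom/` aliases elsewhere in this diff. Worth confirming no other page remained under `concepts/` that would now lose its section.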
@ -8,6 +8,8 @@ keywords: scout, supply chain, security, remediation, automation
|
||||||
Remediation with Docker Scout is currently in [Beta](../../release-lifecycle.md#Beta).
|
Remediation with Docker Scout is currently in [Beta](../../release-lifecycle.md#Beta).
|
||||||
{{% /experimental %}}
|
{{% /experimental %}}
|
||||||
|
|
||||||
|
{{< youtube-embed 7PsZbAsPgsY >}}
|
||||||
|
|
||||||
Docker Scout helps you remediate supply chain or security issues by providing
|
Docker Scout helps you remediate supply chain or security issues by providing
|
||||||
recommendations based on policy evaluation results. Recommendations are
|
recommendations based on policy evaluation results. Recommendations are
|
||||||
suggested actions you can take that improve policy compliance, or that add
|
suggested actions you can take that improve policy compliance, or that add
|
||||||
|
|
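Review bot: The video embedded here (`7PsZbAsPgsY`) differs from the one on the new learning-path Remediation page (`jM9zLBf8M-8`), whereas the two Attestations pages in this diff share one video; confirm both remediation videos are intended and that this one belongs under the Beta notice rather than above it.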