docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

scout: remove "All critical vulnerabilities" policy 

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
This commit is contained in:
David Karlsson 2024-03-12 18:14:09 +01:00
parent 096726e895
commit f69bd6c1de
4 changed files with 41 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
content/scout/policy/_index.md
View File

@ -31,11 +31,11 @@ what vulnerabilities they're exposed to. Policy Evaluation builds on top of the
image analysis feature, interpreting the analysis results against the rules
defined by policies.
A policy defines one or more criteria that your artifacts should fulfill. For
example, one of the default policies in Docker Scout is the **Critical
vulnerabilities** policy, which requires that your artifacts must not contain
any critical vulnerabilities. If an artifact contains one or more
vulnerabilities with a critical severity, that artifact fails the evaluation.
A policy defines image quality criteria that your artifacts should fulfill.
For example, the **Copyleft licenses** policy flags packages distributed under a copyleft license.
If an image contains a copyleft-licensed package, that image is non-compliant with this policy.
Some policies, such as the **Copyleft licenses** policy, are configurable.
Configurable policies let you adjust the criteria to better match your organization's needs.
In Docker Scout, policies are designed to help you ratchet forward your
security and supply chain stature. Where other tools focus on providing a pass
@ -55,7 +55,6 @@ image up-to-dateness.
Docker Scout ships the following out-of-the-box policies:
- [Fixable critical and high vulnerabilities](#fixable-critical-and-high-vulnerabilities)
- [Critical vulnerabilities](#critical-vulnerabilities)
- [Copyleft licenses](#copyleft-licenses)
- [Outdated base images](#outdated-base-images)
- [High-profile vulnerabilities](#high-profile-vulnerabilities)
@ -90,19 +89,6 @@ or high-severity vulnerability, where a fix version is available.
You can configure the severity level and age thresholds by creating a custom
policy. For more information, see [Configure policies](./configure.md).
### Critical vulnerabilities
The **Critical vulnerabilities** policy requires that your artifacts contain no
known critical vulnerabilities. The policy is unfulfilled if your artifact
contains one or more critical vulnerabilities.
This policy flags all critical vulnerabilities, whether or not there's a fix
version available, and regardless of how long it's been since the vulnerability
was first disclosed.
You can configure the severity level by creating a custom policy, see
[Configure policies](./configure.md).
### Copyleft licenses
The **Copyleft licenses** policy requires that your artifacts don't contain

45
content/scout/policy/view.md
View File

@ -83,26 +83,37 @@ $ docker scout policy \
--platform linux/amd64 \
dockerscoutpolicy/email-api-service:0.0.2
Image reference: dockerscoutpolicy/email-api-service:0.0.2
Digest: sha256:17b1fde0329c71af302b6391fc73a08f56cb8c33e7eea7a33b61a24cedbf2b69
Platform: linux/amd64
## Overview
Policy status: FAILED (1/3 policies violated)
Policy │ Results
─────────────────────────────────────────────────┼────────────────────
✓ Critical and high vulnerabilities with fixes │ 0 vulnerabilities
✗ Critical vulnerabilities │ 1C
✓ Packages with GPL3+ licenses │ 0 packages
✓ Pulled
✓ Policy evaluation results found
## "Critical vulnerabilities" policy evaluation results
## Overview
│ Analyzed Image
​─────────────┼──────────────────────────────────────────────
Target │ dockerscoutpolicy/email-api-service:0.0.2
digest │ 17b1fde0329c
platform │ linux/amd64
## Policies
Policy status FAILED (2/8 policies met, 3 missing data)
Status │ Policy │ Results
​─────────┼───────────────────────────────────────────┼──────────────────────────────
✓ │ Copyleft licenses │ 0 packages
! │ Default non-root user │
! │ Fixable critical and high vulnerabilities │ 2C 1H 0M 0L
✓ │ High-profile vulnerabilities │ 0C 0H 0M 0L
? │ Outdated base images │ No data
│ │ Learn more ↗
? │ Quality gates passed │ No data
│ │ Learn more ↗
! │ Supply chain attestations │ 2 deviations
? │ Unapproved base images │ No data
Vulnerability │ Severity │ Current package version │ Fix version
─────────────────┼────────────┼─────────────────────────────────────────────────────────────────┼──────────────
CVE-2022-48174 │ CRITICAL │ pkg:apk/alpine/busybox@1.36.1-r0?os_name=alpine&os_version=3.18 │ 1.36.1-r1
...
```
For more information about the command, refer to the [CLI

3
content/scout/quickstart.md
View File

@ -154,12 +154,11 @@ The image is evaluated against the default, out-of-the-box policies.
$ docker scout quickview
...
Policy status FAILED (2/7 policies met, 2 missing data)
Policy status FAILED (2/6 policies met, 2 missing data)
Status │ Policy │ Results
─────────┼───────────────────────────────────────────┼──────────────────────────────
✓ │ Copyleft licenses │ 0 packages
! │ Critical vulnerabilities │ 2C 0H 0M 0L
! │ Default non-root user │
! │ Fixable critical and high vulnerabilities │ 2C 16H 0M 0L
✓ │ High-profile vulnerabilities │ 0C 0H 0M 0L

7
content/scout/release-notes.md
View File

@ -16,6 +16,13 @@ for what's coming next.
New features and enhancements released in Q1 of 2024.
### 2024-03-14
The **All critical vulnerabilities** policy has been removed.
The **Fixable critical and high vulnerabilities** policy provides similar functionality,
and will be updated in the future to allow for more extensive customization,
making the now-removed **All critical vulnerabilities** policy redundant.
### 2024-01-26
**Azure Container Registry** integration graduated from