diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md index 657c77fbb6..60cbefef45 100644 --- a/content/scout/policy/_index.md +++ b/content/scout/policy/_index.md @@ -31,11 +31,11 @@ what vulnerabilities they're exposed to. Policy Evaluation builds on top of the image analysis feature, interpreting the analysis results against the rules defined by policies. -A policy defines one or more criteria that your artifacts should fulfill. For -example, one of the default policies in Docker Scout is the **Critical -vulnerabilities** policy, which requires that your artifacts must not contain -any critical vulnerabilities. If an artifact contains one or more -vulnerabilities with a critical severity, that artifact fails the evaluation. +A policy defines image quality criteria that your artifacts should fulfill. +For example, the **Copyleft licenses** policy flags packages distributed under a copyleft license. +If an image contains a copyleft-licensed package, that image is non-compliant with this policy. +Some policies, such as the **Copyleft licenses** policy, are configurable. +Configurable policies let you adjust the criteria to better match your organization's needs. In Docker Scout, policies are designed to help you ratchet forward your security and supply chain stature. Where other tools focus on providing a pass @@ -55,7 +55,6 @@ image up-to-dateness. Docker Scout ships the following out-of-the-box policies: - [Fixable critical and high vulnerabilities](#fixable-critical-and-high-vulnerabilities) -- [Critical vulnerabilities](#critical-vulnerabilities) - [Copyleft licenses](#copyleft-licenses) - [Outdated base images](#outdated-base-images) - [High-profile vulnerabilities](#high-profile-vulnerabilities) @@ -90,19 +89,6 @@ or high-severity vulnerability, where a fix version is available. You can configure the severity level and age thresholds by creating a custom policy. For more information, see [Configure policies](./configure.md). -### Critical vulnerabilities - -The **Critical vulnerabilities** policy requires that your artifacts contain no -known critical vulnerabilities. The policy is unfulfilled if your artifact -contains one or more critical vulnerabilities. - -This policy flags all critical vulnerabilities, whether or not there's a fix -version available, and regardless of how long it's been since the vulnerability -was first disclosed. - -You can configure the severity level by creating a custom policy, see -[Configure policies](./configure.md). - ### Copyleft licenses The **Copyleft licenses** policy requires that your artifacts don't contain diff --git a/content/scout/policy/view.md b/content/scout/policy/view.md index 29478fb012..db7ae2d8bb 100644 --- a/content/scout/policy/view.md +++ b/content/scout/policy/view.md @@ -83,26 +83,37 @@ $ docker scout policy \ --platform linux/amd64 \ dockerscoutpolicy/email-api-service:0.0.2 -Image reference: dockerscoutpolicy/email-api-service:0.0.2 -Digest: sha256:17b1fde0329c71af302b6391fc73a08f56cb8c33e7eea7a33b61a24cedbf2b69 -Platform: linux/amd64 - -## Overview - -Policy status: FAILED (1/3 policies violated) - - Policy │ Results -─────────────────────────────────────────────────┼──────────────────── - ✓ Critical and high vulnerabilities with fixes │ 0 vulnerabilities - ✗ Critical vulnerabilities │ 1C - ✓ Packages with GPL3+ licenses │ 0 packages + ✓ Pulled + ✓ Policy evaluation results found -## "Critical vulnerabilities" policy evaluation results +​## Overview +​ +​ │ Analyzed Image +​─────────────┼────────────────────────────────────────────── +​ Target │ dockerscoutpolicy/email-api-service:0.0.2 +​ digest │ 17b1fde0329c +​ platform │ linux/amd64 +​ +​ +​## Policies +​ +​Policy status FAILED (2/8 policies met, 3 missing data) +​ +​ Status │ Policy │ Results +​─────────┼───────────────────────────────────────────┼────────────────────────────── +​ ✓ │ Copyleft licenses │ 0 packages +​ ! │ Default non-root user │ +​ ! │ Fixable critical and high vulnerabilities │ 2C 1H 0M 0L +​ ✓ │ High-profile vulnerabilities │ 0C 0H 0M 0L +​ ? │ Outdated base images │ No data +​ │ │ Learn more ↗ +​ ? │ Quality gates passed │ No data +​ │ │ Learn more ↗ +​ ! │ Supply chain attestations │ 2 deviations +​ ? │ Unapproved base images │ No data - Vulnerability │ Severity │ Current package version │ Fix version -─────────────────┼────────────┼─────────────────────────────────────────────────────────────────┼────────────── - CVE-2022-48174 │ CRITICAL │ pkg:apk/alpine/busybox@1.36.1-r0?os_name=alpine&os_version=3.18 │ 1.36.1-r1 +... ``` For more information about the command, refer to the [CLI diff --git a/content/scout/quickstart.md b/content/scout/quickstart.md index 7b6b2aad33..0965ef3321 100644 --- a/content/scout/quickstart.md +++ b/content/scout/quickstart.md @@ -154,12 +154,11 @@ The image is evaluated against the default, out-of-the-box policies. $ docker scout quickview ... -Policy status FAILED (2/7 policies met, 2 missing data) +Policy status FAILED (2/6 policies met, 2 missing data) Status │ Policy │ Results ─────────┼───────────────────────────────────────────┼────────────────────────────── ✓ │ Copyleft licenses │ 0 packages - ! │ Critical vulnerabilities │ 2C 0H 0M 0L ! │ Default non-root user │ ! │ Fixable critical and high vulnerabilities │ 2C 16H 0M 0L ✓ │ High-profile vulnerabilities │ 0C 0H 0M 0L diff --git a/content/scout/release-notes.md b/content/scout/release-notes.md index d082188267..3402e9fa9f 100644 --- a/content/scout/release-notes.md +++ b/content/scout/release-notes.md @@ -16,6 +16,13 @@ for what's coming next. New features and enhancements released in Q1 of 2024. +### 2024-03-14 + +The **All critical vulnerabilities** policy has been removed. +The **Fixable critical and high vulnerabilities** policy provides similar functionality, +and will be updated in the future to allow for more extensive customization, +making the now-removed **All critical vulnerabilities** policy redundant. + ### 2024-01-26 **Azure Container Registry** integration graduated from