scout-action

Docker Scout GitHub Action


scout-action -

Published by eunomie 9 months ago

These notes include changes that are part of v1.4.0.

Highlights

  • Update dependencies to address the Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
  • Add initial VEX document to document the false positives CVE-2020-8911 and CVE-2020-8912
  • Support cosign SBOM attestations
  • Support for VEX in-toto attestations

Bug fixes / Improvements

  • Fix platform detection when an image index contains linux/arm64/v8 but the local platform is only linux/arm64
  • Fix display of the base image when the base image is not indexed by docker scout but is defined in the provenance attestation (for private or non-Docker Trusted Content base images).
    Affects the quickview and recommendations commands.
  • Fix panic when an SBOM contains no packages.
    Especially when using docker scout to analyse a local file system, for instance using docker scout cves fs://.
  • Bump Syft to 102 to fix golang PURLs with subpaths
  • Add support for subpaths in PURLs.
    For instance, for an image containing both packages github.com/gofiber/template and github.com/gofiber/template/django/v3, the two packages were previously visible under the same github.com/gofiber/template name. Now both of them are correctly identified.

scout-action -

Published by eunomie 9 months ago

  • Update syft to v0.100.0
  • Support in-toto envelope layer in attestations
  • Improve display of policy results in case of a boolean policy

scout-action -

Published by cdupuis 11 months ago

What's Changed

  • Fix link rendering growing the column by @cdupuis
  • No cache and docs by @cdupuis
  • Add correlation headers by @cdupuis
  • Allow to pass in additional SBOM catalogers by @cdupuis
  • Add No Data link for SonarQube policy by @felipecruz91
  • Policy fixes by @cdupuis

scout-action - v1.2.0

Published by mcapell 11 months ago

What's Changed

  • Display configurable policy names by @felipecruz91
  • Add support for writing SDPX and CycloneDx to file by @cdupuis
  • Support ACR in docker scout repo commands by @velll
  • Docs cli reference refresh by @dvdksn

scout-action - v1.0.9

Published by eunomie about 1 year ago

scout-action - v1.0.8

Published by cdupuis about 1 year ago

scout-action -

Published by eunomie about 1 year ago

Fix issue when organization is not set but is needed.

Now the GHA will not panic and will print a message when the organization is required, for instance when comparing an image to the one of an environment, or when recording an image to an environment.

- uses: docker/[email protected]
  with:
    command: compare
    image: ${{ steps.meta.outputs.tags }}
    to-env: staging
    organization: my-docker-org
- uses: docker/[email protected]
  with:
    command: environment
    image: ${{ steps.meta.outputs.tags }}
    environment: staging
    organization: my-docker-org

rel: https://github.com/docker/scout-action/issues/14

scout-action -

Published by eunomie about 1 year ago

Environment

Record an image to an environment:

- uses: docker/[email protected]
  with:
    command: environment
    image: ${{ steps.meta.outputs.tags }}
    environment: staging

Compare to environment

Compare an image to the newest one for a specific environment:

- uses: docker/[email protected]
  with:
    command: compare
    image: ${{ steps.meta.outputs.tags }}
    to-env: staging

Namespace of Docker Organization

Indicate the namespace of your Docker organization to match the right data from https://scout.docker.com, for instance when you compare an image that is not on https://hub.docker.com.

- uses: docker/[email protected]
  with:
    command: compare
    image: my-registry-1.example.com/repository:tag
    to-latest: true
    organization: my-docker-org

scout-action -

Published by eunomie about 1 year ago

Please use v0.23.2 or newer, which fixes some issues regarding the organization flag below.

Environment

Record an image to an environment:

- uses: docker/[email protected]
  with:
    command: environment
    image: ${{ steps.meta.outputs.tags }}
    environment: staging

Compare to environment

Compare an image to the newest one for a specific environment:

- uses: docker/[email protected]
  with:
    command: compare
    image: ${{ steps.meta.outputs.tags }}
    to-env: staging

Namespace of Docker Organization

Indicate the namespace of your Docker organization to match the right data from https://scout.docker.com, for instance when you compare an image that is not on https://hub.docker.com.

- uses: docker/[email protected]
  with:
    command: compare
    image: my-registry-1.example.com/repository:tag
    to-latest: true
    organization: my-docker-org

scout-action -

Published by cdupuis about 1 year ago

What's Changed

  • Don't fail docker scout push when base image is unavailable by @cdupuis

scout-action -

Published by cdupuis about 1 year ago

What's Changed

  • Allow docker scout push for local images by @cdupuis

scout-action -

Published by cdupuis about 1 year ago

What's Changed

  • Add --stream to cves and quickview by @cdupuis
  • Add repo url to version hint by @cdupuis
  • GHA README: Add stream example by @mikeparker

New Contributors

  • @mikeparker made their first contribution

scout-action - v0.20.0

Published by mcapell about 1 year ago

What's Changed

  • Fix error handling with missing/invalid attestation by @cdupuis
  • Use OSC 8 hyperlinks by @cdupuis
  • Support for multi-stage SBOMs by @cdupuis

scout-action -

Published by cdupuis over 1 year ago

What's Changed

  • Lowercase image refs for GitHub Action by @mcapell
  • Fix --exit-code on cves command in GitHub Action by @cdupuis
  • Add push command to upload an image to Docker Scout by @cdupuis
  • Require login for GitHub Action and reject CSP accounts by @cdupuis

scout-action - v0.18.1

Published by cdupuis over 1 year ago

What's Changed

  • Correct type in stream help text by @cdupuis

scout-action -

Published by cdupuis over 1 year ago

What's Changed

  • Add recommendations command to GHA by @mcapell
  • Improve output for cves command in GHA by @eunomie

scout-action -

Published by cdupuis over 1 year ago