scout-action

Docker Scout GitHub Action

OTHER License

Stars
82
Committers
11


scout-action - v1.13.0 Latest Release

Published by github-actions[bot] 2 months ago

Highlights

  • Add --only-policy filter option to quickview, policy and compare commands.
  • Add --ignore-suppressed filter option to cves and quickview commands to filter out CVEs affected by Scout suppressions.

Bug Fixes / Improvements

  • Use conditional policy name in checks.
  • Enable detection of the Go main module via ldflags.

Contributors

@cdupuis @LaurentGoderre @chrispatrick @felipecruz91

scout-action - v1.12.0

Published by github-actions[bot] 3 months ago

Highlights

  • Only display vulnerabilities from the base image:

    uses: docker/scout-action@v1
    with:
      command: cves
      image: [IMAGE]
      only-base: true
    
  • Account for VEX in quickview command.

    uses: docker/scout-action@v1
    with:
      command: quickview
      image: [IMAGE]
      only-vex-affected: true
      vex-location: ./path/to/my.vex.json
    
  • Account for VEX in cves command (GitHub Actions).

    uses: docker/scout-action@v1
    with:
      command: cves
      image: [IMAGE]
      only-vex-affected: true
      vex-location: ./path/to/my.vex.json
    

Bug Fixes / Improvements

  • Update github.com/docker/docker to v26.1.5+incompatible to fix CVE-2024-41110.
  • Update syft to 1.10.0.

Contributors

@cdupuis @LaurentGoderre @felipecruz91

scout-action - v1.11.0

Published by github-actions[bot] 3 months ago

Highlights

  • Show only CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
    uses: docker/scout-action@v1
    with:
      command: cves
      image: [IMAGE]
      only-cisa-kev: true
    

Bug Fixes / Improvements

  • Allow VEX matching when no subcomponents.
  • Fix panic when attaching an invalid VEX document.
  • Fix SPDX document root.
  • Fix base image detection when the image uses scratch as its base image.

Contributors

@cdupuis @LaurentGoderre @felipecruz91

scout-action - v1.10.0

Published by github-actions[bot] 4 months ago

Bug Fixes / Improvements

  • Fix parsing of image references in SPDX statements for images with a digest.
  • Support sbom:// prefix for image comparison (fixes #43)
    uses: docker/scout-action@v1
    with:
      command: compare
      image: sbom://image1.json
      to: sbom://image2.json
    

Contributors

@cdupuis @LaurentGoderre @mcapell @eunomie @chrispatrick

scout-action - v1.9.3

Published by github-actions[bot] 5 months ago

Bug Fixes

  • Fix a panic while retrieving cached SBOM

Contributor

@cdupuis

scout-action - v1.9.1

Published by github-actions[bot] 5 months ago

General bug fixes and performance improvements

  • Support single-arch images for the attestation-add command.


Contributors

@cdupuis @LaurentGoderre @eunomie @laurazard

scout-action - v1.8.0

Published by github-actions[bot] 6 months ago

Highlights

  • Add a new attestation-add command to the GitHub Action
    It can be used, for instance, to attach VEX documents to images; see the documentation on suppressing image vulnerabilities with VEX.
    uses: docker/scout-action@v1
    with:
      command: attestation-add
      image: IMAGE
      file: in-toto.vex.json
      predicate-type: https://openvex.dev/ns/v0.2.0
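
A worked example, added here and not code from docker/scout-action or Docker, of producing the OpenVEX document that the attestation-add command above and the vex-location input of the cves and quickview commands consume, together with the checks a reviewer should run before shipping it. The image PURL, package PURL, author, document id and timestamp are constructed placeholders, and the suppressed() matcher is a simplified assumption about how a product with and without subcomponents applies to a package, not Scout's implementation.

```python
from datetime import datetime, timezone

# Constructed placeholders: not a real image, package, author or document id.
IMAGE_PURL = "pkg:docker/example/app@1.0.0"
PKG_PURL = "pkg:golang/github.com/example/lib@v1.2.3"
AUTHOR = "security@example.com"
DOC_ID = "https://example.com/vex/app-1.0.0"

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def statement(cve, product_purl, status, *, subcomponents=(),
              justification=None, impact_statement=None):
    """One OpenVEX statement about `cve` for the product `product_purl`;
    `subcomponents` narrows it to specific packages inside that image."""
    product = {"@id": product_purl}
    if subcomponents:
        product["subcomponents"] = [{"@id": p} for p in subcomponents]
    stmt = {"vulnerability": {"name": cve}, "products": [product], "status": status}
    if justification is not None:
        stmt["justification"] = justification
    if impact_statement is not None:
        stmt["impact_statement"] = impact_statement
    return stmt


def document(author, statements, doc_id, timestamp=None):
    """Wrap statements in an OpenVEX v0.2.0 document envelope."""
    ts = timestamp or datetime.now(timezone.utc)
    return {"@context": OPENVEX_CONTEXT, "@id": doc_id, "author": author,
            "timestamp": ts.isoformat(), "version": 1,
            "statements": list(statements)}


def validate(doc):
    """Return a list of problems; empty means the document passes.
    The check that matters most: not_affected must carry a justification
    or an impact_statement, otherwise the suppression has no recorded reason."""
    problems = []
    if doc.get("@context") != OPENVEX_CONTEXT:
        problems.append("unexpected @context")
    for key in ("@id", "author", "timestamp", "version"):
        if key not in doc:
            problems.append(f"missing {key}")
    for i, s in enumerate(doc.get("statements", [])):
        name = s.get("vulnerability", {}).get("name", f"statement {i}")
        status = s.get("status")
        if status not in STATUSES:
            problems.append(f"{name}: invalid status {status!r}")
        if status == "not_affected" and not (s.get("justification") or s.get("impact_statement")):
            problems.append(f"{name}: not_affected needs a justification or impact_statement")
        just = s.get("justification")
        if just is not None and just not in JUSTIFICATIONS:
            problems.append(f"{name}: unknown justification {just!r}")
        if not s.get("products"):
            problems.append(f"{name}: no products")
        for p in s.get("products", []):
            if not str(p.get("@id", "")).startswith("pkg:"):
                problems.append(f"{name}: product @id is not a PURL")
    return problems


def suppressed(doc, image_purl, package_purl):
    """CVEs that not_affected statements suppress for package_purl inside
    image_purl. Assumed, simplified matching (not Scout's implementation):
    a product without subcomponents covers every package in the image,
    one with subcomponents covers only the packages listed."""
    hits = set()
    for s in doc["statements"]:
        if s["status"] != "not_affected":
            continue
        for p in s["products"]:
            if p["@id"] != image_purl:
                continue
            subs = [c["@id"] for c in p.get("subcomponents", [])]
            if not subs or package_purl in subs:
                hits.add(s["vulnerability"]["name"])
    return hits


def example_document():
    """The document a workflow would write to ./path/to/my.vex.json."""
    return document(AUTHOR, [
        # Scoped to one package: only that package's finding is suppressed.
        statement("CVE-2020-8911", IMAGE_PURL, "not_affected",
                  subcomponents=[PKG_PURL],
                  justification="vulnerable_code_not_in_execute_path"),
        # No subcomponents: applies to every package in the image.
        statement("CVE-2020-8912", IMAGE_PURL, "not_affected",
                  impact_statement="constructed example: affected code path is not reachable"),
    ], doc_id=DOC_ID, timestamp=datetime(2024, 9, 1, tzinfo=timezone.utc))
```

Serialise example_document() with json.dumps to the file named in vex-location, or attach it with attestation-add using predicate-type https://openvex.dev/ns/v0.2.0 as in the snippet above. A not_affected statement with no justification fails validate(); that is exactly the statement most likely to slip through review, since it suppresses a finding without saying why.
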
    

Bug Fixes / Improvements

  • Improve format of EPSS score and percentile
    • Before:
      EPSS Score      : 0.000440
      EPSS Percentile : 0.092510
      
    • After:
      EPSS Score      : 0.04%
      EPSS Percentile : 9th percentile
      
  • Fix the cves command when analysing a local file system with markdown output

Contributors

@cdupuis @LaurentGoderre @eunomie

scout-action - v1.7.0

Published by github-actions[bot] 6 months ago

Highlights

  • Allow specifying the format (json, list, spdx) and an output file for the sbom command
    uses: docker/scout-action@v1
    with:
      command: sbom
      image: alpine
      format: list
      output: alpine_package_list.txt
    

Bug Fixes / Improvements

  • Fix adding attestations (such as VEX statements) to a private image
  • Fix image processing for scratch "images"
  • Add classifier for Joomla

Contributors

@cdupuis @eunomie @chrispatrick @LaurentGoderre @pnorton5432

scout-action - v1.6.4

Published by github-actions[bot] 7 months ago

Bug Fix

Fix epoch handling for rpm-based images


Contributor(s)

@cdupuis

scout-action - v1.6.3

Published by github-actions[bot] 7 months ago

Bug Fixes / Improvements

  • Improve package detection to ignore packages that are referenced but not installed

Contributors

@cdupuis

scout-action - v1.6.2

Published by github-actions[bot] 7 months ago

Bug Fixes / Improvements

  • Fix an issue when rendering markdown output using the sbom:// prefix

Contributors

@cdupuis @eunomie @felipecruz91

scout-action - v1.6.1

Published by github-actions[bot] 7 months ago

Highlights

  • Add support for passing in SBOM files in SPDX or in-toto SPDX format
    uses: docker/scout-action@v1
    with:
      command: cves
      image: sbom://alpine.spdx.json
    
  • Add support for SBOM files in syft-json format
    uses: docker/scout-action@v1
    with:
      command: cves
      image: sbom://alpine.syft.json
    

Bug Fixes / Improvements

  • Fix panic when indexing single image oci-dir input
  • Improve local attestation support with the containerd image store

Contributors

@cdupuis @eunomie @chrispatrick @felipecruz91 @dvdksn @pnorton5432

scout-action - v1.5.2

Published by github-actions[bot] 7 months ago

General bug fixes and performance improvements

scout-action - v1.5.1

Published by github-actions[bot] 8 months ago

What's Changed

  • Fix panic on single image oci-dir input by @cdupuis

scout-action - v1.5.0

Published by github-actions[bot] 8 months ago

Highlights

  • Cache SBOM and attestations using the image index digest if one exists
  • Add file hashes/digest when generating SBOMs
  • Upgrade syft to 0.105.0
  • Support local attestations from a containerd image store or OCI export

Bug fixes / Improvements

  • Fix reading the SBOM for gcr.io/distroless images
  • Read the distribution in the SBOM from attestations

scout-action -

Published by eunomie 9 months ago

These notes include changes that are part of v1.4.0

Highlights

  • Update dependencies to address the Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
  • Add an initial VEX document marking CVE-2020-8911 and CVE-2020-8912 as false positives
  • Support cosign SBOM attestations
  • Support for VEX in-toto attestations

Bug fixes / Improvements

  • Fix platform detection when an image index contains linux/arm64/v8 but the local platform is only linux/arm64
  • Fix display of the base image when it is not indexed by Docker Scout but is defined in the provenance attestation (private or non-Docker Trusted Content base images)
    Affects the quickview and recommendations commands
  • Fix panic when an SBOM contains no packages
    Seen especially when using Docker Scout to analyse a local file system, for instance with docker scout cves fs://.
  • Bump Syft to 0.102 to fix Go PURLs with a subpath
  • Add support for subpaths in PURLs
    For instance, for an image containing both github.com/gofiber/template and github.com/gofiber/template/django/v3, the two packages were previously listed under the single name github.com/gofiber/template; both are now identified correctly

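The subpath fix above, as an added example that is not Syft's or Docker Scout's code: a purl-spec parser that keeps the '#' subpath as part of a package's identity, so two packages that share a module path but differ in subpath no longer collapse into one entry. The PURL strings below are constructed to mirror the note's gofiber example; their version strings are made up, not taken from a real SBOM.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed inputs modelled on the release note; versions are made up.
MODULE = "pkg:golang/github.com/gofiber/template@v1.8.0"
SUBMODULE = "pkg:golang/github.com/gofiber/template@v1.8.0#django/v3"


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Tuple[Tuple[str, str], ...]
    subpath: Optional[str]


def _rsplit_once(s: str, sep: str):
    """Split s once from the right on sep; (s, '') when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def parse_purl(s: str) -> Purl:
    """Decode a package URL in purl-spec order: subpath ('#'), qualifiers
    ('?') and version ('@') are split off from the right, then the type
    from the left and the name from the right; the rest is the namespace."""
    if not s.startswith("pkg:"):
        raise ValueError(f"not a purl: {s!r}")
    rest = s[len("pkg:"):].strip("/")
    rest, subpath = _rsplit_once(rest, "#")
    rest, quals = _rsplit_once(rest, "?")
    rest, version = _rsplit_once(rest, "@")
    ptype, _, rest = rest.partition("/")
    if not ptype or not rest:
        raise ValueError(f"purl needs a type and a name: {s!r}")
    parts = rest.split("/")
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[:-1] if p) or None
    qualifiers = []
    for kv in filter(None, quals.split("&")):
        key, _, value = kv.partition("=")
        if value:  # spec: qualifiers with an empty value are dropped
            qualifiers.append((key.lower(), unquote(value)))
    # Subpath segments '.', '..' and empty ones carry no identity per the spec.
    segs = [unquote(seg) for seg in subpath.split("/") if seg not in ("", ".", "..")]
    return Purl(type=ptype.lower(), namespace=namespace, name=name,
                version=unquote(version) or None,
                qualifiers=tuple(sorted(qualifiers)),
                subpath="/".join(segs) or None)


def package_key(purl: str, with_subpath: bool = True):
    """Identity used to de-duplicate packages. with_subpath=False reproduces
    the old behaviour the note describes, where the subpath was ignored."""
    p = parse_purl(purl)
    key = (p.type, p.namespace, p.name, p.version)
    return key + (p.subpath,) if with_subpath else key


def distinct_packages(purls, with_subpath: bool = True):
    """Set of distinct package identities in a list of PURLs."""
    return {package_key(u, with_subpath) for u in purls}
```

With with_subpath=False the two gofiber PURLs produce one identity, which is the collision the note describes; with the subpath kept they are two packages, and any CVE match or VEX statement scoped to one of them stays scoped to that one.
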
scout-action -

Published by eunomie 9 months ago

  • Update syft to v0.100.0
  • Support in-toto envelope layer in attestations
  • Improve display of policy results in case of a boolean policy

scout-action -

Published by cdupuis 11 months ago

What's Changed

  • Fix link rendering growing the column by @cdupuis
  • No cache and docs by @cdupuis
  • Add correlation headers by @cdupuis
  • Allow passing in additional SBOM catalogers by @cdupuis
  • Add No Data link for SonarQube policy by @felipecruz91
  • Policy fixes by @cdupuis

scout-action - v1.2.0

Published by mcapell 11 months ago

What's Changed

  • Display configurable policy names by @felipecruz91
  • Add support for writing SPDX and CycloneDX to file by @cdupuis
  • Support ACR in docker scout repo commands by @velll
  • Docs cli reference refresh by @dvdksn

scout-action - v1.0.9

Published by eunomie about 1 year ago