scout-cli

Highlights

• Add --only-policy filter option to quickview, policy and compare commands.
• Add --ignore-suppressed filter option to cves and quickview commands to filter out CVEs affected by Scout suppressions.

Bug Fixes / Improvements

• Use conditional policy name in checks.
• Enable detection golang main module via ldflags.

Contributors

Highlights

• Only display vulnerabilities from the base image:

  $ docker scout cves --only-base IMAGE
  

• Account for VEX in quickview command.

  $ docker scout quickview IMAGE --only-vex-affected --vex-location ./path/to/my.vex.json
  

  uses: docker/scout-action@v1
  with:
    command: quickview
    image: [IMAGE]
    only-vex-affected: true
    vex-location: ./path/to/my.vex.json
  

• Account for VEX in cves command (GitHub Actions).

  uses: docker/scout-action@v1
  with:
    command: cves
    image: [IMAGE]
    only-vex-affected: true
    vex-location: ./path/to/my.vex.json
  

Bug Fixes / Improvements

• Update github.com/docker/docker to v26.1.5+incompatible to fix CVE-2024-41110.
• Update syft to 1.10.0.

Contributors

Highlights

• Filter CVEs listed in the CISA Known Exploited Vulnerabilities catalog.

  $ docker scout cves [IMAGE] --only-cisa-kev
  
  ... (cropped output) ...
  ## Packages and Vulnerabilities
  
  0C     1H     0M     0L  io.netty/netty-codec-http2 4.1.97.Final
  pkg:maven/io.netty/[email protected]
  
  ✗ HIGH CVE-2023-44487  CISA KEV  [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
    https://scout.docker.com/v/CVE-2023-44487
    Affected range  : <4.1.100
    Fixed version   : 4.1.100.Final
    CVSS Score      : 7.5
    CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  ... (cropped output) ...
  

• Add --dry-run flag for docker scout push command to not push the image but process it.

• Switch to Scout v2 manifest format (application/vnd.scout.manifest.v2+json) using base64-encoded objects.

• Add new binary classifiers for spiped, swift, eclipse-mosquitto and znc.

Bug Fixes / Improvements

• Allow VEX matching when no subcomponents.
• Fix panic when attaching an invalid VEX document.
• Fix SPDX document root.
• Fix base image detection when image uses SCRATCH as the base image.

Contributors

Bug Fixes / Improvements

• Add new classifiers for irssi, Backdrop, CrateDB CLI (Crash), monica, Openliberty, dumb-init, friendica, redmine
• Fix whitespace only originator on package breaking buildkit exporters
• Fix parsing image references in SPDX statement for images with a digest
• Support sbom:// prefix for image comparison

  $ docker scout compare sbom://image1.json --to sbom://image2.json
  

Contributors

Bug Fixes

• Fix a panic while retrieving cached SBOM

Contributor

Highlights

• Add support for the GitLab container scanning file format with --format gitlab on docker scout cves command
  Here is a pipeline example:

     docker-build:
    # Use the official docker image.
    image: docker:cli
    stage: build
    services:
      - docker:dind
    variables:
      DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    before_script:
      - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
         
      # Install curl and the Docker Scout CLI
      - |
        apk add --update curl
        curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- 
        apk del curl 
        rm -rf /var/cache/apk/* 
      # Login to Docker Hub required for Docker Scout CLI
      - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin
  
    # All branches are tagged with $DOCKER_IMAGE_NAME (defaults to commit ref slug)
    # Default branch is also tagged with `latest`
    script:
      - docker buildx b --pull -t "$DOCKER_IMAGE_NAME" .
      - docker scout cves "$DOCKER_IMAGE_NAME" --format gitlab --output gl-container-scanning-report.json
      - docker push "$DOCKER_IMAGE_NAME"
      - |
        if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
          docker tag "$DOCKER_IMAGE_NAME" "$CI_REGISTRY_IMAGE:latest"
          docker push "$CI_REGISTRY_IMAGE:latest"
        fi
    # Run this job in a branch where a Dockerfile exists
    rules:
      - if: $CI_COMMIT_BRANCH
        exists:
          - Dockerfile
    artifacts:
      reports:
        container_scanning: gl-container-scanning-report.json
  

Bug Fixes / Improvements

• Support single arch images for docker scout attest add command
• Indicate if an image provenance has not been created using max mode on docker scout quickview and docker scout recommendations commands.
  Without max mode, base image might be auto-detected and might result in less accurate results.

Contributors

Bug Fixes / Improvements

• Improve format of EPSS score and percentile
  • Before:

    EPSS Score      : 0.000440
    EPSS Percentile : 0.092510
    

  • After:

    EPSS Score      : 0.04%
    EPSS Percentile : 9th percentile
    

• Fix cves command when used to analyse a local file system with a markdown output. See https://github.com/docker/scout-cli/issues/113

Contributors

Highlights

• docker scout push command: index an image then push the resulting SBOM to Docker Scout

Bug Fixes / Improvements

• Fix adding attestation (like vex statements) to a private image
• fix image processing for scratch "images"
• docker scout sbom:// can read Scout's SBOM

  $ docker scout sbom IMAGE | docker scout qv sbom://
  

• Add classifier for Joomla

Contributors

Bug Fix

Fix epoch handling for rpm-based images

Contributor(s)

Bug Fixes / Improvements

• improve package detection to ignore referenced but not installed packages

Contributors

Highlights

• EPSS data are now fetch backend side so the CLI doesn't need anymore to fetch them locally.
  In comparison to v1.6.0 --epss-date parameter has been removed and docker scout cache prune --epss has been removed.

Bug Fixes / Improvements

• fix an issue when rendering markdown output using sbom:// prefix

Contributors

Highlights

• Add support for passing in SBOM files in SDPX or in-toto SDPX format

  $ docker scout cves sbom://path/to/sbom.spdx.json
  

• Add support for SBOM files in syft-json format

  $ docker scout cves sbom://path/to/sbom.syft.json
  

• Reads sbom files from the standard input

  $ syft -o json alpine | docker scout cves sbom://
  

• Prioritise CVEs by EPSS score
  • --epss to display and prioritise the CVEs
  • --epss-score and --epss-percentile to filter by score and percentile
  • prune cached EPSS files with

    $ docker scout cache prune --epss
    

• Use Windows cache from WSL2
  When inside WSL2 with Docker Desktop running, the docker scout CLI will now use the cache from Windows side. That way if an image has been indexed for instance by Docker Desktop there's no need anymore to re-index it on WSL2 side.

Bug Fixes / Improvements

• Fix panic when indexing single image oci-dir input
• Improve local attestation support with the containerd image store

Contributors

General bug fixes and performance improvements

What's Changed

• Fix panic on single image oci-dir input by @cdupuis

Highlights

• Cache SBOM and attestations using the image index digest if exists
• Add file hashes/digest when generating SBOMs
• Upgrade syft to 0.105.0
• Process OpenVEX document before attaching to image to move subcomponents into product, product into subject
• Support local attestations from a containerd image store or OCI export

Bug fixes / Improvements

• fix reading SBOM for gcr.io/distroless images
• read distribution in SBOM from attestations
• fix docker scout push with an image reference containing a prefix like registry://

These notes include changes part of v1.4.0

Highlights

• Update dependencies to address Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
• Add initial VEX document to document false positive CVE-2020-8911 and CVE-2020-8912
• Support cosign SBOM attestations
• Support for VEX in-toto attestations

Bug fixes / Improvements

• Fix order and case of details column headers in the policy deviation details tables
• Fix platform detection when an image index contains linux/arm64/v8 but the local platform is only linux/arm64
• Fix display of the base image in case the base image is not indexed by docker scout but defined in the provenance attestation (for private or non Docker Trusted Content base images)
  Affects quickview and recommendations commands
• Fix panic when an SBOM contains no packages
  Especially when using docker scout to analyse local file system, for instance using docker scout cves fs://.
• Bump Syft to 0.103.1 to fix golang Purl with subpath
• Add support for subpaths in PURLs
  For instance an image containing both packages github.com/gofiber/template and github.com/gofiber/template/django/v3, previously the two packages were visible under the same github.com/gofiber/template name. Now both of them are correctly identified
• Remove query strings from title in rendered hyperlinks

• Update syft to v0.100.0
• Support in-toto envelope layer in attestations
• Improve display of policy results in case of a boolean policy
  See for instance with a policy to ensure non root user is defined in the image:
  

What's Changed

• Fix link rendering growing the column by @cdupuis
• No cache and docs by @cdupuis
• Add correlation headers by @cdupuis
• Allow to pass in additional SBOM catalogers by @cdupuis
• Add No Data link for SonarQube policy by @felipecruz91
• Policy fixes by @cdupuis

What's Changed

• #75: Use cache dir env var for writing and reading by @cdupuis

What's Changed

• Display configurable policy names by @felipecruz91
• Add support for writing SDPX and CycloneDx to file by @cdupuis
• Support ACR in docker scout repo commands by @velll
• Docs cli reference refresh by @dvdksn