What's Changed

• fix comparison to environment (docker scout compare --to-env) by @eunomie
• raise error if docker scout environment without organization set by @eunomie

Highlights

File System Scanning

It's now possible to analyse and compare file system, in addition to images.

For instance to get a quick overview of the source code from the current folder

• docker scout quickview --type fs .

It's also possible to compare a local (non image) version to the same software embedded in an image.

• docker scout compare --type fs . --to namespace/repository:tag

For instance if you are building a Go service and you only want to see what has changed:

• docker scout compare --type fs . --to my/service:latest --only-package-type GoLang --ignore-unchanged

What's Changed

• Add support for scanning fs by @cdupuis
• fix: do not ask for an app name when recording to an environment by @eunomie
• Package namespace displayed in addition to the name by @eunomie
• improve help message if no configuration available by @eunomie

What's Changed

• fix: recommendations and base image when provenance attached by @eunomie #38

Highlights from v0.22.3

Cache and Temporary Files

You can know visualise the temporary and cached files generated by docker scout and delete them:

• docker scout cache df
  

• docker scout cache prune
  

Display Only Packages

docker scout cves has a new output format only-packages. It only displays the list of packages and for each their vulnerabilities.

This can be enhanced by adding other filters, for instance:

• --only-package-type golang
• --only-vuln-packages
  With that you have a very quick view of the packages you probably want to upgrade.

Environments

docker scout environment allows to list available environments, list images in an environment and record an image to an environment.

Namespace of Docker Organization

A new flag --org has been added to many commands. It allows to indicate the right namespace of the Docker organization you are using. It defines the context on scout.docker.com when you refer to non Hub images.

To make it easy, you can configure a default organization that will be used unless you specified --org. That way you configure it once and you're done.

Enroll Organization

Enroll your organization on Docker Scout directly from your CLI with docker scout enroll ORG

What's Changed

• remove uses of docker engine "internals" and fix broken mocks by @thaJeztah
• Update Go and go dependencies by @cdupuis
• go.mod: update github.com/docker/docker v24.0.5 to fix go1.20.6 compat by @thaJeztah
• feat: list and prune temporary and cache files by @eunomie
• feat: help user raising bugs and feature requests by @eunomie
• Add namespace to all DSO queries by @cdupuis
• feat: add only-packages output format for cves command by @eunomie
• feat: allow to configure the default namespace by @eunomie
• Initial version of VEX support by @cdupuis
• feat: display scout logo by @eunomie
• allow to filter out non vulnerable packages by @eunomie
• GHA namespace by @eunomie
• pick a logo that looks smoother by @eunomie
• Replace stream by environment by @eunomie
• ref: make DSO interface public by @eunomie
• feat: improve sbom caching by @eunomie
• Update syft 0.87.1 by @cdupuis
• fix: hint to docker scout cache prune by @eunomie
• improve login message to the user by @eunomie
• ref: rename namespace flag to org by @eunomie
• docs: namespace of the docker organization by @eunomie
• Check and enable repo on push if needed by @cdupuis
• Add enroll command by @cdupuis
• fix: org selection by @eunomie

⚠️ Please use v0.23.2 or newer instead of this one that contains an issue about organization described below

Highlights

Cache and Temporary Files

You can know visualise the temporary and cached files generated by docker scout and delete them:

• docker scout cache df
  

• docker scout cache prune
  

Display Only Packages

docker scout cves has a new output format only-packages. It only displays the list of packages and for each their vulnerabilities.

This can be enhanced by adding other filters, for instance:

• --only-package-type golang
• --only-vuln-packages
  With that you have a very quick view of the packages you probably want to upgrade.

Environments

docker scout environment allows to list available environments, list images in an environment and record an image to an environment.

Namespace of Docker Organization

A new flag --org has been added to many commands. It allows to indicate the right namespace of the Docker organization you are using. It defines the context on scout.docker.com when you refer to non Hub images.

To make it easy, you can configure a default organization that will be used unless you specified --org. That way you configure it once and you're done.

What's Changed

• remove uses of docker engine "internals" and fix broken mocks by @thaJeztah
• Update Go and go dependencies by @cdupuis
• go.mod: update github.com/docker/docker v24.0.5 to fix go1.20.6 compat by @thaJeztah
• feat: list and prune temporary and cache files by @eunomie
• feat: help user raising bugs and feature requests by @eunomie
• Add namespace to all DSO queries by @cdupuis
• feat: add only-packages output format for cves command by @eunomie
• feat: allow to configure the default namespace by @eunomie
• Initial version of VEX support by @cdupuis
• feat: display scout logo by @eunomie
• allow to filter out non vulnerable packages by @eunomie
• GHA namespace by @eunomie
• pick a logo that looks smoother by @eunomie
• Replace stream by environment by @eunomie
• ref: make DSO interface public by @eunomie
• feat: improve sbom caching by @eunomie
• Update syft 0.87.1 by @cdupuis
• fix: hint to docker scout cache prune by @eunomie
• improve login message to the user by @eunomie
• ref: rename namespace flag to org by @eunomie
• docs: namespace of the docker organization by @eunomie

What's Changed

• fix: markdown output of docker scout cves command by @eunomie

What's Changed

• Don't fail docker scout push when base image is unavailable by @cdupuis

What's Changed

• Allow docker scout push for local images by @cdupuis

What's Changed

• Add —stream to cves and quickview by @cdupuis
• Add repo url to version hint by @cdupuis
• GHA README: Add stream example by @mikeparker

New Contributors

• @mikeparker made their first contribution

What's changed

• Fix error handling with missing/invalid attestation by @cdupuis
• Use OSC 8 hyperlinks by @cdupuis
• Support for multi-stage SBOMs by @cdupuis