From bd0a846f257e49c8d4f6056b91aadac29270b017 Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Thu, 5 Sep 2024 15:54:50 +0200 Subject: [PATCH] scout: scores now based on org policy config Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/manuals/scout/policy/scores.md | 43 +++++++++++++------ .../manuals/scout/release-notes/platform.md | 13 ++++++ 2 files changed, 43 insertions(+), 13 deletions(-) diff --git a/content/manuals/scout/policy/scores.md b/content/manuals/scout/policy/scores.md index bc2a33b8bc60..6db833b35df8 100644 --- a/content/manuals/scout/policy/scores.md +++ b/content/manuals/scout/policy/scores.md 
@@ -51,18 +51,32 @@ along with each policy that contributed to the score. ## Scoring system -Health scores are determined by evaluating images against a set of Docker Scout +Health scores are determined by evaluating images against Docker Scout [policies](./_index.md). These policies align with best practices for the software supply chain and are recommended by Docker as foundational -standards for images. +standards for images. Some examples of these policies include: + +- **Supply chain attestations**: Images should have supply chain attestations. +- **No outdated base images**: Images should not use outdated base images. +- **No AGPL v3 licenses**: Images should not contain AGPL v3-licensed packages. + +If your image repositories are already enrolled with Docker Scout, the health +score is calculated automatically based on the policies that are enabled for +your organization. This also includes any custom policies that you have +configured. + +If you're not using Docker Scout, the health scores show the compliance of your +images with the default, [out-of-the-box policies](/manuals/scout/policy/_index.md#out-of-the-box-policies). +You can enable Docker Scout for your organization to get a more relevant health +score based on your specific policies. + +### Scoring process Each policy is assigned a points value. If the image is compliant with a policy, it is awarded the points value for that policy. The health score of an image is calculated based on the percentage of points achieved relative to the total possible points. -### Scoring process - 1. Policy compliance is evaluated for the image. 2. Points are awarded based on adherence to these policies. 3. The points achieved percentage is calculated: 
@@ -102,15 +116,18 @@ If you see an `N/A` score, consider the following: The policies that influence the score, and their respective weights, are as follows: -| Policy | Points | -| ---------------------------------------------------------------------------------------------------------- | ------ | -| [No fixable critical or high vulnerabilities](/scout/policy#no-fixable-critical-or-high-vulnerabilities) | 20 | -| [No high-profile vulnerabilities](/scout/policy#no-high-profile-vulnerabilities) | 20 | -| [Supply chain attestations](/scout/policy#supply-chain-attestations) | 15 | -| [No unapproved base images](/scout/policy/#no-unapproved-base-images) | 15 | -| [No outdated base images](/scout/policy#no-outdated-base-images) | 10 | -| [Default non-root user](/scout/policy#default-non-root-user) | 5 | -| [No AGPL v3 licenses](/manuals/scout/policy/_index.md#no-agpl-v3-licenses) | 5 | +| Policy | Points | +| -------------------------------------------------------------------------------------------------------------------------- | ------ | +| [No fixable critical or high vulnerabilities](/manuals/scout/policy/_index.md#no-fixable-critical-or-high-vulnerabilities) | 20 | +| [No high-profile vulnerabilities](/manuals/scout/policy/_index.md#no-high-profile-vulnerabilities) | 20 | +| [Supply chain attestations](/manuals/scout/policy/_index.md#supply-chain-attestations) | 15 | +| [No unapproved base images](/manuals/scout/policy/_index.md#no-unapproved-base-images) | 15 | +| [No outdated base images](/manuals/scout/policy/_index.md#no-outdated-base-images) | 10 | +| [SonarQube quality gates passed](/manuals/scout/policy/_index.md#sonarqube-quality-gates-passed) \* | 10 | +| [Default non-root user](/manuals/scout/policy/_index.md#default-non-root-user) | 5 | +| [No AGPL v3 licenses](/manuals/scout/policy/_index.md#no-agpl-v3-licenses) | 5 | + +\* _This policy is not enabled by default and must be configured by the user._ ### Evaluation 
diff --git a/content/manuals/scout/release-notes/platform.md b/content/manuals/scout/release-notes/platform.md index 1b79b3222e1a..929e60113e78 100644 --- a/content/manuals/scout/release-notes/platform.md +++ b/content/manuals/scout/release-notes/platform.md @@ -20,6 +20,19 @@ for what's coming next. New features and enhancements released in the third quarter of 2024. +### 2024-09-05 + +This release changes how [health scores](/manuals/scout/policy/scores.md) are +calculated in Docker Scout. The health score calculation now considers optional +and custom policies that you have configured for your organization. + +This means that if you have enabled, disabled, or customized any of the default +policies, Docker Scout will now take those policies into account when +calculating the health score for your organization's images. + +If you haven't yet enabled Docker Scout for your organization, the health score +calculation will be based on the out-of-the-box policies. + ### 2024-08-13 This release changes the out-of-the-box policies to align with the policy
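Review bot: in the first hunk of scores.md (the "Scoring system" paragraphs), the new text states that the score "also includes any custom policies that you have configured", but nothing in this file says what points value a custom policy carries or how it enters the "total possible points" that the Scoring process paragraph divides by; a reader who adds a custom policy cannot tell whether their denominator changed. Suggest one sentence next to "This also includes any custom policies that you have configured." stating the points assigned to a custom policy (or that custom policies carry the default weight of the policy they were derived from, if that is the behaviour). The same hunk also mixes three terms for the same state ("image repositories are already enrolled with Docker Scout", "If you're not using Docker Scout", "enable Docker Scout for your organization"); pick one so it is clear whether enrollment is per repository or per organization. Minor: this hunk links with `./_index.md` while the second hunk switches every link to `/manuals/scout/policy/_index.md`; use one form.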
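Review bot: in the second hunk of scores.md (the weights table), the listed points now sum to 100 only when the opt-in "SonarQube quality gates passed" row (10 points) is enabled, and to 90 otherwise, yet the footnote "This policy is not enabled by default and must be configured by the user." does not say whether a disabled policy's points are removed from the total possible points or counted as not achieved. Since the first hunk now says the score is "calculated automatically based on the policies that are enabled for your organization", the table should state the rule explicitly, for example by extending the footnote with "Points for policies that are not enabled are excluded from the total possible points." (or the opposite, whichever the scoring does). Without that, the worked percentage in the Scoring process steps cannot be reproduced from this table.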
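Review bot: in the platform.md hunk (the 2024-09-05 entry), the note says the calculation now "considers optional and custom policies" but does not warn that existing health scores may change after this release even though no image changed; since a score that drops from one day to the next is exactly what users will ask about, add a sentence such as "Scores for organizations that have enabled, disabled, or customized policies may change as a result." and link to the weights table in scores.md so readers can see which policies now count. The second and third paragraphs also restate the first ("now considers optional and custom policies" and "will now take those policies into account"); they could be merged into one.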