diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout.yaml
index 8dbe2951d677..37b012fa4845 100644
--- a/_vendor/github.com/docker/scout-cli/docs/docker_scout.yaml
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout.yaml
@@ -20,6 +20,7 @@ cname:
- docker scout recommendations
- docker scout repo
- docker scout version
+ - docker scout vex
- docker scout watch
clink:
- docker_scout_attestation.yaml
@@ -37,6 +38,7 @@ clink:
- docker_scout_recommendations.yaml
- docker_scout_repo.yaml
- docker_scout_version.yaml
+ - docker_scout_vex.yaml
- docker_scout_watch.yaml
options:
- option: debug
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation.yaml
index cbe04ad0a23c..87f7211eb89c 100644
--- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation.yaml
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation.yaml
@@ -1,13 +1,17 @@
command: docker scout attestation
aliases: docker scout attestation, docker scout attest
-short: Manage attestations on image indexes
-long: Manage attestations on image indexes
+short: Manage attestations on images
+long: Manage attestations on images
pname: docker scout
plink: docker_scout.yaml
cname:
- docker scout attestation add
+ - docker scout attestation get
+ - docker scout attestation list
clink:
- docker_scout_attestation_add.yaml
+ - docker_scout_attestation_get.yaml
+ - docker_scout_attestation_list.yaml
inherited_options:
- option: debug
value_type: bool
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_get.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_get.yaml
new file mode 100644
index 000000000000..94541b541e1d
--- /dev/null
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_get.yaml
@@ -0,0 +1,123 @@
+command: docker scout attestation get
+aliases: docker scout attestation get, docker scout attest get
+short: Get attestation for image
+long: The docker scout attestation get command gets attestations for images.
+usage: docker scout attestation get OPTIONS IMAGE [DIGEST]
+pname: docker scout attestation
+plink: docker_scout_attestation.yaml
+options:
+ - option: key
+ value_type: string
+ default_value: https://registry.scout.docker.com/keyring/dhi/latest.pub
+ description: Signature key to use for verification
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: org
+ value_type: string
+ description: Namespace of the Docker organization
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: output
+ shorthand: o
+ value_type: string
+ description: Write the report to a file
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: platform
+ value_type: string
+ description: Platform of image to analyze
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: predicate
+ value_type: bool
+ default_value: "false"
+ description: Get in-toto predicate only dropping the subject
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: predicate-type
+ value_type: string
+ description: Predicate-type for attestation
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: ref
+ value_type: string
+ description: |-
+ Reference to use if the provided tarball contains multiple references.
+ Can only be used with archive
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: skip-tlog
+ value_type: bool
+ default_value: "false"
+ description: Skip signature verification against public transaction log
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verify
+ value_type: bool
+ default_value: "false"
+ description: Verify the signature on the attestation
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+inherited_options:
+ - option: debug
+ value_type: bool
+ default_value: "false"
+ description: Debug messages
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verbose-debug
+ value_type: bool
+ default_value: "false"
+ description: Verbose debug
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+deprecated: false
+experimental: false
+experimentalcli: true
+kubernetes: false
+swarm: false
+
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_list.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_list.yaml
new file mode 100644
index 000000000000..429369d5a012
--- /dev/null
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_list.yaml
@@ -0,0 +1,96 @@
+command: docker scout attestation list
+aliases: docker scout attestation list, docker scout attest list
+short: List attestations for image
+long: The docker scout attestation list command lists attestations for images.
+usage: docker scout attestation list OPTIONS IMAGE
+pname: docker scout attestation
+plink: docker_scout_attestation.yaml
+options:
+ - option: format
+ value_type: string
+ default_value: list
+ description: |-
+ Output format:
+ - list: list of attestations of the image
+ - json: json representation of the attestation list (default "json")
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: org
+ value_type: string
+ description: Namespace of the Docker organization
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: output
+ shorthand: o
+ value_type: string
+ description: Write the report to a file
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: platform
+ value_type: string
+ description: Platform of image to analyze
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: predicate-type
+ value_type: string
+ description: Predicate-type for attestations
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: ref
+ value_type: string
+ description: |-
+ Reference to use if the provided tarball contains multiple references.
+ Can only be used with archive
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+inherited_options:
+ - option: debug
+ value_type: bool
+ default_value: "false"
+ description: Debug messages
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verbose-debug
+ value_type: bool
+ default_value: "false"
+ description: Verbose debug
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+deprecated: false
+experimental: false
+experimentalcli: true
+kubernetes: false
+swarm: false
+
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_compare.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_compare.yaml
index efd7ecdf8131..dfcb4ccc74c8 100644
--- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_compare.yaml
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_compare.yaml
@@ -95,6 +95,17 @@ options:
experimentalcli: false
kubernetes: false
swarm: false
+ - option: ignore-suppressed
+ value_type: bool
+ default_value: "false"
+ description: |
+ Filter CVEs found in Scout exceptions based on the specified exception scope
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
- option: ignore-unchanged
value_type: bool
default_value: "false"
@@ -177,6 +188,16 @@ options:
experimentalcli: false
kubernetes: false
swarm: false
+ - option: only-vex-affected
+ value_type: bool
+ default_value: "false"
+ description: Filter CVEs by VEX statements with status not affected
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
- option: org
value_type: string
description: Namespace of the Docker organization
@@ -264,6 +285,36 @@ options:
experimentalcli: false
kubernetes: false
swarm: false
+ - option: vex
+ value_type: bool
+ default_value: "false"
+ description: Apply VEX statements to filter CVEs
+ deprecated: true
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: vex-author
+ value_type: stringSlice
+ default_value: '[<.*@docker.com>]'
+ description: List of VEX statement authors to accept
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: vex-location
+ value_type: stringSlice
+ default_value: '[]'
+ description: File location of directory or file containing VEX statements
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
inherited_options:
- option: debug
value_type: bool
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
index eaef8f8a1b7b..d7bd9bcaf245 100644
--- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
@@ -359,7 +359,7 @@ options:
swarm: false
- option: vex-author
value_type: stringSlice
- default_value: '[]'
+ default_value: '[<.*@docker.com>]'
description: List of VEX statement authors to accept
deprecated: false
hidden: false
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_quickview.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_quickview.yaml
index 4810146b37a4..1ff9869c5a32 100644
--- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_quickview.yaml
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_quickview.yaml
@@ -147,7 +147,7 @@ options:
swarm: false
- option: vex-author
value_type: stringSlice
- default_value: '[]'
+ default_value: '[<.*@docker.com>]'
description: List of VEX statement authors to accept
deprecated: false
hidden: false
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex.yaml
new file mode 100644
index 000000000000..f6e9444a50d7
--- /dev/null
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex.yaml
@@ -0,0 +1,37 @@
+command: docker scout vex
+aliases: docker scout vex, docker scout vex
+short: Manage VEX attestations on images
+long: Manage VEX attestations on images
+pname: docker scout
+plink: docker_scout.yaml
+cname:
+ - docker scout vex get
+clink:
+ - docker_scout_vex_get.yaml
+inherited_options:
+ - option: debug
+ value_type: bool
+ default_value: "false"
+ description: Debug messages
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verbose-debug
+ value_type: bool
+ default_value: "false"
+ description: Verbose debug
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+deprecated: false
+experimental: false
+experimentalcli: true
+kubernetes: false
+swarm: false
+
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex_get.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex_get.yaml
new file mode 100644
index 000000000000..0578806662e1
--- /dev/null
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex_get.yaml
@@ -0,0 +1,103 @@
+command: docker scout vex get
+short: Get VEX attestation for image
+long: The docker scout vex get command gets a VEX attestation for images.
+usage: docker scout vex get OPTIONS IMAGE
+pname: docker scout vex
+plink: docker_scout_vex.yaml
+options:
+ - option: key
+ value_type: string
+ default_value: https://registry.scout.docker.com/keyring/dhi/latest.pub
+ description: Signature key to use for verification
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: org
+ value_type: string
+ description: Namespace of the Docker organization
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: output
+ shorthand: o
+ value_type: string
+ description: Write the report to a file
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: platform
+ value_type: string
+ description: Platform of image to analyze
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: ref
+ value_type: string
+ description: |-
+ Reference to use if the provided tarball contains multiple references.
+ Can only be used with archive
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: skip-tlog
+ value_type: bool
+ default_value: "false"
+ description: Skip signature verification against public transaction log
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verify
+ value_type: bool
+ default_value: "false"
+ description: Verify the signature on the attestation
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+inherited_options:
+ - option: debug
+ value_type: bool
+ default_value: "false"
+ description: Debug messages
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verbose-debug
+ value_type: bool
+ default_value: "false"
+ description: Verbose debug
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+deprecated: false
+experimental: false
+experimentalcli: true
+kubernetes: false
+swarm: false
+
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_watch.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_watch.yaml
index 30b6dbef4718..2d5368c5105a 100644
--- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_watch.yaml
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_watch.yaml
@@ -1,9 +1,8 @@
command: docker scout watch
short: |
Watch repositories in a registry and push images and indexes to Docker Scout (experimental)
-long: |-
- The `docker scout watch` command watches repositories in a registry
- and pushes images or analysis results to Docker Scout.
+long: |
+ The docker scout watch command watches repositories in a registry and pushes images or image indexes to Docker Scout.
usage: docker scout watch
pname: docker scout
plink: docker_scout.yaml
@@ -129,30 +128,7 @@ inherited_options:
experimentalcli: false
kubernetes: false
swarm: false
-examples: |-
- ### Watch for new images from two repositories and push them
-
- ```console
- $ docker scout watch --org my-org --repository registry-1.example.com/repo-1 --repository registry-2.example.com/repo-2
- ```
-
- ### Only push images with a specific tag
-
- ```console
- $ docker scout watch --org my-org --repository registry.example.com/my-service --tag latest
- ```
-
- ### Watch all repositories of a registry
-
- ```console
- $ docker scout watch --org my-org --registry registry.example.com
- ```
-
- ### Push all images and not just the new ones
-
- ```console
- $ docker scout watch--org my-org --repository registry.example.com/my-service --all-images
- ```
+examples: " Watch for new images from two repositories and push them\n $ docker scout watch --org my-org --repository registry-1.example.com/repo-1 --repository registry-2.example.com/repo-2\e[0m\n\n Only push images with a specific tag\n $ docker scout watch --org my-org --repository registry.example.com/my-service --tag latest\e[0m\n\n Watch all repositories of a registry\n $ docker scout watch --org my-org --registry registry.example.com\e[0m\n\n Push all images and not just the new ones\n $ docker scout watch --org my-org --repository registry.example.com/my-service --all-images\e[0m"
deprecated: false
experimental: false
experimentalcli: true
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout.md b/_vendor/github.com/docker/scout-cli/docs/scout.md
index aeac72b4c6d1..8b9b9e25f974 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout.md
@@ -11,7 +11,7 @@ Command line tool for Docker Scout
| Name | Description |
|:--------------------------------------------------------------|:--------------------------------------------------------------------------------------------|
-| [`attestation`](scout_attestation.md) | Manage attestations on image indexes |
+| [`attestation`](scout_attestation.md) | Manage attestations on images |
| [`cache`](scout_cache.md) | Manage Docker Scout cache and temporary files |
| [`compare`](scout_compare.md) | Compare two images and display differences (experimental) |
| [`config`](scout_config.md) | Manage Docker Scout configuration |
@@ -29,6 +29,7 @@ Command line tool for Docker Scout
| [`sbom`](scout_sbom.md) | Generate or display SBOM of an image |
| [`stream`](scout_stream.md) | Manage streams (experimental) |
| [`version`](scout_version.md) | Show Docker Scout version information |
+| [`vex`](scout_vex.md) | Manage VEX attestations on images |
| [`watch`](scout_watch.md) | Watch repositories in a registry and push images and indexes to Docker Scout (experimental) |
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_attestation.md b/_vendor/github.com/docker/scout-cli/docs/scout_attestation.md
index d4f6bc58277e..dc32a6b306ce 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_attestation.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_attestation.md
@@ -1,7 +1,7 @@
# docker scout attestation
-Manage attestations on image indexes
+Manage attestations on images
### Aliases
@@ -9,9 +9,11 @@ Manage attestations on image indexes
### Subcommands
-| Name | Description |
-|:----------------------------------|:-------------------------|
-| [`add`](scout_attestation_add.md) | Add attestation to image |
+| Name | Description |
+|:------------------------------------|:----------------------------|
+| [`add`](scout_attestation_add.md) | Add attestation to image |
+| [`get`](scout_attestation_get.md) | Get attestation for image |
+| [`list`](scout_attestation_list.md) | List attestations for image |
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_attestation_get.md b/_vendor/github.com/docker/scout-cli/docs/scout_attestation_get.md
new file mode 100644
index 000000000000..0c98a6b0233b
--- /dev/null
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_attestation_get.md
@@ -0,0 +1,26 @@
+# docker scout attestation get
+
+
+Get attestation for image
+
+### Aliases
+
+`docker scout attestation get`, `docker scout attest get`
+
+### Options
+
+| Name | Type | Default | Description |
+|:-------------------|:---------|:-----------------------------------------------------------|:--------------------------------------------------------------------------------------------------------|
+| `--key` | `string` | `https://registry.scout.docker.com/keyring/dhi/latest.pub` | Signature key to use for verification |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--predicate` | | | Get in-toto predicate only dropping the subject |
+| `--predicate-type` | `string` | | Predicate-type for attestation |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--skip-tlog` | | | Skip signature verification against public transaction log |
+| `--verify` | | | Verify the signature on the attestation |
+
+
+
+
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_attestation_list.md b/_vendor/github.com/docker/scout-cli/docs/scout_attestation_list.md
new file mode 100644
index 000000000000..06b33e172a39
--- /dev/null
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_attestation_list.md
@@ -0,0 +1,23 @@
+# docker scout attestation list
+
+
+List attestations for image
+
+### Aliases
+
+`docker scout attestation list`, `docker scout attest list`
+
+### Options
+
+| Name | Type | Default | Description |
+|:-------------------|:---------|:--------|:------------------------------------------------------------------------------------------------------------------------------------|
+| `--format` | `string` | `list` | Output format:
- list: list of attestations of the image
- json: json representation of the attestation list (default "json") |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--predicate-type` | `string` | | Predicate-type for attestations |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+
+
+
+
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_compare.md b/_vendor/github.com/docker/scout-cli/docs/scout_compare.md
index 569dab660df6..0461896b92f3 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_compare.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_compare.md
@@ -9,28 +9,32 @@ Compare two images and display differences (experimental)
### Options
-| Name | Type | Default | Description |
-|:----------------------|:--------------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `-x`, `--exit-on` | `stringSlice` | | Comma separated list of conditions to fail the action step if worse or changed, options are: vulnerability, policy, package |
-| `--format` | `string` | `text` | Output format of the generated vulnerability report:
- text: default output, plain text with or without colors depending on the terminal
- markdown: Markdown output
|
-| `--hide-policies` | | | Hide policy status from the output |
-| `--ignore-base` | | | Filter out CVEs introduced from base image |
-| `--ignore-unchanged` | | | Filter out unchanged packages |
-| `--multi-stage` | | | Show packages from multi-stage Docker builds |
-| `--only-fixed` | | | Filter to fixable CVEs |
-| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
-| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
-| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
-| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
-| `--only-unfixed` | | | Filter to unfixed CVEs |
-| `--org` | `string` | | Namespace of the Docker organization |
-| `-o`, `--output` | `string` | | Write the report to a file |
-| `--platform` | `string` | | Platform of image to analyze |
-| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
-| `--to` | `string` | | Image, directory, or archive to compare to |
-| `--to-env` | `string` | | Name of environment to compare to |
-| `--to-latest` | | | Latest image processed to compare to |
-| `--to-ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive. |
+| Name | Type | Default | Description |
+|:----------------------|:--------------|:--------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `-x`, `--exit-on` | `stringSlice` | | Comma separated list of conditions to fail the action step if worse or changed, options are: vulnerability, policy, package |
+| `--format` | `string` | `text` | Output format of the generated vulnerability report:
- text: default output, plain text with or without colors depending on the terminal
- markdown: Markdown output
|
+| `--hide-policies` | | | Hide policy status from the output |
+| `--ignore-base` | | | Filter out CVEs introduced from base image |
+| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
+| `--ignore-unchanged` | | | Filter out unchanged packages |
+| `--multi-stage` | | | Show packages from multi-stage Docker builds |
+| `--only-fixed` | | | Filter to fixable CVEs |
+| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
+| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
+| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
+| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
+| `--only-unfixed` | | | Filter to unfixed CVEs |
+| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--to` | `string` | | Image, directory, or archive to compare to |
+| `--to-env` | `string` | | Name of environment to compare to |
+| `--to-latest` | | | Latest image processed to compare to |
+| `--to-ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive. |
+| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
+| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_cves.md b/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
index bdb7f82921d0..e6fd689c1ed3 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
@@ -9,37 +9,37 @@ Display CVEs identified in a software artifact
### Options
-| Name | Type | Default | Description |
-|:-----------------------|:--------------|:-----------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `--details` | | | Print details on default text output |
-| `--env` | `string` | | Name of environment |
-| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
-| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
-| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
-| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
-| `--format` | `string` | `packages` | Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
|
-| `--ignore-base` | | | Filter out CVEs introduced from base image |
-| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
-| `--locations` | | | Print package locations including file paths and layer diff_id |
-| `--multi-stage` | | | Show packages from multi-stage Docker builds |
-| `--only-base` | | | Only show CVEs introduced by the base image |
-| `--only-cisa-kev` | | | Filter to CVEs listed in the CISA KEV catalog |
-| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
-| `--only-fixed` | | | Filter to fixable CVEs |
-| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
-| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
-| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
-| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
-| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
-| `--only-unfixed` | | | Filter to unfixed CVEs |
-| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
-| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
-| `--org` | `string` | | Namespace of the Docker organization |
-| `-o`, `--output` | `string` | | Write the report to a file |
-| `--platform` | `string` | | Platform of image to analyze |
-| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
-| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
-| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
+| Name | Type | Default | Description |
+|:-----------------------|:--------------|:--------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `--details` | | | Print details on default text output |
+| `--env` | `string` | | Name of environment |
+| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
+| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
+| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
+| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
+| `--format` | `string` | `packages` | Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
|
+| `--ignore-base` | | | Filter out CVEs introduced from base image |
+| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
+| `--locations` | | | Print package locations including file paths and layer diff_id |
+| `--multi-stage` | | | Show packages from multi-stage Docker builds |
+| `--only-base` | | | Only show CVEs introduced by the base image |
+| `--only-cisa-kev` | | | Filter to CVEs listed in the CISA KEV catalog |
+| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
+| `--only-fixed` | | | Filter to fixable CVEs |
+| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
+| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
+| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
+| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
+| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
+| `--only-unfixed` | | | Filter to unfixed CVEs |
+| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
+| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
+| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_quickview.md b/_vendor/github.com/docker/scout-cli/docs/scout_quickview.md
index 3bf752a0cf9b..b7e139d93811 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_quickview.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_quickview.md
@@ -9,19 +9,19 @@ Quick overview of an image
### Options
-| Name | Type | Default | Description |
-|:----------------------|:--------------|:--------|:--------------------------------------------------------------------------------------------------------|
-| `--env` | `string` | | Name of the environment |
-| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
-| `--latest` | | | Latest indexed image |
-| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
-| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
-| `--org` | `string` | | Namespace of the Docker organization |
-| `-o`, `--output` | `string` | | Write the report to a file |
-| `--platform` | `string` | | Platform of image to analyze |
-| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
-| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
-| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
+| Name | Type | Default | Description |
+|:----------------------|:--------------|:--------------------|:--------------------------------------------------------------------------------------------------------|
+| `--env` | `string` | | Name of the environment |
+| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
+| `--latest` | | | Latest indexed image |
+| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
+| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
+| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_vex.md b/_vendor/github.com/docker/scout-cli/docs/scout_vex.md
new file mode 100644
index 000000000000..4ac3db0726bf
--- /dev/null
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_vex.md
@@ -0,0 +1,19 @@
+# docker scout vex
+
+
+Manage VEX attestations on images
+
+### Aliases
+
+`docker scout vex`, `docker scout vex`
+
+### Subcommands
+
+| Name | Description |
+|:--------------------------|:------------------------------|
+| [`get`](scout_vex_get.md) | Get VEX attestation for image |
+
+
+
+
+
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_vex_get.md b/_vendor/github.com/docker/scout-cli/docs/scout_vex_get.md
new file mode 100644
index 000000000000..b7c9623dd7e3
--- /dev/null
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_vex_get.md
@@ -0,0 +1,20 @@
+# docker scout vex get
+
+
+Get VEX attestation for image
+
+### Options
+
+| Name | Type | Default | Description |
+|:-----------------|:---------|:-----------------------------------------------------------|:--------------------------------------------------------------------------------------------------------|
+| `--key` | `string` | `https://registry.scout.docker.com/keyring/dhi/latest.pub` | Signature key to use for verification |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--skip-tlog` | | | Skip signature verification against public transaction log |
+| `--verify` | | | Verify the signature on the attestation |
+
+
+
+
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_watch.md b/_vendor/github.com/docker/scout-cli/docs/scout_watch.md
index 2444ce3c430a..6fb14a197b96 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_watch.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_watch.md
@@ -49,5 +49,74 @@ $ docker scout watch --org my-org --registry registry.example.com
### Push all images and not just the new ones
```console
-$ docker scout watch--org my-org --repository registry.example.com/my-service --all-images
+$ docker scout watch --org my-org --repository registry.example.com/my-service --all-images
```
+
+### Configure Artifactory integration
+
+The following example creates a web hook endpoint for Artifactory to push new
+image events into:
+
+```console
+$ export DOCKER_SCOUT_ARTIFACTORY_API_USER=user
+$ export DOCKER_SCOUT_ARTIFACTORY_API_PASSWORD=password
+$ export DOCKER_SCOUT_ARTIFACTORY_WEBHOOK_SECRET=foo
+
+$ docker scout watch --registry "type=artifactory,registry=example.jfrog.io,api=https://example.jfrog.io/artifactory,include=*/frontend*,exclude=*/dta/*,repository=docker-local,port=9000,subdomain-mode=true" --refresh-registry
+```
+
+This will launch an HTTP server on port `9000` that will receive all `component` web
+hook events, optionally validating the HMAC signature.
+
+### Configure Harbor integration
+
+The following example creates a web hook endpoint for Harbor to push new image
+events into:
+
+```console
+$ export DOCKER_SCOUT_HARBOR_API_USER=admin
+$ export DOCKER_SCOUT_HARBOR_API_PASSWORD=password
+$ export DOCKER_SCOUT_HARBOR_WEBHOOK_AUTH="token foo"
+
+$ docker scout watch --registry 'type=harbor,registry=demo.goharbor.io,api=https://demo.goharbor.io,include=*/foo/*,exclude=*/bar/*,port=9000' --refresh-registry
+```
+
+This will launch an HTTP server on port `9000` that will receive all `component` web
+hook events, optionally validating the HMAC signature.
+
+### Configure Nexus integration
+
+The following example shows how to configure Sonartype Nexus integration:
+
+```console
+$ export DOCKER_SCOUT_NEXUS_API_USER=admin
+$ export DOCKER_SCOUT_NEXUS_API_PASSWORD=admin124
+
+$ docker scout watch --registry 'type=nexus,registry=localhost:8082,api=http://localhost:8081,include=*/foo/*,exclude=*/bar/*,"repository=docker-test1,docker-test2"' --refresh-registry
+```
+
+This ingests all images and tags in Nexus repositories called `docker-test1`
+and `docker-test2` that match the `*/foo/*` include and `*/bar/*` exclude glob
+pattern.
+
+You can also create a web hook endpoint for Nexus to push new image events into:
+
+```console
+$ export DOCKER_SCOUT_NEXUS_API_USER=admin
+$ export DOCKER_SCOUT_NEXUS_API_PASSWORD=admin124
+$ export DOCKER_SCOUT_NEXUS_WEBHOOK_SECRET=mysecret
+
+$ docker scout watch --registry 'type=nexus,registry=localhost:8082,api=http://localhost:8081,include=*/foo/*,exclude=*/bar/*,"repository=docker-test1,docker-test2",port=9000' --refresh-registry
+```
+
+This will launch an HTTP server on port `9000` that will receive all `component` web
+hook events, optionally validating the HMAC signature.
+
+## Configure integration for other OCI registries
+
+The following example shows how to integrate an OCI registry that implements the
+`_catalog` endpoint:
+
+```console
+$ docker scout watch --registry 'type=oci,registry=registry.example.com,include=*/scout-artifact-registry/*'
+```
\ No newline at end of file
diff --git a/_vendor/modules.txt b/_vendor/modules.txt
index becb4adff7a4..e48772ab3464 100644
--- a/_vendor/modules.txt
+++ b/_vendor/modules.txt
@@ -5,4 +5,4 @@
# github.com/docker/compose/v2 v2.39.4
# github.com/docker/model-cli v0.1.41
# github.com/docker/mcp-gateway v0.13.1-0.20250730013131-e08a3be84765
-# github.com/docker/scout-cli v1.18.1
+# github.com/docker/scout-cli v1.18.4
diff --git a/content/manuals/scout/release-notes/cli.md b/content/manuals/scout/release-notes/cli.md
index 9e3369add11c..58829b3cbdd2 100644
--- a/content/manuals/scout/release-notes/cli.md
+++ b/content/manuals/scout/release-notes/cli.md
@@ -9,6 +9,14 @@ This page contains information about the new features, improvements, known
issues, and bug fixes in the Docker Scout [CLI plugin](https://github.com/docker/scout-cli/)
and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-action).
+## 1.18.4
+
+{{< release-date date="2025-10-02" >}}
+
+### Bug fixes
+
+- VEX and SPDX fixes.
+
## 1.18.3
{{< release-date date="2025-08-13" >}}
diff --git a/content/reference/cli/docker/scout/attestation/get.md b/content/reference/cli/docker/scout/attestation/get.md
new file mode 100644
index 000000000000..9fc3e4b6c866
--- /dev/null
+++ b/content/reference/cli/docker/scout/attestation/get.md
@@ -0,0 +1,14 @@
+---
+datafolder: scout-cli
+datafile: docker_scout_attestation_get
+title: docker scout attestation get
+layout: cli
+---
+
+
\ No newline at end of file
diff --git a/content/reference/cli/docker/scout/attestation/list.md b/content/reference/cli/docker/scout/attestation/list.md
new file mode 100644
index 000000000000..a7deeadf5adb
--- /dev/null
+++ b/content/reference/cli/docker/scout/attestation/list.md
@@ -0,0 +1,14 @@
+---
+datafolder: scout-cli
+datafile: docker_scout_attestation_list
+title: docker scout attestation list
+layout: cli
+---
+
+
\ No newline at end of file
diff --git a/content/reference/cli/docker/scout/vex/_index.md b/content/reference/cli/docker/scout/vex/_index.md
new file mode 100644
index 000000000000..329dedcddf2f
--- /dev/null
+++ b/content/reference/cli/docker/scout/vex/_index.md
@@ -0,0 +1,14 @@
+---
+datafolder: scout-cli
+datafile: docker_scout_vex
+title: docker scout vex
+layout: cli
+---
+
+
\ No newline at end of file
diff --git a/content/reference/cli/docker/scout/vex/get.md b/content/reference/cli/docker/scout/vex/get.md
new file mode 100644
index 000000000000..8fcb66b633fd
--- /dev/null
+++ b/content/reference/cli/docker/scout/vex/get.md
@@ -0,0 +1,14 @@
+---
+datafolder: scout-cli
+datafile: docker_scout_vex_get
+title: docker scout vex get
+layout: cli
+---
+
+
\ No newline at end of file
diff --git a/go.mod b/go.mod
index 63c74a06153f..d86541e30fef 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
github.com/docker/model-cli v0.1.41 // indirect
github.com/docker/model-distribution v0.0.0-20250918153037-7d9fc7b72b57 // indirect
github.com/docker/model-runner v0.0.0-20250911130340-38bb0171c947 // indirect
- github.com/docker/scout-cli v1.18.1 // indirect
+ github.com/docker/scout-cli v1.18.4 // indirect
github.com/elastic/go-sysinfo v1.15.3 // indirect
github.com/elastic/go-windows v1.0.2 // indirect
github.com/fatih/color v1.18.0 // indirect
@@ -114,7 +114,7 @@ replace (
github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.39.4
github.com/docker/docker => github.com/docker/docker v28.4.0+incompatible
github.com/docker/model-cli => github.com/docker/model-cli v0.1.41
- github.com/docker/scout-cli => github.com/docker/scout-cli v1.18.1
+ github.com/docker/scout-cli => github.com/docker/scout-cli v1.18.4
github.com/moby/buildkit => github.com/moby/buildkit v0.25.0
github.com/moby/moby => github.com/moby/moby v28.4.0+incompatible
)
diff --git a/go.sum b/go.sum
index 9830bd95b711..6fa87b90ee6a 100644
--- a/go.sum
+++ b/go.sum
@@ -142,6 +142,8 @@ github.com/docker/scout-cli v1.15.0 h1:VhA9niVftEyZ9f5KGwKnrSfQOp2X3uIU3VbE/gTVM
github.com/docker/scout-cli v1.15.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/docker/scout-cli v1.18.1 h1:snFodhV6xFJryxdUZ0ukPZFZZFnWAGLUuuPZGB3BOK8=
github.com/docker/scout-cli v1.18.1/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
+github.com/docker/scout-cli v1.18.4 h1:Td+SSA55WlD7gmrNaBe0imgfVzzQjlfb/prwBn9GOSw=
+github.com/docker/scout-cli v1.18.4/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/elastic/go-sysinfo v1.15.3 h1:W+RnmhKFkqPTCRoFq2VCTmsT4p/fwpo+3gKNQsn1XU0=
github.com/elastic/go-sysinfo v1.15.3/go.mod h1:K/cNrqYTDrSoMh2oDkYEMS2+a72GRxMvNP+GC+vRIlo=
github.com/elastic/go-windows v1.0.2 h1:yoLLsAsV5cfg9FLhZ9EXZ2n2sQFKeDYrHenkcivY4vI=