From 2706ae5f8ac486617f3fc55687f271cb5c7a0f8c Mon Sep 17 00:00:00 2001 From: Craig Date: Thu, 2 Oct 2025 09:41:01 -0700 Subject: [PATCH] scout: update cli to 1.18.4 
Signed-off-by: Craig --- .../docker/scout-cli/docs/docker_scout.yaml | 2 + .../docs/docker_scout_attestation.yaml | 8 +- .../docs/docker_scout_attestation_get.yaml | 123 ++++++++++++++++++ .../docs/docker_scout_attestation_list.yaml | 96 ++++++++++++++ .../scout-cli/docs/docker_scout_compare.yaml | 51 ++++++++ .../scout-cli/docs/docker_scout_cves.yaml | 2 +- .../docs/docker_scout_quickview.yaml | 2 +- .../scout-cli/docs/docker_scout_vex.yaml | 37 ++++++ .../scout-cli/docs/docker_scout_vex_get.yaml | 103 +++++++++++++++ .../scout-cli/docs/docker_scout_watch.yaml | 30 +---- .../github.com/docker/scout-cli/docs/scout.md | 3 +- .../scout-cli/docs/scout_attestation.md | 10 +- .../scout-cli/docs/scout_attestation_get.md | 26 ++++ .../scout-cli/docs/scout_attestation_list.md | 23 ++++ .../docker/scout-cli/docs/scout_compare.md | 48 +++---- .../docker/scout-cli/docs/scout_cves.md | 62 ++++----- .../docker/scout-cli/docs/scout_quickview.md | 26 ++-- .../docker/scout-cli/docs/scout_vex.md | 19 +++ .../docker/scout-cli/docs/scout_vex_get.md | 20 +++ .../docker/scout-cli/docs/scout_watch.md | 71 +++++++++- _vendor/modules.txt | 2 +- content/manuals/scout/release-notes/cli.md | 8 ++ .../cli/docker/scout/attestation/get.md | 14 ++ .../cli/docker/scout/attestation/list.md | 14 ++ .../reference/cli/docker/scout/vex/_index.md | 14 ++ content/reference/cli/docker/scout/vex/get.md | 14 ++ go.mod | 4 +- go.sum | 2 + 28 files changed, 728 insertions(+), 106 deletions(-) create mode 100644 _vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_get.yaml create mode 100644 _vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_list.yaml create mode 100644 _vendor/github.com/docker/scout-cli/docs/docker_scout_vex.yaml create mode 100644 _vendor/github.com/docker/scout-cli/docs/docker_scout_vex_get.yaml create mode 100644 _vendor/github.com/docker/scout-cli/docs/scout_attestation_get.md create mode 100644 
_vendor/github.com/docker/scout-cli/docs/scout_attestation_list.md create mode 100644 _vendor/github.com/docker/scout-cli/docs/scout_vex.md create mode 100644 _vendor/github.com/docker/scout-cli/docs/scout_vex_get.md create mode 100644 content/reference/cli/docker/scout/attestation/get.md create mode 100644 content/reference/cli/docker/scout/attestation/list.md create mode 100644 content/reference/cli/docker/scout/vex/_index.md create mode 100644 content/reference/cli/docker/scout/vex/get.md diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout.yaml index 8dbe2951d677..37b012fa4845 100644 --- a/_vendor/github.com/docker/scout-cli/docs/docker_scout.yaml +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout.yaml @@ -20,6 +20,7 @@ cname: - docker scout recommendations - docker scout repo - docker scout version + - docker scout vex - docker scout watch clink: - docker_scout_attestation.yaml @@ -37,6 +38,7 @@ clink: - docker_scout_recommendations.yaml - docker_scout_repo.yaml - docker_scout_version.yaml + - docker_scout_vex.yaml - docker_scout_watch.yaml options: - option: debug diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation.yaml index cbe04ad0a23c..87f7211eb89c 100644 --- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation.yaml +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation.yaml 
@@ -1,13 +1,17 @@ command: docker scout attestation aliases: docker scout attestation, docker scout attest -short: Manage attestations on image indexes -long: Manage attestations on image indexes +short: Manage attestations on images +long: Manage attestations on images pname: docker scout plink: docker_scout.yaml cname: - docker scout attestation add + - docker scout attestation get + - docker scout attestation list clink: - docker_scout_attestation_add.yaml + - docker_scout_attestation_get.yaml + - docker_scout_attestation_list.yaml inherited_options: - option: debug value_type: bool diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_get.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_get.yaml new file mode 100644 index 000000000000..94541b541e1d --- /dev/null +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_get.yaml 
@@ -0,0 +1,123 @@ +command: docker scout attestation get +aliases: docker scout attestation get, docker scout attest get +short: Get attestation for image +long: The docker scout attestation get command gets attestations for images. +usage: docker scout attestation get OPTIONS IMAGE [DIGEST] +pname: docker scout attestation +plink: docker_scout_attestation.yaml +options: + - option: key + value_type: string + default_value: https://registry.scout.docker.com/keyring/dhi/latest.pub + description: Signature key to use for verification + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: org + value_type: string + description: Namespace of the Docker organization + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: output + shorthand: o + value_type: string + description: Write the report to a file + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: platform + value_type: string + description: Platform of image to analyze + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: predicate + value_type: bool + default_value: "false" + description: Get in-toto predicate only dropping the subject + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: predicate-type + value_type: string + description: Predicate-type for attestation + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: ref + value_type: string + description: |- + Reference to use if the provided tarball contains multiple references. 
+ Can only be used with archive + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: skip-tlog + value_type: bool + default_value: "false" + description: Skip signature verification against public transaction log + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: verify + value_type: bool + default_value: "false" + description: Verify the signature on the attestation + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false +inherited_options: + - option: debug + value_type: bool + default_value: "false" + description: Debug messages + deprecated: false + hidden: true + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: verbose-debug + value_type: bool + default_value: "false" + description: Verbose debug + deprecated: false + hidden: true + experimental: false + experimentalcli: false + kubernetes: false + swarm: false +deprecated: false +experimental: false +experimentalcli: true +kubernetes: false +swarm: false + diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_list.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_list.yaml new file mode 100644 index 000000000000..429369d5a012 --- /dev/null +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_attestation_list.yaml 
@@ -0,0 +1,96 @@ +command: docker scout attestation list +aliases: docker scout attestation list, docker scout attest list +short: List attestations for image +long: The docker scout attestation list command lists attestations for images. +usage: docker scout attestation list OPTIONS IMAGE +pname: docker scout attestation +plink: docker_scout_attestation.yaml +options: + - option: format + value_type: string + default_value: list + description: |- + Output format: + - list: list of attestations of the image + - json: json representation of the attestation list (default "json") + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: org + value_type: string + description: Namespace of the Docker organization + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: output + shorthand: o + value_type: string + description: Write the report to a file + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: platform + value_type: string + description: Platform of image to analyze + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: predicate-type + value_type: string + description: Predicate-type for attestations + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: ref + value_type: string + description: |- + Reference to use if the provided tarball contains multiple references. 
+ Can only be used with archive + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false +inherited_options: + - option: debug + value_type: bool + default_value: "false" + description: Debug messages + deprecated: false + hidden: true + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: verbose-debug + value_type: bool + default_value: "false" + description: Verbose debug + deprecated: false + hidden: true + experimental: false + experimentalcli: false + kubernetes: false + swarm: false +deprecated: false +experimental: false +experimentalcli: true +kubernetes: false +swarm: false + diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_compare.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_compare.yaml index efd7ecdf8131..dfcb4ccc74c8 100644 --- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_compare.yaml +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_compare.yaml @@ -95,6 +95,17 @@ options: experimentalcli: false kubernetes: false swarm: false + - option: ignore-suppressed + value_type: bool + default_value: "false" + description: | + Filter CVEs found in Scout exceptions based on the specified exception scope + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false - option: ignore-unchanged value_type: bool default_value: "false" @@ -177,6 +188,16 @@ options: experimentalcli: false kubernetes: false swarm: false + - option: only-vex-affected + value_type: bool + default_value: "false" + description: Filter CVEs by VEX statements with status not affected + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false - option: org value_type: string description: Namespace of the Docker organization 
@@ -264,6 +285,36 @@ options: experimentalcli: false kubernetes: false swarm: false + - option: vex + value_type: bool + default_value: "false" + description: Apply VEX statements to filter CVEs + deprecated: true + hidden: true + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: vex-author + value_type: stringSlice + default_value: '[<.*@docker.com>]' + description: List of VEX statement authors to accept + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: vex-location + value_type: stringSlice + default_value: '[]' + description: File location of directory or file containing VEX statements + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false inherited_options: - option: debug value_type: bool diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml index eaef8f8a1b7b..d7bd9bcaf245 100644 --- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml @@ -359,7 +359,7 @@ options: swarm: false - option: vex-author value_type: stringSlice - default_value: '[]' + default_value: '[<.*@docker.com>]' description: List of VEX statement authors to accept deprecated: false hidden: false diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_quickview.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_quickview.yaml index 4810146b37a4..1ff9869c5a32 100644 --- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_quickview.yaml +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_quickview.yaml 
@@ -147,7 +147,7 @@ options: swarm: false - option: vex-author value_type: stringSlice - default_value: '[]' + default_value: '[<.*@docker.com>]' description: List of VEX statement authors to accept deprecated: false hidden: false diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex.yaml new file mode 100644 index 000000000000..f6e9444a50d7 --- /dev/null +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex.yaml @@ -0,0 +1,37 @@ +command: docker scout vex +aliases: docker scout vex, docker scout vex +short: Manage VEX attestations on images +long: Manage VEX attestations on images +pname: docker scout +plink: docker_scout.yaml +cname: + - docker scout vex get +clink: + - docker_scout_vex_get.yaml +inherited_options: + - option: debug + value_type: bool + default_value: "false" + description: Debug messages + deprecated: false + hidden: true + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: verbose-debug + value_type: bool + default_value: "false" + description: Verbose debug + deprecated: false + hidden: true + experimental: false + experimentalcli: false + kubernetes: false + swarm: false +deprecated: false +experimental: false +experimentalcli: true +kubernetes: false +swarm: false + diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex_get.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex_get.yaml new file mode 100644 index 000000000000..0578806662e1 --- /dev/null +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_vex_get.yaml 
@@ -0,0 +1,103 @@ +command: docker scout vex get +short: Get VEX attestation for image +long: The docker scout vex get command gets a VEX attestation for images. +usage: docker scout vex get OPTIONS IMAGE +pname: docker scout vex +plink: docker_scout_vex.yaml +options: + - option: key + value_type: string + default_value: https://registry.scout.docker.com/keyring/dhi/latest.pub + description: Signature key to use for verification + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: org + value_type: string + description: Namespace of the Docker organization + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: output + shorthand: o + value_type: string + description: Write the report to a file + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: platform + value_type: string + description: Platform of image to analyze + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: ref + value_type: string + description: |- + Reference to use if the provided tarball contains multiple references. 
+ Can only be used with archive + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: skip-tlog + value_type: bool + default_value: "false" + description: Skip signature verification against public transaction log + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: verify + value_type: bool + default_value: "false" + description: Verify the signature on the attestation + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false +inherited_options: + - option: debug + value_type: bool + default_value: "false" + description: Debug messages + deprecated: false + hidden: true + experimental: false + experimentalcli: false + kubernetes: false + swarm: false + - option: verbose-debug + value_type: bool + default_value: "false" + description: Verbose debug + deprecated: false + hidden: true + experimental: false + experimentalcli: false + kubernetes: false + swarm: false +deprecated: false +experimental: false +experimentalcli: true +kubernetes: false +swarm: false + diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_watch.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_watch.yaml index 30b6dbef4718..2d5368c5105a 100644 --- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_watch.yaml +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_watch.yaml @@ -1,9 +1,8 @@ command: docker scout watch short: | Watch repositories in a registry and push images and indexes to Docker Scout (experimental) -long: |- - The `docker scout watch` command watches repositories in a registry - and pushes images or analysis results to Docker Scout. +long: | + The docker scout watch command watches repositories in a registry and pushes images or image indexes to Docker Scout. usage: docker scout watch pname: docker scout plink: docker_scout.yaml 
@@ -129,30 +128,7 @@ inherited_options: experimentalcli: false kubernetes: false swarm: false -examples: |- - ### Watch for new images from two repositories and push them - - ```console - $ docker scout watch --org my-org --repository registry-1.example.com/repo-1 --repository registry-2.example.com/repo-2 - ``` - - ### Only push images with a specific tag - - ```console - $ docker scout watch --org my-org --repository registry.example.com/my-service --tag latest - ``` - - ### Watch all repositories of a registry - - ```console - $ docker scout watch --org my-org --registry registry.example.com - ``` - - ### Push all images and not just the new ones - - ```console - $ docker scout watch--org my-org --repository registry.example.com/my-service --all-images - ``` +examples: " Watch for new images from two repositories and push them\n $ docker scout watch --org my-org --repository registry-1.example.com/repo-1 --repository registry-2.example.com/repo-2\e[0m\n\n Only push images with a specific tag\n $ docker scout watch --org my-org --repository registry.example.com/my-service --tag latest\e[0m\n\n Watch all repositories of a registry\n $ docker scout watch --org my-org --registry registry.example.com\e[0m\n\n Push all images and not just the new ones\n $ docker scout watch --org my-org --repository registry.example.com/my-service --all-images\e[0m" deprecated: false experimental: false experimentalcli: true diff --git a/_vendor/github.com/docker/scout-cli/docs/scout.md b/_vendor/github.com/docker/scout-cli/docs/scout.md index aeac72b4c6d1..8b9b9e25f974 100644 --- a/_vendor/github.com/docker/scout-cli/docs/scout.md +++ b/_vendor/github.com/docker/scout-cli/docs/scout.md 
@@ -11,7 +11,7 @@ Command line tool for Docker Scout | Name | Description | |:--------------------------------------------------------------|:--------------------------------------------------------------------------------------------| -| [`attestation`](scout_attestation.md) | Manage attestations on image indexes | +| [`attestation`](scout_attestation.md) | Manage attestations on images | | [`cache`](scout_cache.md) | Manage Docker Scout cache and temporary files | | [`compare`](scout_compare.md) | Compare two images and display differences (experimental) | | [`config`](scout_config.md) | Manage Docker Scout configuration | @@ -29,6 +29,7 @@ Command line tool for Docker Scout | [`sbom`](scout_sbom.md) | Generate or display SBOM of an image | | [`stream`](scout_stream.md) | Manage streams (experimental) | | [`version`](scout_version.md) | Show Docker Scout version information | +| [`vex`](scout_vex.md) | Manage VEX attestations on images | | [`watch`](scout_watch.md) | Watch repositories in a registry and push images and indexes to Docker Scout (experimental) | diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_attestation.md b/_vendor/github.com/docker/scout-cli/docs/scout_attestation.md index d4f6bc58277e..dc32a6b306ce 100644 --- a/_vendor/github.com/docker/scout-cli/docs/scout_attestation.md +++ b/_vendor/github.com/docker/scout-cli/docs/scout_attestation.md @@ -1,7 +1,7 @@ # docker scout attestation -Manage attestations on image indexes +Manage attestations on images ### Aliases 
@@ -9,9 +9,11 @@ Manage attestations on image indexes ### Subcommands -| Name | Description | -|:----------------------------------|:-------------------------| -| [`add`](scout_attestation_add.md) | Add attestation to image | +| Name | Description | +|:------------------------------------|:----------------------------| +| [`add`](scout_attestation_add.md) | Add attestation to image | +| [`get`](scout_attestation_get.md) | Get attestation for image | +| [`list`](scout_attestation_list.md) | List attestations for image | diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_attestation_get.md b/_vendor/github.com/docker/scout-cli/docs/scout_attestation_get.md new file mode 100644 index 000000000000..0c98a6b0233b --- /dev/null +++ b/_vendor/github.com/docker/scout-cli/docs/scout_attestation_get.md @@ -0,0 +1,26 @@ +# docker scout attestation get + + +Get attestation for image + +### Aliases + +`docker scout attestation get`, `docker scout attest get` + +### Options + +| Name | Type | Default | Description | +|:-------------------|:---------|:-----------------------------------------------------------|:--------------------------------------------------------------------------------------------------------| +| `--key` | `string` | `https://registry.scout.docker.com/keyring/dhi/latest.pub` | Signature key to use for verification | +| `--org` | `string` | | Namespace of the Docker organization | +| `-o`, `--output` | `string` | | Write the report to a file | +| `--platform` | `string` | | Platform of image to analyze | +| `--predicate` | | | Get in-toto predicate only dropping the subject | +| `--predicate-type` | `string` | | Predicate-type for attestation | +| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive | +| `--skip-tlog` | | | Skip signature verification against public transaction log | +| `--verify` | | | Verify the signature on the attestation | + + + + diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_attestation_list.md b/_vendor/github.com/docker/scout-cli/docs/scout_attestation_list.md new file mode 100644 index 000000000000..06b33e172a39 --- /dev/null +++ b/_vendor/github.com/docker/scout-cli/docs/scout_attestation_list.md @@ -0,0 +1,23 @@ +# docker scout attestation list + + +List attestations for image + +### Aliases + +`docker scout attestation list`, `docker scout attest list` + +### Options + +| Name | Type | Default | Description | +|:-------------------|:---------|:--------|:------------------------------------------------------------------------------------------------------------------------------------| +| `--format` | `string` | `list` | Output format:
- list: list of attestations of the image
- json: json representation of the attestation list (default "json") | +| `--org` | `string` | | Namespace of the Docker organization | +| `-o`, `--output` | `string` | | Write the report to a file | +| `--platform` | `string` | | Platform of image to analyze | +| `--predicate-type` | `string` | | Predicate-type for attestations | +| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive | + + + + diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_compare.md b/_vendor/github.com/docker/scout-cli/docs/scout_compare.md index 569dab660df6..0461896b92f3 100644 --- a/_vendor/github.com/docker/scout-cli/docs/scout_compare.md +++ b/_vendor/github.com/docker/scout-cli/docs/scout_compare.md @@ -9,28 +9,32 @@ Compare two images and display differences (experimental) ### Options -| Name | Type | Default | Description | -|:----------------------|:--------------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `-x`, `--exit-on` | `stringSlice` | | Comma separated list of conditions to fail the action step if worse or changed, options are: vulnerability, policy, package | -| `--format` | `string` | `text` | Output format of the generated vulnerability report:
- text: default output, plain text with or without colors depending on the terminal
- markdown: Markdown output
| -| `--hide-policies` | | | Hide policy status from the output | -| `--ignore-base` | | | Filter out CVEs introduced from base image | -| `--ignore-unchanged` | | | Filter out unchanged packages | -| `--multi-stage` | | | Show packages from multi-stage Docker builds | -| `--only-fixed` | | | Filter to fixable CVEs | -| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) | -| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate | -| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by | -| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names | -| `--only-unfixed` | | | Filter to unfixed CVEs | -| `--org` | `string` | | Namespace of the Docker organization | -| `-o`, `--output` | `string` | | Write the report to a file | -| `--platform` | `string` | | Platform of image to analyze | -| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive | -| `--to` | `string` | | Image, directory, or archive to compare to | -| `--to-env` | `string` | | Name of environment to compare to | -| `--to-latest` | | | Latest image processed to compare to | -| `--to-ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive. | +| Name | Type | Default | Description | +|:----------------------|:--------------|:--------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `-x`, `--exit-on` | `stringSlice` | | Comma separated list of conditions to fail the action step if worse or changed, options are: vulnerability, policy, package | +| `--format` | `string` | `text` | Output format of the generated vulnerability report:
- text: default output, plain text with or without colors depending on the terminal
- markdown: Markdown output
| +| `--hide-policies` | | | Hide policy status from the output | +| `--ignore-base` | | | Filter out CVEs introduced from base image | +| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope | +| `--ignore-unchanged` | | | Filter out unchanged packages | +| `--multi-stage` | | | Show packages from multi-stage Docker builds | +| `--only-fixed` | | | Filter to fixable CVEs | +| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) | +| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate | +| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by | +| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names | +| `--only-unfixed` | | | Filter to unfixed CVEs | +| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected | +| `--org` | `string` | | Namespace of the Docker organization | +| `-o`, `--output` | `string` | | Write the report to a file | +| `--platform` | `string` | | Platform of image to analyze | +| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive | +| `--to` | `string` | | Image, directory, or archive to compare to | +| `--to-env` | `string` | | Name of environment to compare to | +| `--to-latest` | | | Latest image processed to compare to | +| `--to-ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive. | +| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept | +| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements | diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_cves.md b/_vendor/github.com/docker/scout-cli/docs/scout_cves.md index bdb7f82921d0..e6fd689c1ed3 100644 --- a/_vendor/github.com/docker/scout-cli/docs/scout_cves.md +++ b/_vendor/github.com/docker/scout-cli/docs/scout_cves.md @@ -9,37 +9,37 @@ Display CVEs identified in a software artifact ### Options -| Name | Type | Default | Description | -|:-----------------------|:--------------|:-----------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `--details` | | | Print details on default text output | -| `--env` | `string` | | Name of environment | -| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score | -| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) | -| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) | -| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected | -| `--format` | `string` | `packages` | Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
| -| `--ignore-base` | | | Filter out CVEs introduced from base image | -| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope | -| `--locations` | | | Print package locations including file paths and layer diff_id | -| `--multi-stage` | | | Show packages from multi-stage Docker builds | -| `--only-base` | | | Only show CVEs introduced by the base image | -| `--only-cisa-kev` | | | Filter to CVEs listed in the CISA KEV catalog | -| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for | -| `--only-fixed` | | | Filter to fixable CVEs | -| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by | -| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by | -| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) | -| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by | -| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names | -| `--only-unfixed` | | | Filter to unfixed CVEs | -| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected | -| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities | -| `--org` | `string` | | Namespace of the Docker organization | -| `-o`, `--output` | `string` | | Write the report to a file | -| `--platform` | `string` | | Platform of image to analyze | -| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
-| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
-| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
+| Name | Type | Default | Description |
+|:-----------------------|:--------------|:--------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `--details` | | | Print details on default text output |
+| `--env` | `string` | | Name of environment |
+| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
+| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
+| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
+| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
+| `--format` | `string` | `packages` | Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
|
+| `--ignore-base` | | | Filter out CVEs introduced from base image |
+| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
+| `--locations` | | | Print package locations including file paths and layer diff_id |
+| `--multi-stage` | | | Show packages from multi-stage Docker builds |
+| `--only-base` | | | Only show CVEs introduced by the base image |
+| `--only-cisa-kev` | | | Filter to CVEs listed in the CISA KEV catalog |
+| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
+| `--only-fixed` | | | Filter to fixable CVEs |
+| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
+| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
+| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
+| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
+| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
+| `--only-unfixed` | | | Filter to unfixed CVEs |
+| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
+| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
+| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_quickview.md b/_vendor/github.com/docker/scout-cli/docs/scout_quickview.md
index 3bf752a0cf9b..b7e139d93811 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_quickview.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_quickview.md
@@ -9,19 +9,19 @@ Quick overview of an image
 ### Options
-| Name | Type | Default | Description |
-|:----------------------|:--------------|:--------|:--------------------------------------------------------------------------------------------------------|
-| `--env` | `string` | | Name of the environment |
-| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
-| `--latest` | | | Latest indexed image |
-| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
-| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
-| `--org` | `string` | | Namespace of the Docker organization |
-| `-o`, `--output` | `string` | | Write the report to a file |
-| `--platform` | `string` | | Platform of image to analyze |
-| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
-| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
-| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
+| Name | Type | Default | Description |
+|:----------------------|:--------------|:--------------------|:--------------------------------------------------------------------------------------------------------|
+| `--env` | `string` | | Name of the environment |
+| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
+| `--latest` | | | Latest indexed image |
+| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
+| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
+| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_vex.md b/_vendor/github.com/docker/scout-cli/docs/scout_vex.md
new file mode 100644
index 000000000000..4ac3db0726bf
--- /dev/null
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_vex.md
@@ -0,0 +1,19 @@
+# docker scout vex
+
+
+Manage VEX attestations on images
+
+### Aliases
+
+`docker scout vex`, `docker scout vex`
+
+### Subcommands
+
+| Name | Description |
+|:--------------------------|:------------------------------|
+| [`get`](scout_vex_get.md) | Get VEX attestation for image |
+
+
+
+
+
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_vex_get.md b/_vendor/github.com/docker/scout-cli/docs/scout_vex_get.md
new file mode 100644
index 000000000000..b7c9623dd7e3
--- /dev/null
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_vex_get.md
@@ -0,0 +1,20 @@
+# docker scout vex get
+
+
+Get VEX attestation for image
+
+### Options
+
+| Name | Type | Default | Description |
+|:-----------------|:---------|:-----------------------------------------------------------|:--------------------------------------------------------------------------------------------------------|
+| `--key` | `string` | `https://registry.scout.docker.com/keyring/dhi/latest.pub` | Signature key to use for verification |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--skip-tlog` | | | Skip signature verification against public transaction log |
+| `--verify` | | | Verify the signature on the attestation |
+
+
+
+
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_watch.md b/_vendor/github.com/docker/scout-cli/docs/scout_watch.md
index 2444ce3c430a..6fb14a197b96 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_watch.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_watch.md
@@ -49,5 +49,74 @@ $ docker scout watch --org my-org --registry registry.example.com
 ### Push all images and not just the new ones
 ```console
-$ docker scout watch--org my-org --repository registry.example.com/my-service --all-images
+$ docker scout watch --org my-org --repository registry.example.com/my-service --all-images
 ```
+
+### Configure Artifactory integration
+
+The following example creates a web hook endpoint for Artifactory to push new
+image events into:
+
+```console
+$ export DOCKER_SCOUT_ARTIFACTORY_API_USER=user
+$ export DOCKER_SCOUT_ARTIFACTORY_API_PASSWORD=password
+$ export DOCKER_SCOUT_ARTIFACTORY_WEBHOOK_SECRET=foo
+
+$ docker scout watch --registry "type=artifactory,registry=example.jfrog.io,api=https://example.jfrog.io/artifactory,include=*/frontend*,exclude=*/dta/*,repository=docker-local,port=9000,subdomain-mode=true" --refresh-registry
+```
+
+This will launch an HTTP server on port `9000` that will receive all `component` web
+hook events, optionally validating the HMAC signature.
+
+### Configure Harbor integration
+
+The following example creates a web hook endpoint for Harbor to push new image
+events into:
+
+```console
+$ export DOCKER_SCOUT_HARBOR_API_USER=admin
+$ export DOCKER_SCOUT_HARBOR_API_PASSWORD=password
+$ export DOCKER_SCOUT_HARBOR_WEBHOOK_AUTH="token foo"
+
+$ docker scout watch --registry 'type=harbor,registry=demo.goharbor.io,api=https://demo.goharbor.io,include=*/foo/*,exclude=*/bar/*,port=9000' --refresh-registry
+```
+
+This will launch an HTTP server on port `9000` that will receive all `component` web
+hook events, optionally validating the HMAC signature.
+
+### Configure Nexus integration
+
+The following example shows how to configure Sonartype Nexus integration:
+
+```console
+$ export DOCKER_SCOUT_NEXUS_API_USER=admin
+$ export DOCKER_SCOUT_NEXUS_API_PASSWORD=admin124
+
+$ docker scout watch --registry 'type=nexus,registry=localhost:8082,api=http://localhost:8081,include=*/foo/*,exclude=*/bar/*,"repository=docker-test1,docker-test2"' --refresh-registry
+```
+
+This ingests all images and tags in Nexus repositories called `docker-test1`
+and `docker-test2` that match the `*/foo/*` include and `*/bar/*` exclude glob
+pattern.
+
+You can also create a web hook endpoint for Nexus to push new image events into:
+
+```console
+$ export DOCKER_SCOUT_NEXUS_API_USER=admin
+$ export DOCKER_SCOUT_NEXUS_API_PASSWORD=admin124
+$ export DOCKER_SCOUT_NEXUS_WEBHOOK_SECRET=mysecret
+
+$ docker scout watch --registry 'type=nexus,registry=localhost:8082,api=http://localhost:8081,include=*/foo/*,exclude=*/bar/*,"repository=docker-test1,docker-test2",port=9000' --refresh-registry
+```
+
+This will launch an HTTP server on port `9000` that will receive all `component` web
+hook events, optionally validating the HMAC signature.
+
+## Configure integration for other OCI registries
+
+The following example shows how to integrate an OCI registry that implements the
+`_catalog` endpoint:
+
+```console
+$ docker scout watch --registry 'type=oci,registry=registry.example.com,include=*/scout-artifact-registry/*'
+```
\ No newline at end of file
diff --git a/_vendor/modules.txt b/_vendor/modules.txt
index becb4adff7a4..e48772ab3464 100644
--- a/_vendor/modules.txt
+++ b/_vendor/modules.txt
@@ -5,4 +5,4 @@
 # github.com/docker/compose/v2 v2.39.4
 # github.com/docker/model-cli v0.1.41
 # github.com/docker/mcp-gateway v0.13.1-0.20250730013131-e08a3be84765
-# github.com/docker/scout-cli v1.18.1
+# github.com/docker/scout-cli v1.18.4
diff --git a/content/manuals/scout/release-notes/cli.md b/content/manuals/scout/release-notes/cli.md
index 9e3369add11c..58829b3cbdd2 100644
--- a/content/manuals/scout/release-notes/cli.md
+++ b/content/manuals/scout/release-notes/cli.md
@@ -9,6 +9,14 @@ This page contains information about the new features, improvements, known issues, and bug fixes in the Docker Scout [CLI plugin](https://github.com/docker/scout-cli/) and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-action).
+## 1.18.4
+
+{{< release-date date="2025-10-02" >}}
+
+### Bug fixes
+
+- VEX and SPDX fixes.
+
 ## 1.18.3
 {{< release-date date="2025-08-13" >}}
diff --git a/content/reference/cli/docker/scout/attestation/get.md b/content/reference/cli/docker/scout/attestation/get.md
new file mode 100644
index 000000000000..9fc3e4b6c866
--- /dev/null
+++ b/content/reference/cli/docker/scout/attestation/get.md
@@ -0,0 +1,14 @@
+---
+datafolder: scout-cli
+datafile: docker_scout_attestation_get
+title: docker scout attestation get
+layout: cli
+---
+
+
\ No newline at end of file
diff --git a/content/reference/cli/docker/scout/attestation/list.md b/content/reference/cli/docker/scout/attestation/list.md
new file mode 100644
index 000000000000..a7deeadf5adb
--- /dev/null
+++ b/content/reference/cli/docker/scout/attestation/list.md
@@ -0,0 +1,14 @@
+---
+datafolder: scout-cli
+datafile: docker_scout_attestation_list
+title: docker scout attestation list
+layout: cli
+---
+
+
\ No newline at end of file
diff --git a/content/reference/cli/docker/scout/vex/_index.md b/content/reference/cli/docker/scout/vex/_index.md
new file mode 100644
index 000000000000..329dedcddf2f
--- /dev/null
+++ b/content/reference/cli/docker/scout/vex/_index.md
@@ -0,0 +1,14 @@
+---
+datafolder: scout-cli
+datafile: docker_scout_vex
+title: docker scout vex
+layout: cli
+---
+
+
\ No newline at end of file
diff --git a/content/reference/cli/docker/scout/vex/get.md b/content/reference/cli/docker/scout/vex/get.md
new file mode 100644
index 000000000000..8fcb66b633fd
--- /dev/null
+++ b/content/reference/cli/docker/scout/vex/get.md
@@ -0,0 +1,14 @@
+---
+datafolder: scout-cli
+datafile: docker_scout_vex_get
+title: docker scout vex get
+layout: cli
+---
+
+
\ No newline at end of file
diff --git a/go.mod b/go.mod
index 63c74a06153f..d86541e30fef 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
 github.com/docker/model-cli v0.1.41 // indirect
 github.com/docker/model-distribution v0.0.0-20250918153037-7d9fc7b72b57 // indirect
 github.com/docker/model-runner v0.0.0-20250911130340-38bb0171c947 // indirect
- github.com/docker/scout-cli v1.18.1 // indirect
+ github.com/docker/scout-cli v1.18.4 // indirect
 github.com/elastic/go-sysinfo v1.15.3 // indirect
 github.com/elastic/go-windows v1.0.2 // indirect
 github.com/fatih/color v1.18.0 // indirect
@@ -114,7 +114,7 @@ replace (
 github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.39.4
 github.com/docker/docker => github.com/docker/docker v28.4.0+incompatible
 github.com/docker/model-cli => github.com/docker/model-cli v0.1.41
- github.com/docker/scout-cli => github.com/docker/scout-cli v1.18.1
+ github.com/docker/scout-cli => github.com/docker/scout-cli v1.18.4
 github.com/moby/buildkit => github.com/moby/buildkit v0.25.0
 github.com/moby/moby => github.com/moby/moby v28.4.0+incompatible
 )
diff --git a/go.sum b/go.sum
index 9830bd95b711..6fa87b90ee6a 100644
--- a/go.sum
+++ b/go.sum
@@ -142,6 +142,8 @@ github.com/docker/scout-cli v1.15.0 h1:VhA9niVftEyZ9f5KGwKnrSfQOp2X3uIU3VbE/gTVM
 github.com/docker/scout-cli v1.15.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
 github.com/docker/scout-cli v1.18.1 h1:snFodhV6xFJryxdUZ0ukPZFZZFnWAGLUuuPZGB3BOK8=
 github.com/docker/scout-cli v1.18.1/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
+github.com/docker/scout-cli v1.18.4 h1:Td+SSA55WlD7gmrNaBe0imgfVzzQjlfb/prwBn9GOSw=
+github.com/docker/scout-cli v1.18.4/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
 github.com/elastic/go-sysinfo v1.15.3 h1:W+RnmhKFkqPTCRoFq2VCTmsT4p/fwpo+3gKNQsn1XU0=
 github.com/elastic/go-sysinfo v1.15.3/go.mod h1:K/cNrqYTDrSoMh2oDkYEMS2+a72GRxMvNP+GC+vRIlo=
 github.com/elastic/go-windows v1.0.2 h1:yoLLsAsV5cfg9FLhZ9EXZ2n2sQFKeDYrHenkcivY4vI=