
Releases: docker/scout-action

v1.13.0

05 Aug 21:40
e71a6e5

Highlights

  • Add --only-policy filter option to quickview, policy and compare commands.
  • Add --ignore-suppressed filter option to cves and quickview commands to filter out CVEs affected by Scout suppressions.

Bug Fixes / Improvements

  • Use the conditional policy name in checks.
  • Enable detection of the Golang main module via ldflags.

Contributors

@cdupuis @LaurentGoderre @chrispatrick @felipecruz91

v1.12.0

31 Jul 07:57
d4597e4

Highlights

  • Only display vulnerabilities from the base image:

    uses: docker/scout-action@v1
    with:
      command: cves
      image: [IMAGE]
      only-base: true
  • Account for VEX in quickview command.

    uses: docker/scout-action@v1
    with:
      command: quickview
      image: [IMAGE]
      only-vex-affected: true
      vex-location: ./path/to/my.vex.json
  • Account for VEX in cves command (GitHub Actions).

    uses: docker/scout-action@v1
    with:
      command: cves
      image: [IMAGE]
      only-vex-affected: true
      vex-location: ./path/to/my.vex.json

Bug Fixes / Improvements

  • Update github.com/docker/docker to v26.1.5+incompatible to fix CVE-2024-41110.
  • Update syft to 1.10.0.

Contributors

@cdupuis @LaurentGoderre @felipecruz91

v1.11.0

24 Jul 08:22
c854600

Highlights

  • Filter CVEs listed in the CISA Known Exploited Vulnerabilities catalog.
    uses: docker/scout-action@v1
    with:
      command: cves
      image: [IMAGE]
      only-cisa-kev: true

Bug Fixes / Improvements

  • Allow VEX matching when the statement has no subcomponents.
  • Fix panic when attaching an invalid VEX document.
  • Fix SPDX document root.
  • Fix base image detection when image uses SCRATCH as the base image.

Contributors

@cdupuis @LaurentGoderre @felipecruz91

v1.10.0

26 Jun 08:53
fc74943

Bug Fixes / Improvements

  • Fix parsing of image references in SPDX statements for images with a digest.
  • Support the sbom:// prefix for image comparison (fixes #43).
    uses: docker/scout-action@v1
    with:
      command: compare
      image: sbom://image1.json
      to: sbom://image2.json

Contributors

@cdupuis @LaurentGoderre @mcapell @eunomie @chrispatrick @rnorton5432

v1.9.3

28 May 16:08
5dae9c7

Bug Fixes

  • Fix a panic while retrieving a cached SBOM.

Contributor

@cdupuis

v1.9.1

27 May 13:46
b0c66a3

General bug fixes and performance improvements

Support single-arch images for the attestation-add command.

Contributors

@cdupuis @LaurentGoderre @eunomie @laurazard

v1.8.0

25 Apr 16:16
cc6a9c0

Highlights

  • Add new attestation-add command to GHA.
    This can be used, for instance, to attach VEX documents to images. See the documentation on how to suppress image vulnerabilities with VEX.
    uses: docker/scout-action@v1
    with:
      command: attestation-add
      image: IMAGE
      file: in-toto.vex.json
      predicate-type: https://openvex.dev/ns/v0.2.0

Bug Fixes / Improvements

  • Improve format of EPSS score and percentile.
    • Before:
      EPSS Score      : 0.000440
      EPSS Percentile : 0.092510
    • After:
      EPSS Score      : 0.04%
      EPSS Percentile : 9th percentile
  • Fix cves command when used to analyse a local file system with markdown output.

Contributors

@cdupuis @LaurentGoderre @eunomie

v1.7.0

15 Apr 16:37
f7a51f7

Highlights

  • Allow specifying the format (json, list, spdx) and an output file for the sbom command.
    uses: docker/scout-action@v1
    with:
      command: sbom
      image: alpine
      format: list
      output: alpine_package_list.txt

Bug Fixes / Improvements

  • Fix adding attestations (such as VEX statements) to a private image.
  • Fix image processing for scratch "images".
  • Add classifier for Joomla.

Contributors

@cdupuis @eunomie @chrispatrick @LaurentGoderre @pnorton5432

v1.6.4

26 Mar 19:44
c016294

Bug Fix

Fix epoch handling for rpm-based images.

Contributor(s)

@cdupuis

v1.6.3

22 Mar 08:46
77a0d18

Bug Fixes / Improvements

  • Improve package detection to ignore packages that are referenced but not installed.

Contributors

@cdupuis