Releases: docker/scout-cli
v1.5.0
Highlights
- Cache SBOM and attestations using the image index digest if it exists
- Add file hashes/digest when generating SBOMs
- Upgrade syft to 0.105.0
- Process OpenVEX document before attaching to image to move subcomponents into product, product into subject
- Support local attestations from a containerd image store or OCI export
Bug fixes / Improvements
- fix reading SBOM for gcr.io/distroless images
- read distribution in SBOM from attestations
- fix docker scout push with an image reference containing a prefix like registry://
v1.4.1
These notes include changes that are part of v1.4.0
Highlights
- Update dependencies to address Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
- Add initial VEX document to document false positive CVE-2020-8911 and CVE-2020-8912
- Support cosign SBOM attestations
- Support for VEX in-toto attestations
Bug fixes / Improvements
- Fix order and case of details column headers in the policy deviation details tables
- Fix platform detection when an image index contains linux/arm64/v8 but the local platform is only linux/arm64
- Fix display of the base image in case the base image is not indexed by docker scout but defined in the provenance attestation (for private or non Docker Trusted Content base images)
  Affects quickview and recommendations commands
- Fix panic when an SBOM contains no packages
  Especially when using docker scout to analyse local file system, for instance using docker scout cves fs://.
- Bump Syft to 0.103.1 to fix golang Purl with subpath
- Add support for subpaths in PURLs
  For instance an image containing both packages github.com/gofiber/template and github.com/gofiber/template/django/v3, previously the two packages were visible under the same github.com/gofiber/template name. Now both of them are correctly identified
- Remove query strings from title in rendered hyperlinks
v1.3.0
- Update syft to v0.100.0
- Support in-toto envelope layer in attestations
- Improve display of policy results in case of a boolean policy
  See for instance with a policy to ensure nonroot user is defined in the image:
v1.2.2
v1.2.1
v1.2.0
What's Changed
- Display configurable policy names by @felipecruz91
- Add support for writing SPDX and CycloneDX to file by @cdupuis
- Support ACR in docker scout repo commands by @velll
- Docs cli reference refresh by @dvdksn
v1.0.9
Merge pull request #65 from docker/v1.0.9 Publish v1.0.9 release
v1.0.8
v1.0.7
v1.0.6