v1.5.0

Highlights

• Cache SBOM and attestations using the image index digest if exists
• Add file hashes/digest when generating SBOMs
• Upgrade syft to 0.105.0
• Process OpenVEX document before attaching to image to move subcomponents into product, product into subject
• Support local attestations from a containerd image store or OCI export

Bug fixes / Improvements

• fix reading SBOM for gcr.io/distroless images
• read distribution in SBOM from attestations
• fix docker scout push with an image reference containing a prefix like registry://

v1.4.1

These notes include changes part of v1.4.0

Highlights

• Update dependencies to address Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
• Add initial VEX document to document false positive CVE-2020-8911 and CVE-2020-8912
• Support cosign SBOM attestations
• Support for VEX in-toto attestations

Bug fixes / Improvements

• Fix order and case of details column headers in the policy deviation details tables
• Fix platform detection when an image index contains linux/arm64/v8 but the local platform is only linux/arm64
• Fix display of the base image in case the base image is not indexed by docker scout but defined in the provenance attestation (for private or non Docker Trusted Content base images)
  Affects quickview and recommendations commands
• Fix panic when an SBOM contains no packages
  Especially when using docker scout to analyse local file system, for instance using docker scout cves fs://.
• Bump Syft to 0.103.1 to fix golang Purl with subpath
• Add support for subpaths in PURLs
  For instance an image containing both packages github.com/gofiber/template and github.com/gofiber/template/django/v3, previously the two packages were visible under the same github.com/gofiber/template name. Now both of them are correctly identified
• Remove query strings from title in rendered hyperlinks

v1.3.0

• Update syft to v0.100.0
• Support in-toto envelope layer in attestations
• Improve display of policy results in case of a boolean policy
  See for instance with a policy to ensure non root user is defined in the image:
  

v1.2.2

What's Changed

• Fix link rendering growing the column by @cdupuis
• No cache and docs by @cdupuis
• Add correlation headers by @cdupuis
• Allow to pass in additional SBOM catalogers by @cdupuis
• Add No Data link for SonarQube policy by @felipecruz91
• Policy fixes by @cdupuis

v1.2.1

What's Changed

• #75: Use cache dir env var for writing and reading by @cdupuis

v1.2.0

What's Changed

• Display configurable policy names by @felipecruz91
• Add support for writing SDPX and CycloneDx to file by @cdupuis
• Support ACR in docker scout repo commands by @velll
• Docs cli reference refresh by @dvdksn

v1.0.9

Merge pull request #65 from docker/v1.0.9

Publish v1.0.9 release

v1.0.8

v1.0.8

v1.0.7

v1.0.7

v1.0.6

v1.0.6