docker / scout-cli Goto Github PK

View Code? Open in Web Editor NEW

258.0 13.0 61.0 6.03 GB

Docker Scout CLI

Home Page: https://docker.com/products/docker-scout

License: Other

Shell 100.00%

docker security supply-chain-security

scout-cli's Introduction

Docker Scout
Usage
CLI Plugin Installation
Run as container
CI integration
License

Docker Scout

Docker Scout is a set of software supply chain features integrated into Docker's user interfaces and command line interface (CLI). These features offer comprehensive visibility into the structure and security of container images. This repository contains installable binaries of the docker scout CLI plugin.

Usage

The CLI documentation is available in this repository.

See the reference documentation to learn about Docker Scout including Docker Desktop and Docker Hub integrations.

Environment Variables

The following environment variables are availabe to configure the Scout CLI:

Name	Description
`DOCKER_SCOUT_CACHE_FORMAT`	Format of the local image cache; can be `oci` or `tar`
`DOCKER_SCOUT_CACHE_DIR`	Directory where the local SBOM cache is stored
`DOCKER_SCOUT_NO_CACHE`	Disable the local SBOM cache
`DOCKER_SCOUT_REGISTRY_TOKEN`	Registry Access token to authenticate when pulling images
`DOCKER_SCOUT_REGISTRY_USER`	Registry user name to authenticate when pulling images
`DOCKER_SCOUT_REGISTRY_PASSWORD`	Registry password/PAT to authenticate when pulling images
`DOCKER_SCOUT_HUB_USER`	Docker Hub user name to authenticate against the Docker Scout backend
`DOCKER_SCOUT_HUB_PASSWORD`	Docker Hub password/PAT to authenticate against the Docker Scout backend
`DOCKER_SCOUT_OFFLINE`	Offline mode during SBOM indexing
`DOCKER_SCOUT_NEW_VERSION_WARN`	Warn about new versions of the Docker Scout CLI
`DOCKER_SCOUT_EXPERIMENTAL_WARN`	Warn about experimental features
`DOCKER_SCOUT_EXPERIMENTAL_POLICY_OUTPUT`	Disable experimental policy output

CLI Plugin Installation

Docker Desktop

docker scout CLI plugin is available by default on Docker Desktop starting with version 4.17.

Manual Installation

To install it manually:

Download the docker-scout binary corresponding to your platform from the latest or other releases.
Uncompress it as
- docker-scout on Linux and macOS
- docker-scout.exe on Windows
Copy the binary to the scout directory
- $HOME/.docker/scout on Linux and macOS
- %USERPROFILE%\.docker\scout on Windows
Make it executable on Linux and macOS
- chmod +x $HOME/.docker/scout/docker-scout
Authorize the binary to be executable on macOS
- xattr -d com.apple.quarantine $HOME/.docker/scout/docker-scout
Add the scout directory to your .docker/config.json as a plugin directory
- $HOME/.docker/config.json on Linux and macOS
- %USERPROFILE%\.docker\config.json on Windows
- Add the cliPluginsExtraDirs property to the config.json file

{
	...
	"cliPluginsExtraDirs": [
		"<full path to the .docker/scout folder>"
	],
	...
}

Script Installation

To install, run the following command in your terminal:

curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --

Run as container

A container image to run the Docker Scout CLI in containerized environments is available at docker/scout-cli.

CI Integration

Docker Scout CLI can be used in CI environments. See below for the various ways to integrate the CLI into your CI pipelines.

GitHub Action

An early prototype of running the Docker Scout CLI as part of a GitHub Action workflow is available at docker/scout-action.

The following GitHub Action workflow can be used as a template to integrate Docker Scout:

name: Docker

on:
  push:
    tags: [ "*" ]
    branches:
      - 'main'
  pull_request:
    branches: [ "**" ]
    
env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: docker.io
  IMAGE_NAME: ${{ github.repository }}
  SHA: ${{ github.event.pull_request.head.sha || github.event.after }}

jobs:
  build:

    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          ref: ${{ env.SHA }}
          
      - name: Setup Docker buildx
        uses: docker/[email protected]

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/[email protected]
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/[email protected]
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.revision=${{ env.SHA }}
          tags: |
            type=edge,branch=$repo.default_branch
            type=semver,pattern=v{{version}}
            type=sha,prefix=,suffix=,format=short
      
      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/[email protected]
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      
      - name: Docker Scout
        id: docker-scout
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506
        with:
          command: cves
          image: ${{ steps.meta.outputs.tags }}
          only-severities: critical,high
          exit-code: true

GitLab

Use the following pipeline definition as a template to get Docker Scout integrated in GitLab CI:

docker-build:
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    
    # Install curl and the Docker Scout CLI
    - |
      apk add --update curl
      curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- 
      apk del curl 
      rm -rf /var/cache/apk/* 
    # Login to Docker Hub required for Docker Scout CLI
    - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin
  script:
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        tag=""
        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
      else
        tag=":$CI_COMMIT_REF_SLUG"
        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
      fi
    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
    
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        # Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
        docker scout cves "$CI_REGISTRY_IMAGE${tag}" --exit-code --only-severity critical,high    
      else
        # Compare image from branch with latest image from the default branch and fail if new critical or high CVEs are detected
        docker scout compare "$CI_REGISTRY_IMAGE${tag}" --to "$CI_REGISTRY_IMAGE:latest" --exit-code --only-severity critical,high --ignore-unchanged
      fi
    
    - docker push "$CI_REGISTRY_IMAGE${tag}"
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - Dockerfile

CircleCI

Use the following pipeline definition as a template to get Docker Scout integrated in CircleCI project:

version: 2.1

jobs:
  
  build:

    docker:
      - image: cimg/base:stable
    
    environment:
      IMAGE_TAG: docker/scout-demo-service:latest
    
    steps:
      # Checkout the repository files
      - checkout

      # Set up a separate Docker environment to run `docker` commands in
      - setup_remote_docker:
          version: 20.10.24

      # Install Docker Scout and login to Docker Hub
      - run:
          name: Install Docker Scout
          command: |
            env
            curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b /home/circleci/bin
            echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USER --password-stdin

      # Build the Docker image
      - run:
          name: Build Docker image
          command: docker build -t $IMAGE_TAG .
      
      # Run Docker Scout          
      - run:
          name: Scan image for CVEs
          command: |
            docker-scout cves $IMAGE_TAG --exit-code --only-severity critical,high

workflows:
  build-docker-image:
    jobs:
      - build

Microsoft Azure DevOps Pipelines

Use the following pipeline definition as a template to get Docker Scout integrated in Azure DevOps Pipelines:

trigger:
- main

resources:
- repo: self

variables:
  tag: '$(Build.BuildId)'
  image: 'vonwig/nodejs-service'

stages:
- stage: Build
  displayName: Build image
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: ubuntu-latest
    steps:
    - task: Docker@2
      displayName: Build an image
      inputs:
        command: build
        dockerfile: '$(Build.SourcesDirectory)/Dockerfile'
        repository: $(image)
        tags: |
          $(tag)
    - task: CmdLine@2
      displayName: Find CVEs on image
      inputs:
        script: |
          # Install the Docker Scout CLI
          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
          # Login to Docker Hub required for Docker Scout CLI
          docker login -u $(DOCKER_HUB_USER) -p $(DOCKER_HUB_PAT)
          # Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
          docker scout cves $(image):$(tag) --exit-code --only-severity critical,high

Jenkins

The following snippet can be added to a Jenkinsfile to install and analyze images:

        stage('Analyze image') {
            steps {
                // Install Docker Scout
                sh 'curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b /usr/local/bin'
                
                // Log into Docker Hub
                sh 'echo $DOCKER_HUB_PAT | docker login -u $DOCKER_HUB_USER --password-stdin'

                // Analyze and fail on critical or high vulnerabilities
                sh 'docker-scout cves $IMAGE_TAG --exit-code --only-severity critical,high'
            }
        }

This example assume two secrets to be available to authenticate against Docker Hub, called DOCKER_HUB_USER and DOCKER_HUB_PAT.

Bitbucket

Use the following pipeline definition as a template to get Docker Scout integrated in Bitbucket Pipelines:

image: docker

pipelines:
  default:
    - step:
        name: Build
        services:
          - docker
        caches:
          - docker
        script:
          - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin $CI_REGISTRY

          # Install curl and the Docker Scout CLI
          - |
            export DOCKER_BUILDKIT=0
            apk add --update curl
            curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- 
            apk del curl 
            rm -rf /var/cache/apk/* 
          # Login to Docker Hub required for Docker Scout CLI
          - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin

          - |
            export DEVELOPMENT_BRANCH="main"
            if [[ "$BITBUCKET_BRANCH" == "$DEVELOPMENT_BRANCH" ]]; then # Bitbucket uses master by default, adjust if your default branch is different
              tag=":latest"
              echo "Running on default branch '$DEVELOPMENT_BRANCH': tag = 'latest'"
            else
              tag=":$BITBUCKET_COMMIT"
              echo "Running on branch '$BITBUCKET_BRANCH': tag = $tag"
            fi
          - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .

          - |
            if [[ "$BITBUCKET_BRANCH" == "$DEVELOPMENT_BRANCH" ]]; then
              # Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
              docker scout cves "$CI_REGISTRY_IMAGE${tag}" --exit-code --only-severity critical,high    
            else
              # Compare image from branch with latest image from the default branch and fail if new critical or high CVEs are detected            
              docker scout compare "$CI_REGISTRY_IMAGE${tag}" --to "$CI_REGISTRY_IMAGE:latest" --exit-code --only-severity critical,high --ignore-unchanged
            fi
          - docker push "$CI_REGISTRY_IMAGE${tag}"

definitions:
  services:
    docker:
      memory: 2048 # Optional: Increase if needed

This example assumes two secrets to be available to authenticate against Docker Hub, called DOCKER_HUB_USER and DOCKER_HUB_PAT, also is necessary more two secrets called CI_REGISTRY, CI_REGISTRY_IMAGE about registry info.

License

The Docker Scout CLI is licensed under the Terms and Conditions of the Docker Subscription Service Agreement.

scout-cli's People

Contributors

Stargazers

Watchers

scout-cli's Issues

The markdown format is not supported

Hello Team,

I am testing with real pleasure the tool but when I tried some commands I figured out that the markdown format output doesn't seem to work on the last version.

Commands:

❯ docker scout cves --exit-code --ignore-base --only-fixed --only-severity critical,high --format sarif --output mega.sarif mega:1.5.0
    ✓ SBOM of image already cached, 282 packages indexed
    ✓ Ignoring packages and vulnerabilities from base image openjdk
    ✗ Detected 5 vulnerable packages with a total of 8 vulnerabilities
    ✓ Report written to mega.sarif

❯ docker scout cves --exit-code --ignore-base --only-fixed --only-severity critical,high --format packages --output mega.packages mega:1.5.0
    ✓ SBOM of image already cached, 282 packages indexed
    ✓ Ignoring packages and vulnerabilities from base image openjdk
    ✗ Detected 5 vulnerable packages with a total of 8 vulnerabilities
    ✓ Report written to mega.packages

❯ docker scout cves --exit-code --ignore-base --only-fixed --only-severity critical,high --format markdown --output mega.markdown mega:1.5.0

...
Learn More
  Read docker scout cli reference at https://docs.docker.com/engine/reference/commandline/scout/
ERROR   Status: please provide a valid format, Code: 1

Test version:

❯ docker scout version
version: 0.22.2 (go1.20.6 - linux/amd64)
git commit: 7e5413c2e22976e2de12c9889d2f7aa884c7fc7c

Maybe I missed something?

Ulrich

Docker Scout Completely Filling Disk Space with Temporary Files

I've recently updated my Docker Desktop and it added in Docker Scout, after a few days of normal use. My computer had filled entirely with temporary files in the AppData\Local\Temp directory. The folder was called Docker Scout. It shouldn't do that

docker scout skip not-fixed [feature request]

I would like a feature request for scout cli, where there an option to skip vulnerabilities that do not have a fix

See example below

docker scout cves python:3.11-slim
pip 23.2.1
pkg:pypi/[email protected]

    ✗ MEDIUM CVE-2023-5752 [Improper Neutralization of Special Elements used in a Command ('Command Injection')]
      https://scout.docker.com/v/CVE-2023-5752
      Affected range : <23.3                                         
      Fixed version  : 23.3                                          
      CVSS Score     : 5.5                                           
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  
...
pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

    ✗ LOW CVE-2022-27943
      https://scout.docker.com/v/CVE-2022-27943
      Affected range : >=12.2.0-14  
      Fixed version  : not fixed    
    


23 vulnerabilities found in 16 packages
  LOW       22  
  MEDIUM    1   
  HIGH      0   
  CRITICAL  0

Out of the total 23 vulnerabilities fix is available only for 1, hence command like docker scout cves --skip-nofix python:3.11-slim would be very useful

False positive when a *.deps.json file contains a dependency to a vulnerable package

Publishing a C# project as "self-contained" adds numerous dependencies in the *.deps.json file with versions that do not always represent the version in use.

For example, a C# Asp.Net project (.net 6.0) with the dependency to "System.Net.Http" version 4.3.4 creates a deps.json file where the reference is to the System.Private.Uri.dll of version "6.0.0.0", but refers to version 4.3.0 for "runtime.any.System.Runtime/4.3.0" (and others).

If you include the deps.json file in a Docker image and check that image for vulnerabilities, Docker Scout (version 1.3) detects 3 vulnerabilities for System.Private.Uri.dll version 4.3.0.
Apart from the mention in the *.deps.json file, the version would never be used. (The version of System.Private.Uri included in the release folder is version "6.0.0.0")

Please correct me if I am wrong: I think the result is a false positive.

Docker Scout version 1.2.2 and "dotnet list xxx.sln package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json" have not detected any vulnerability here.

Attached you finde an example of the deps.json file: WebApplication1.deps.json

Update: Steps to reproduce

Create an image with the WebApplication1.deps.json file:
Dockerfile:

FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
COPY WebApplication1.deps.json .

Image creation:
docker build -t testimage:latest -f .\Dockerfile .
Run docker scout cli for that image returns the System.Private.Uri.dll vulnerabilities

Unicode characters \u003e & \u003c in sarif output instead of great-than and less-than symbols

When results are exported to sarif format, greater-than and less-than symbols are in unicode.

Steps to reproduce:

Using the latest v0.24.1 version of docker-scout
Run docker-scout cves webgoat/webgoat:latest --format sarif --output test.sarif
Open test.sarif with a plaintext editor like notepad or VS Code.
Observe \u003e & \u003c in place of > & < symbols.

Redhat CVEs marked as not-fixed -- but Redhat says they are addressed?

Just trying out SCOUT -- looks like a great tool.

But when I scan an image based on Redhat 8 it finds vulnerabilities like this one -- identified as Not Fixed:

pkg:rpm/redhatlinux/openssl@1:1.1.1k-9.el8_7?os_name=redhatlinux&os_version=8

✗ HIGH CVE-2023-0286 [Access of Resource Using Incompatible Type ('Type Confusion')]
  https://dso.docker.com/cve/CVE-2023-0286
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.4
  CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

However, Redhat says it addressed the issue: with the version of the RPM we have installed:
The Redhad CVE page: https://access.redhat.com/security/cve/cve-2023-0286
Refers to https://access.redhat.com/errata/RHSA-2023:1405
Which on the update tab says that the CVE was addressed with version: openssl-1.1.1k-9.el8_7.x86_64.rpm

Which I think is the version identified in the scout output: pkg:rpm/redhatlinux/openssl@1:1.1.1k-9.el8_7?

Is there something I need to do to get updated CVE database for the scout scans?

The docker cve page: https://dso.docker.com/cve/CVE-2023-0286
Was last updated 3 months ago -- maybe that is the issue? It has not been updated with Redhat solution?

Kevin

CVE shows as High vulnerability but REDHAT says not affected?

We are running RedHat 8

The package python3-urllib3-1.24.2-5.el8.noarch is installed.

Scout is showing 3 vulnerabilities for this package:

=============
0C 1H 2M 0L urllib3 1.24.2
pkg:pypi/[email protected]

✗ HIGH CVE-2021-33503
  https://scout.docker.com/v/CVE-2021-33503
  Affected range : <1.26.5
  Fixed version  : 1.26.5

✗ MEDIUM CVE-2020-26137 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]
  https://scout.docker.com/v/CVE-2020-26137
  Affected range : <1.25.9
  Fixed version  : 1.25.9
  CVSS Score     : 6.5
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

✗ MEDIUM CVE-2019-11236 [Improper Neutralization of CRLF Sequences ('CRLF Injection')]
  https://scout.docker.com/v/CVE-2019-11236
  Affected range : <=1.24.2
  Fixed version  : 1.24.3
  CVSS Score     : 6.1
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

=================

For the first one -- https://scout.docker.com/v/CVE-2021-33503 Redhat website says the first is Not Affected

For the 2nd one https://access.redhat.com/security/cve/CVE-2020-26137
Redhat says it is addressed in the version we have installed: https://access.redhat.com/errata/RHSA-2021:1631
( if you click on updated packages it shows python-urllib3-1.24.2-5.el8.src.rpm as being updted.

For the 3rd one https://scout.docker.com/vulnerabilities/id/CVE-2019-11236
It says < <1.24.2-2.el8 is vulnerable -- we have python3-urllib3-1.24.2-5.el8.noarch which is greater -- and is the patched version.

Not sure why these are showing as vulnerabilities when we have patched version from redhat.

Could be something to do with the "version" shown in scout finding only has the point release and not the - redhat modified version that contains the backport of the fixes.

e.g SCOUT thinks we have pkg:pypi/[email protected] but we have 1.24.2-5

temporary file/cache location configurability

I'm trying to use docker scout from a Bazel test target, that gives restricted access to a user's home directory.
Thus, docker scout fails with a similar error:

ERROR   Status: failed to write sbom: open /home/user/.docker/scout/sbom/sha256/ff26ee2d81e043488707fbfb3796ff79086cd24fb6c00fb880780c3b7386c30c/sbom.json: read-only file system, Code: 1

Is there a way to reconfigure docker scout to write temporary files or cached files into a different location?
If this is not currently supported, could you provide some link to source code where this could be added (maybe I could contribute it).

Docker scout installation folder does not fit on Windows 11

Hi,

I recently noticed that the manual installation location givene here:
https://github.com/docker/scout-cli?tab=readme-ov-file#cli-plugin-installation

Does not fit for my Windows 11 x64 installation.

Location given is:

%USERPROFILE%\.docker\scout

Real location of 'docker-scout.exe' is:

C:\Program Files\Docker\cli-plugins

Actually it looks like that 'docker-scout.exe' is also available in this path.
However, this location doesn't seem to have an impact on running it from the CLI.

C:\Program Files\Docker\Docker\resources\cli-plugins

Would be great, if somebody could check this, please.

Output of Markdown format does not seem to be showing all Packages/CVEs

Hello,

I am noticing an issue when running the following command with the Docker Scout CLI wherein the markdown format does not seem to be outputting all packages/cve's being reported:

docker scout cves docker.arty-1.base.safe.com/fmeflow/fmeflow-core:devops-4448 --format markdown --output markdown.html

Attached Output:

markdown.txt

If I run the default

docker scout cves docker.arty-1.base.safe.com/fmeflow/fmeflow-core:devops-4448 --output packages.txt

Attached Output:

packages.txt

Or alternatively an output of the Sarif format I do see all the CVE's:

docker scout cves docker.arty-1.base.safe.com/fmeflow/fmeflow-core:devops-4448 --format sarif --output test.sarif.json

Attached Output:

test.sarif.json

I am running these commands with

Docker Scout Version: v1.0.9 (go1.21.3 - windows/amd64)
Git Commit: 8bf95bf60d084af341f70e8263342f71b0a3cd16

On Windows 11 (23H2)

Thank you

Docker scout ignores --force flag

Reproducible in 1.0.7 and 1.0.9 on Windows 11

docker scout cache prune --force
    ! New version 1.0.9 available (installed version is 1.0.7) at https://github.com/docker/scout-cli
? Are you sure to delete all temporary data? (y/N)

D:\docker-scout.exe cache prune --force
? Are you sure to delete all temporary data? (y/N)

Add command prune for purge the images in the cache

docker scout prune

Frees up disk space of images that docker scout saves in the cache for vulnerability analysis

➜ Remove-Item -Force -Recurse "~\AppData\Local\Temp\docker-scout\sha256"

ERROR Status: could not get repositories for org <org_name>: could not list skills: failed to list integration configurations: 403 403 Forbidden, CodEe: 1

Segfault for 1.0.9

Reproduce (segfault in 1.0.9, no error in 1.0.8):

mkdir -p $HOME/.docker/cli-plugins
wget -q -O/tmp/scout.tgz https://github.com/docker/scout-cli/releases/download/v1.0.9/docker-scout_1.0.9_linux_amd64.tar.gz
tar xvzf /tmp/scout.tgz -C $HOME/.docker/cli-plugins/ docker-scout
echo ${{ secrets.DOCKER_PAT }} | docker login -u ${{ secrets.DOCKER_USER }} --password-stdin
git clone --depth=1 --branch=master [email protected]:thbley/php_frameworkless.git
cd php_frameworkless/
docker scout cves -e --locations fs://.
    ✓ File system read
    ✓ Indexed 70 packages
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1c2c561]

goroutine 1 [running]:
github.com/docker/scout-cli-plugin/internal/dso.(*DSO).VexStatements(0xc0002903c0, {0x2b83758, 0xc000f421e0}, 0xc00077c840)
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/dso/dso.go:85 +0x41
github.com/docker/scout-cli-plugin/cves.(*Lister).FromSBOM(0xc00034c7f0, {0x2b83758, 0xc000f421e0}, _, {{0x3d4fe20, 0x0, 0x0}, {0x3d4fe20, 0x0, 0x0}, ...})
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/cves/cves.go:76 +0xfc
github.com/docker/scout-cli-plugin/internal/commands/cves.NewCmd.func2(0xc000005800?, {0xc000a0ac60?, 0x1?, 0x3?})
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/commands/cves/cves.go:231 +0xb18
github.com/spf13/cobra.(*Command).execute(0xc000005800, {0xc00071e660, 0x3, 0x3})
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:940 +0x87c
github.com/spf13/cobra.(*Command).ExecuteC(0xc000a18300)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
github.com/docker/cli/cli-plugins/plugin.RunPlugin(0x970c49?, 0xc000004c00, {{0x215dc84, 0x5}, {0x21870ff, 0xb}, {0xc0008e72d4, 0x6}, {0x2193e8f, 0xc}, ...})
        /home/runner/go/pkg/mod/github.com/docker/[email protected]+incompatible/cli-plugins/plugin/plugin.go:51 +0x12a
main.runPlugin(0x220e72d?)
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/docker-scout/main.go:29 +0x14c
main.main()
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/docker-scout/main.go:53 +0x118

env:

cat /etc/issue
Ubuntu 22.04.3 LTS

uname -a
Linux tb 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct  6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

docker plugin configuration in the readme is not a proper json

the readme states to modify the .docker/config.json like this

{
	...
	"cliPluginsExtraDirs": [
		<full path to the .docker/scout folder>
	],
	...
}

but this is not a valid json.
this makes docker fail with

cannot unmarshal array into Go struct field File.plugins of type map[string]string
/Users/myname/.docker/config.json: json: cannot unmarshal array into Go struct field ConfigFile.plugins of type map[string]string

SPDX output into the file

OS: Sonoma 14.1
Model: M2
Scout Version:

version: v1.0.9 (go1.21.3 - darwin/arm64)
git commit: 8bf95bf60d084af341f70e8263342f71b0a3cd16

Any direct output into the file of --format spdx results in a panic error.

Examples:

With CVES

docker scout cves busybox:latest --format spdx --output ./any.spdx.json
    ✓ SBOM of image already cached, 0 packages indexed
    ✓ No vulnerable package detected
panic: implement me

goroutine 1 [running]:
github.com/docker/scout-cli-plugin/internal/format/sbom/spdx.(*SPDX).WriteToFile(0x16f8075d1?, {0x4?, 0x101d5b4e0?}, {0x15?, 0x0?}, 0x0?, 0x103d2a980?)
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/format/sbom/spdx/spdx.go:49 +0x2c
github.com/docker/scout-cli-plugin/internal/commands/cves.NewCmd.func2(0x14000bacc00?, {0x1400089bea0?, 0x1?, 0x5?})
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/commands/cves/cves.go:253 +0xa90
github.com/spf13/cobra.(*Command).execute(0x14000bacc00, {0x14000bbe4f0, 0x5, 0x5})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:940 +0x658
github.com/spf13/cobra.(*Command).ExecuteC(0x14000beb500)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x320
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
github.com/docker/cli/cli-plugins/plugin.RunPlugin(0x102bcfbc0?, 0x14000bac300, {{0x101ceeaa3, 0x5}, {0x101d17dc9, 0xb}, {0x140007957c4, 0x6}, {0x101d24b01, 0xc}, ...})
	/home/runner/go/pkg/mod/github.com/docker/[email protected]+incompatible/cli-plugins/plugin/plugin.go:51 +0x13c
main.runPlugin(0x101d9f187?)
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/docker-scout/main.go:29 +0x10c
main.main()
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/docker-scout/main.go:53 +0x130

With SBOM

docker scout sbom busybox:latest --format spdx --output ./any.spdx.json
{"level":"info","msg":"SBOM of image already cached, 0 packages indexed\n","time":"2023-11-21T16:40:31+01:00"}
panic: implement me

goroutine 1 [running]:
github.com/docker/scout-cli-plugin/internal/format/sbom/spdx.(*SPDX).WriteToFile(0x105c0f9d7?, {0x4?, 0x107c4e980?}, {0x14000bfa930?, 0x0?}, 0x0?, 0x0?)
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/format/sbom/spdx/spdx.go:49 +0x2c
github.com/docker/scout-cli-plugin/internal/commands/sbom.NewCmd.func2(0x140009aba00?, {0x14000194e10?, 0x1?, 0x5?})
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/commands/sbom/sbom.go:150 +0x248
github.com/spf13/cobra.(*Command).execute(0x1400013d800, {0x14000bfa8e0, 0x5, 0x5})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:940 +0x658
github.com/spf13/cobra.(*Command).ExecuteC(0x14000c23800)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x320
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
github.com/docker/cli/cli-plugins/plugin.RunPlugin(0x106af3bc0?, 0x1400013c600, {{0x105c12aa3, 0x5}, {0x105c3bdc9, 0xb}, {0x140008896b4, 0x6}, {0x105c48b01, 0xc}, ...})
	/home/runner/go/pkg/mod/github.com/docker/[email protected]+incompatible/cli-plugins/plugin/plugin.go:51 +0x13c
main.runPlugin(0x105cc3187?)
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/docker-scout/main.go:29 +0x10c
main.main()
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/docker-scout/main.go:53 +0x130

Compare/analyze SBOMs

I've run into Docker Scout having issues trying to compare large images in CI:

docker/scout-action#21

...so I'd like Docker Scout to be able to compare SBOMs instead of passing entire/large images around.

What's your thoughts on this?

Image Analyze can't finish

I have an image of 6.2 GB python package. Although when i push it our docker hub account it can analyze the image and show vulnerabilities. But in my local windows machine with 32 GB 10 cpu and 512 GB SSd it says This image couldn't be analyzed it may have an unsupported architecture, or exceed the maximum size. Normally i have pruned almost everything but nothing changes.

Is it possible to use an air-gapped server with Docker Scout?

The server with Docker is Windows and air gapped. Is there any way to use Docker scout because I've noticed at least two things need to happen: 1- login to docker hub 2 - be able to connect to CVE database?

Finding vulnerabilities in python pip packages

It seems docker scout sbom finds pip packages (type pypi).
However security vulnerabilities are not reported for them (for docker scout cves). Is this intentional?

Wrong package version detection for Oracle Linux

I believe 1:3.0.7-25.0.1.el9_3 and 2:3.0.7-25.0.1.ksplice1.el9_3 are the same version.

Same for 2.34-83.0.2.el9_3.12 > 2:2.34-60.0.3.ksplice1.el9_2.7.

There are a few more packages affected by the same issue.

https://hub.docker.com/layers/library/oraclelinux/9-slim/images/sha256-f1bdd3635b56b12302434d86021141aceb1ca51d79457959cc8193922ee206eb?context=repo&tab=vulnerabilities

Confusing results from docker scout cves on the fixed version vs the version exists

We tried executing docker scout cves on one of our docker images and got some confusing findings on the package shown in the screenshot here. We are using the latest non-vulnerable version of the package as you can see from the version numbers (They are exactly the same), but docker scout cves still tells us that the vulnerability still exists.

Any idea as to why is it behaving like that? Is it because of the existence of the revision number in the package version (v2.88.6.0 vs v2.88.6)?

/Asanka

I cannot record an image to an environment (Windows)

Environment:

Windows 11 in a powershell terminal
Docker Desktop v4.26.1
docker scout CLI v1.3.0

How to reproduce:

PS C:\Users\Jerome\WORKDIR\my-tweet-app-docker> docker scout environment production jeromebaude/my-tweet-app-docker:v2 --org jeromebaude
! 'docker scout environment' is experimental and its behaviour might change in the future
v Successfully recorded jeromebaude/my-tweet-app-docker:v2 in environment production

PS C:\Users\Jerome\WORKDIR\my-tweet-app-docker> docker scout environment production --org jeromebaude
! 'docker scout environment' is experimental and its behaviour might change in the future
No image recorded to environment production in organization jeromebaude

What's wrong?

API operation failed error

I've been getting this error for a few days when I run docker scout quickview

    ✓ SBOM of image already cached, 302 packages indexed
ERROR   Status: could not list CVEs for the image: API operation failed: Message: Post "https://api.dso.docker.com/v1/graphql": EOF, Locations: [], Extensions: map[code:request_error], Code: 1

Docker Scout version

version: v1.0.9 (go1.21.3 - darwin/amd64)
git commit: 8bf95bf60d084af341f70e8263342f71b0a3cd16

I'm running docker with Docker Desktop on Macbook Intel.

After update of Docker Desktop (4.27.0), cant scan any local image anymore

Hello everyone,

since I updated Docker Desktop to the latest version, seems that something on Docker Scout got broken, while scanning local Images.

Here are my versions:

I am using WSL2 updated to the latest pre-release.

EDIT:
In Windows Powershell it seems to work:

docker-scout in Jenkins is getting permission denied error

Jenkins is running on a Amazon Linux EC2 (Linux xxx-xxx 4.18.0-513.9.1.el8_9.x86_64 #1 SMP Thu Nov 16 10:29:04 EST 2023 x86_64 x86_64 x86_64 GNU/Linux)
Jenikins version is 2.426.1
Docker Version: docker -v
Docker version 24.0.7, build afdd53b
which docker
/usr/bin/docker

docker running as root

 ps -elf | grep docker
4 S root        1536       1  0  80   0 - 474532 -     07:00 ?        00:00:05 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

jenkins running as user jenkins

ps -elf | grep jenkins
4 S jenkins     1036       1  1  80   0 - 3546677 -    07:00 ?        00:04:07 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080

        stage('Analyze image') {
            steps {
                // Install Docker Scout
                sh 'curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b .'
                sh 'chmod 777 ./docker-scout'

                // Log into Docker Hub
                sh 'echo $DOCKERHUB_CREDENTIALS_PSW | docker login -u $DOCKERHUB_CREDENTIALS_USR --password-stdin'

                // Analyze and fail on critical or high vulnerabilities
                sh "./docker-scout cves $IMAGE_TAG --exit-code --only-severity critical,high"
            }
        }

Jenkins Log:

+ docker login -u my-login-id --password-stdin
WARNING! Your password will be stored unencrypted in /var/lib/jenkins/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[Pipeline] sh
+ ./docker-scout cves ubi8-minimal-openjdk8-perl:8.9 --exit-code --only-severity critical,high
    ...Storing image for indexing
    ! lstat /tmp/docker-scout/sha256: permission denied
    ! failed to delete temporary image archive /tmp/docker-scout/sha256/7bd9a25030474cd4b22918a6fa769277542107195cb647f749d7543a375942f8/6d7f770b-bb61-4c02-8658-a23f819f570f: open /tmp/docker-scout/sha256/7bd9a25030474cd4b22918a6fa769277542107195cb647f749d7543a375942f8: permission denied�[31mERROR  �[0m Status: could not get the image ubi8-minimal-openjdk8-perl:8.9 from cache: failed to copy image: mkdir /tmp/docker-scout/sha256: permission denied, Code: 1

docker scout doesn't use proxy settings

Hello everyone!

I'm using proxy to requests to github.com and docker resources on my docker host.

When i'm using docker scout, all requests sending without proxy and gives me the message about login.

docker login working correctly and sending requests through proxy, but docker scout doesn't.

user@host:$ docker scout version
version: v1.3.0 (go1.21.3 - linux/amd64)
git commit: 1934037f9d1cd0875cd2e5817cb19545d446cbf5
user@host:~/.docker$ docker login
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /home/secadm/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
user@host:~/.docker$ docker scout cves drenderyga/nginx_vuln_test:latest
Log in with your Docker ID or email address to use docker scout.

If you don't have a Docker ID, head over to https://hub.docker.com to
create one. You can log in with your password or a Personal Access Token (PAT)
by running docker login.
Using a limited-scope PAT grants better security and is required for organizations
using SSO. Learn more at https://docs.docker.com/go/access-tokens/

You can also log in using Docker Desktop.

on fw i see requests without proxy

Inconsistent purl mapping in SARIF output from CVE scan

When an image contains two different versions of the same package (eg. [email protected] and [email protected]) that contain the same CVEs, and you run the following command:

docker scout cves --locations --format sarif --output report.json <image name>

the SARIF output will look something like the following (some properties omitted):

{
  "runs": [
    {
      "tool": {
        "driver": {
          "rules": [
            {
              "id": "CVE-2020-8908",
              "properties": {
                "purl": "pkg:maven/com.google.guava/[email protected]",
              }
            }
          ],
        },
      },
      "results": [
        {
          "ruleId": "CVE-2020-8908",
          "ruleIndex": 0,
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "/home/atcloud/.gradle/wrapper/dists/gradle-8.3-bin/dxjbbhstwasg8cbags9q7cvli/gradle-8.3-bin.zip:gradle-8.3/lib/guava-31.0-jre.jar"
                }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2020-8908",
          "ruleIndex": 0,
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "/home/atcloud/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-gradle-plugin/1.8.22/35314735f9b890dd8192307a3894e5556b08031e/kotlin-gradle-plugin-1.8.22-gradle76.jar:guava-29.0-jre"
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

The issue is that the relationship between the rule (ie. CVE) and the purl is one-to-one in this output, when really a CVE can be present in more than one purl (in this case pkg:maven/com.google.guava/[email protected] and pkg:maven/com.google.guava/[email protected]).

The other problem is that the purl in the rule properties seems to be chosen at random leading to inconsistent results. In this example, when the scan is run multiple times, sometimes it picks [email protected] and other times it picks [email protected]. This inconsistency is exacerbated when the packages contain more than one CVE and some of the purls are one version, and others are the other version.

Docker scout is misreading base image version number

I just started looking into docker scout and ran it over one of my Golang based images and found an issue that could be blocking if run in a CI/CD pipeline.

it can be reproduced with this dockerfile

FROM golang:1.21-alpine
WORKDIR /app
RUN echo foo > bar.txt
ENTRYPOINT [ "sh", "cat", "/app/bar.txt" ]

As of today (2024-01-09) 1.21-alpine is the latest tag, this is important.

Then use the following command to build an image:

docker build --pull --force-rm -t test_scout:latest .

And finally run docker scout to check for any vulnerability with its various options:
First, out of precaution, clear docker scout's cache with docker scout cache prune --sboms

$ docker scout cache prune --sboms        
? Are you sure you want to delete all temporary data and all cached SBOMs? Yes
    ✓ Temporary data deleted
    ✓ Cached SBOMs deleted

Then docker scout quickview test_scout:latest gives:

$ docker scout quickview test_scout:latest
    ✓ Image stored for indexing
    ✓ Indexed 41 packages

  Target             │  test_scout:latest   │    0C     0H     0M     0L   
    digest           │  ae018a575642        │                              
  Base image         │  golang:1-alpine     │    0C     0H     0M     0L   
  Updated base image │  golang:1.20-alpine  │    0C     0H     0M     0L   
                     │                      │                              

What's Next?
  View base image update recommendations → docker scout recommendations test_scout:latest
  Include policy results in your quickview by supplying an organization → docker scout quickview test_scout:latest --org <organization>

And docker scout recommendations test_scout:latest gives:

$ docker scout recommendations test_scout:latest
    ✓ SBOM of image already cached, 41 packages indexed

  Target   │  test_scout:latest   
    digest │  ae018a575642        

## Recommended fixes

  Base image is  golang:1-alpine 

  Name            │  1-alpine                                                                  
  Digest          │  sha256:c56d095992c4857b6cf532808dc847d50d24fe0fc7be1cdc0beacc7ad3da9f1b   
  Vulnerabilities │    0C     0H     0M     0L                                                 
  Pushed          │ 2 weeks ago                                                                
  Size            │ 68 MB                                                                      
  Packages        │ 41                                                                         
  Flavor          │ alpine                                                                     
  OS              │ 3.19                                                                       

                                                                                                                                                                         
  │ The base image is also available under the supported tag(s)  1-alpine3.19 ,  1.21-alpine ,  1.21-alpine3.19 ,  1.21.5-alpine ,  1.21.5-alpine3.19 ,  alpine ,  alpine3.19
  .                                                                                                                                                                      
  │ If you want to display recommendations specifically for a different tag, please re-run the command using the  --tag  flag.                                            



Refresh base image
  Rebuild the image using a newer base image version. Updating this may result in breaking changes.

  ✓ This image version is up to date.


Change base image
  The list displays new recommended tags in descending order, where the top results are rated as most suitable.


              Tag              │                               Details                                │   Pushed    │       Vulnerabilities        
───────────────────────────────┼──────────────────────────────────────────────────────────────────────┼─────────────┼──────────────────────────────
   1.20-alpine                 │ Benefits:                                                            │ 1 month ago │    0C     0H     0M     0L   
  Minor runtime version update │ • Same OS detected                                                   │             │                              
  Also known as:               │ • Minor runtime version update                                       │             │                              
  • 1.20.12-alpine             │ • Image has same number of vulnerabilities                           │             │                              
  • 1.20.12-alpine3.19         │ • Image contains similar number of packages                          │             │                              
  • 1.20-alpine3.19            │ • 1.20-alpine is the third most popular tag with 11K pulls per month │             │                              
                               │                                                                      │             │                              
                               │ Image details:                                                       │             │                              
                               │ • Size: 100 MB                                                       │             │                              
                               │ • Flavor: alpine                                                     │             │                              
                               │ • OS: 3.19                                                           │             │                              
                               │ • Runtime: 1.20.12                                                   │             │                              
                               │                                                                      │             │                              
                               │                                                                      │             │                              
                               │                                                                      │             │

From what I read here (or maybe I misinterpreting the result), docker scout seems to suggest I should 'change' my base image to 1.20-alpine which is older than the 1.21-alpine I use. To me this could create false positives in CI/CD contexts and exceptions to document when we are dealing with customers requesting image audits.

[error] docker is not installed; refusing to install to '/root/.docker/cli-plugins'

While Installing Docker Scout on GitLab, it is showing the below error.
I think, in install.sh you need to add one more line to create .docker directory.
Because, when I created .docker file manually which was not present earlier. It was working fine.

Analyzing non-images

Scout knows how to analyze things like Go binaries, Java's .jar files, node_modules, etc. However, it also (reasonably) assumes the input is a container image in one of a variety of formats, so you can't really analyze something like a Go binary directly without first packing it up in a tarball and adding a bunch of unnecessary JSON metadata so you can pretend it's an image. It would be really neat if we could pass in a file or a directory that isn't container related, and have it perform similar analysis as it would if the thing passed in existed inside a container image instead. 😄

docker cli format markdown bug

Docker CLI Command
docker scout cves --type image --format markdown --output ubuntu.md ubuntu

Output:

 docker scout cves --type image --format markdown  --output ubuntu.md ubuntu
INFO New version 0.22.3 available (installed version is 0.20.0)

 Display CVEs identified in a software artifact

Usage
  docker scout cves [OPTIONS] [IMAGE|DIRECTORY|ARCHIVE]

Description
The docker scout cves command analyzes a software artifact for vulnerabilities.

If no image is specified, the most recently built image is used.

The following artifact types are supported:

- Images
- OCI layout directories
- Tarball archives, as created by docker save

The tool analyzes the provided software artifact, and generates a vulnerability report.

By default, the tool expects an image reference, such as:

- redis
- curlimages/curl:7.87.0
- mcr.microsoft.com/dotnet/runtime:7.0

If the artifact you want to analyze is an OCI directory or a tarball archive, you must use the --type flag.



Flags
      --details                     Print details on default text output
  -e, --exit-code                   Return exit code '2' if vulnerabilities are detected
      --format string               Output format of the generated vulnerability report:
                                    - packages: default output, plain text with vulnerabilities grouped by packages
                                    - sarif: json Sarif output
                                    - markdown: markdown output
                                     (default "packages")
      --ignore-base                 Filter out CVEs introduced from base image
      --locations                   Print package locations including file paths and layer diff_id
      --multi-stage                 Show packages from multi-stage Docker builds
      --only-cve-id strings         Comma separated list of CVE ids (like CVE-2021-45105) to search for
      --only-fixed                  Filter to fixable CVEs
      --only-package-type strings   Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
      --only-severity strings       Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
      --only-stage strings          Comma separated list of multi-stage Docker build stage names
      --only-unfixed                Filter to unfixed CVEs
  -o, --output string               Write the report to a file.
      --platform string             Platform of image to analyze
      --ref string                  Reference to use if the provided tarball contains multiple references.
                                    Can only be used with --type archive.
      --type string                 Type of the image to analyze. Can be one of:
                                    - image
                                    - oci-dir
                                    - archive (docker save tarball)
                                     (default "image")

Examples
  Display vulnerabilities for the most recently built image
  $ docker scout cves

  Display vulnerabilities grouped by package
  $ docker scout cves alpine

  Display vulnerabilities from a docker save tarball
  $ docker save alpine > alpine.tar
  $ docker scout cves --type archive alpine.tar

  Display vulnerabilities from an OCI directory
  $ skopeo copy --override-os linux docker://alpine oci:alpine
  $ docker scout cves --type oci-dir alpine

  Export vulnerabilities to a SARIF JSON file
  $ docker scout cves --format sarif --output alpine.sarif.json alpine

Learn More
  Read docker scout cli reference at https://docs.docker.com/engine/reference/commandline/scout/

ERROR   Status: please provide a valid format, Code: 1

Multiple formats for CVE scan

I'd like to create stdout, SARIF and markdown reports in the same CVE scan - currently if I want all three formats, I have to run docker scout cves --format <format> three separate times.

Having all the formats created in the same run would greatly improve the efficiency of that workflow.

version: 0.24.1 (go1.21.0 - darwin/arm64)
git commit: 67cb4ef78bd69545af0e223ba5fb577b27094505

Docker scout false positive on [email protected]

Description

Docker scout treats [email protected] as vulnerable and reports that 4.0 has fixed the issue. But the CVE fix has been backported to 3.6.10 which is described in the CVE report in docker scout itself:

https://scout.docker.com/vulnerabilities/id/CVE-2016-2141/org/axonivy

JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors. Fixes for this issue have been backported to versions 3.6.10.Final and 3.2.16.Final.

Reproduce

Add jgroups 3.6.20 to the image and analyze it with docker scout.

Expected behavior

jgroups 3.6.20 should not be reported as vulnerable

docker version

not important

docker info

not important

Additional Info

No response

SBOM command with `-o` flag logs progress in JSON lines

When exporting an SBOM to a file with the--output flag, the log output is printed as raw json lines in the terminal.

docker scout sbom --format spdx -o sbom.spdx.json docker/scout-cli:latest
{"level":"info","msg":"SBOM of image already cached, 250 packages indexed\n","time":"2024-02-14T14:22:08+01:00"}
{"level":"info","msg":"Report written to sbom.spdx.json\n","time":"2024-02-14T14:22:08+01:00"}

I guess it should look the same as for the other commands, e.g.

docker scout quickview docker/scout-cli:latest
    ✓ SBOM of image already cached, 250 packages indexed

Non-JSON output with `--format sarif`

Issue

The following command does not output JSON-only in STDOUT:

$ docker scout cves --format sarif nginx:1.8-alpine 2>/dev/null

Diagnostic

The above command outputs a "What's next" message that breaks the JSON output making it hard to parse with traditional tools:

$ docker scout cves --format sarif nginx:1.8-alpine 2>/dev/null | tail          ]
        }
      ]
    }
  ]
}

What's Next?
  View base image update recommendations → docker scout recommendations nginx:1.8-alpine

Possible fix

This message should be output in STDERR, just like the other "general messages".

I know it is possible to use --output flag, but I would prefer using STDOUT directly instead of having to manage temporary files.

(I have the latest version, the source code looks closed, so I cannot really dig further myself)

panic: runtime error: index out of range [0] with length 0

❯ docker scout version

      ⢀⢀⢀             ⣀⣀⡤⣔⢖⣖⢽⢝
   ⡠⡢⡣⡣⡣⡣⡣⡣⡢⡀    ⢀⣠⢴⡲⣫⡺⣜⢞⢮⡳⡵⡹⡅
  ⡜⡜⡜⡜⡜⡜⠜⠈⠈        ⠁⠙⠮⣺⡪⡯⣺⡪⡯⣺
 ⢘⢜⢜⢜⢜⠜               ⠈⠪⡳⡵⣹⡪⠇
 ⠨⡪⡪⡪⠂    ⢀⡤⣖⢽⡹⣝⡝⣖⢤⡀    ⠘⢝⢮⡚       _____                 _
  ⠱⡱⠁    ⡴⡫⣞⢮⡳⣝⢮⡺⣪⡳⣝⢦    ⠘⡵⠁      / ____| Docker        | |
   ⠁    ⣸⢝⣕⢗⡵⣝⢮⡳⣝⢮⡺⣪⡳⣣    ⠁      | (___   ___ ___  _   _| |_
        ⣗⣝⢮⡳⣝⢮⡳⣝⢮⡳⣝⢮⢮⡳            \___ \ / __/ _ \| | | | __|
   ⢀    ⢱⡳⡵⣹⡪⡳⣝⢮⡳⣝⢮⡳⡣⡏    ⡀       ____) | (_| (_) | |_| | |_
  ⢀⢾⠄    ⠫⣞⢮⡺⣝⢮⡳⣝⢮⡳⣝⠝    ⢠⢣⢂     |_____/ \___\___/ \__,_|\__|
  ⡼⣕⢗⡄    ⠈⠓⠝⢮⡳⣝⠮⠳⠙     ⢠⢢⢣⢣
 ⢰⡫⡮⡳⣝⢦⡀              ⢀⢔⢕⢕⢕⢕⠅
 ⡯⣎⢯⡺⣪⡳⣝⢖⣄⣀        ⡀⡠⡢⡣⡣⡣⡣⡣⡃
⢸⢝⢮⡳⣝⢮⡺⣪⡳⠕⠗⠉⠁    ⠘⠜⡜⡜⡜⡜⡜⡜⠜⠈
⡯⡳⠳⠝⠊⠓⠉             ⠈⠈⠈⠈



version: 0.24.1 (go1.21.0 - darwin/arm64)
git commit: 67cb4ef78bd69545af0e223ba5fb577b27094505

❯ docker scout quickview
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/docker/scout-cli-plugin/internal/dockercli.(*Store).GetNewest(0x14000dea750, {0x104e249e0, 0x14000df2720})
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/dockercli/localstore.go:144 +0x718
github.com/docker/scout-cli-plugin/images.(*ImgService).GetNewest(0x14000490240, {0x104e249e0, 0x14000df2720})
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/images/images.go:181 +0x40
github.com/docker/scout-cli-plugin/sbom.(*Service).FromNewestImage(0x14000490260, {0x104e249e0, 0x14000df2720})
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/sbom/sbom.go:267 +0x38
github.com/docker/scout-cli-plugin/sbom.(*Service).Get(0x1400117f9c8?, {0x104e249e0?, 0x14000df2720?}, {0x0?, 0x104af4cc0?}, {0x10408041f?, 0x1400117f898?}, {0x0?, 0xff?}, {0x0?, ...})
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/sbom/sbom.go:74 +0x16c
github.com/docker/scout-cli-plugin/internal/commands/quickview.NewCmd.func2(0x14000bf8c00?, {0x105e7f0c0?, 0x0?, 0x0?})
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/commands/quickview/quickview.go:123 +0x3d8
github.com/spf13/cobra.(*Command).execute(0x14000bf8c00, {0x1400048c570, 0x0, 0x0})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:940 +0x658
github.com/spf13/cobra.(*Command).ExecuteC(0x14000ce0300)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x320
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
github.com/docker/cli/cli-plugins/plugin.RunPlugin(0x104e32aa0?, 0x14000bf8000, {{0x10408015e, 0x5}, {0x1040a8187, 0xb}, {0x1049bb6b0, 0x6}, {0x0, 0x0}, ...})
	/home/runner/go/pkg/mod/github.com/docker/[email protected]+incompatible/cli-plugins/plugin/plugin.go:51 +0x13c
main.runPlugin(0x104128215?)
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/docker-scout/main.go:29 +0xd8
main.main()
	/home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/docker-scout/main.go:52 +0x130

I am running this on a scratch image, which I know makes no sense. My guess is this is what is causing the issue.

Tasks

Beta Give feedback

No tasks being tracked yet.

Options

docker scout fails on aarch64

Hi,

I tried to apply a few commands from the official documentation, and it failed:

 docker scout cves alpine
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 19 packages
panic: interface conversion: interface {} is nil, not float64

goroutine 1 [running]:
github.com/docker/scout-cli-plugin/internal/dso.handleError({0x0, 0x0}, {0x25a6100?, 0x4000ffa0a8?})
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/dso/dso.go:750 +0x364
github.com/docker/scout-cli-plugin/internal/dso.(*DSO).CVEs(0x400027a860, {0x25b8500, 0x4000351dd0}, 0x20?)
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/dso/dso.go:75 +0x1b4
github.com/docker/scout-cli-plugin/cves.(*Lister).FromSBOM(0x4000a20710, {0x25b8500, 0x4000351dd0}, _, {{0x3759440, 0x0, 0x0}, {0x3759440, 0x0, 0x0}, ...})
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/cves/cves.go:70 +0x44
github.com/docker/scout-cli-plugin/internal/commands/cves.NewCmd.func2(0x400014f500?, {0x4000a216e0?, 0x1?, 0x1?})
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/internal/commands/cves/cves.go:232 +0x80c
github.com/spf13/cobra.(*Command).execute(0x400014f500, {0x4000350d10, 0x1, 0x1})
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:983 +0x82c
github.com/spf13/cobra.(*Command).ExecuteC(0x4000ad0000)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1115 +0x344
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1039
github.com/docker/cli/cli-plugins/plugin.RunPlugin(0x25c8d00?, 0x400014e900, {{0x1b7ec70, 0x5}, {0x1ba8287, 0xb}, {0x4000983ee4, 0x6}, {0x1bb51ae, 0xc}, ...})
        /home/runner/go/pkg/mod/github.com/docker/[email protected]+incompatible/cli-plugins/plugin/plugin.go:51 +0x13c
main.runPlugin(0x1c388ae?)
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/docker-scout/main.go:29 +0x10c
main.main()
        /home/runner/work/scout-cli-plugin/scout-cli-plugin/cmd/docker-scout/main.go:53 +0x130

docker scout version

      ⢀⢀⢀             ⣀⣀⡤⣔⢖⣖⢽⢝
   ⡠⡢⡣⡣⡣⡣⡣⡣⡢⡀    ⢀⣠⢴⡲⣫⡺⣜⢞⢮⡳⡵⡹⡅
  ⡜⡜⡜⡜⡜⡜⠜⠈⠈        ⠁⠙⠮⣺⡪⡯⣺⡪⡯⣺
 ⢘⢜⢜⢜⢜⠜               ⠈⠪⡳⡵⣹⡪⠇
 ⠨⡪⡪⡪⠂    ⢀⡤⣖⢽⡹⣝⡝⣖⢤⡀    ⠘⢝⢮⡚       _____                 _
  ⠱⡱⠁    ⡴⡫⣞⢮⡳⣝⢮⡺⣪⡳⣝⢦    ⠘⡵⠁      / ____| Docker        | |
   ⠁    ⣸⢝⣕⢗⡵⣝⢮⡳⣝⢮⡺⣪⡳⣣    ⠁      | (___   ___ ___  _   _| |_
        ⣗⣝⢮⡳⣝⢮⡳⣝⢮⡳⣝⢮⢮⡳            \___ \ / __/ _ \| | | | __|
   ⢀    ⢱⡳⡵⣹⡪⡳⣝⢮⡳⣝⢮⡳⡣⡏    ⡀       ____) | (_| (_) | |_| | |_
  ⢀⢾⠄    ⠫⣞⢮⡺⣝⢮⡳⣝⢮⡳⣝⠝    ⢠⢣⢂     |_____/ \___\___/ \__,_|\__|
  ⡼⣕⢗⡄    ⠈⠓⠝⢮⡳⣝⠮⠳⠙     ⢠⢢⢣⢣
 ⢰⡫⡮⡳⣝⢦⡀              ⢀⢔⢕⢕⢕⢕⠅
 ⡯⣎⢯⡺⣪⡳⣝⢖⣄⣀        ⡀⡠⡢⡣⡣⡣⡣⡣⡃
⢸⢝⢮⡳⣝⢮⡺⣪⡳⠕⠗⠉⠁    ⠘⠜⡜⡜⡜⡜⡜⡜⠜⠈
⡯⡳⠳⠝⠊⠓⠉             ⠈⠈⠈⠈



version: v1.3.0 (go1.21.3 - linux/arm64)
git commit: 1934037f9d1cd0875cd2e5817cb19545d446cbf5

cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS"
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Docker scout is not beeing found ater running the install script in azure pipelines

Hey guys,

i followed your guide on the docker website. But when trying to run docker scout i get the error "docker 'scout' is not a docker command". And when i try to use the downloaded exectuable ~/.docker/cli-plugins/docker-scout i get the message that i should login into Dockerhub first even though i tried it over the pipeline with the command docker login and with the serviceconnection from azure itself.

docker scout could not get the image from cache

Running scout through GitLab CI and am getting the following ->

...Storing image for indexing
ERROR Status: could not get the image ********* from cache: failed to copy image: failed to create new image source: unable to load image: could not read image: open /tmp/docker-scout/sha256/d3d42c7a4abaec6d33dd564208188cd7a43e11ff2b42e687db45117acd4bdf59/197066d1-0b96-46d8-92c9-5e3f87cda038/blobs/sha256/d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820: no such file or directory, Code: 1
Cleaning up project directory and file based variables
ERROR: Job failed: exit status 1

scout version=1.3.0
GitLab-runner version=16.8.0
Debian 12
100G volume with 85G free

CI code ->

  image: docker:latest
  stage: docker
  services:
    - docker:dind
  before_script:
    # Install curl and the Docker Scout CLI
    - curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- 
    - docker login -u $DOCKERHUB_USERNAME -p $DOCKERHUB_PASSWORD  
  rules:
    - if: $CI_COMMIT_BRANCH =~ /^(master|main|development|dockerfile-update)$/ && $DOCKER_REPO
  script:
    - docker build --build-arg FONTAWESOME_TOKEN=$FONTAWESOME_TOKEN --build-arg SENTRY_AUTH_TOKEN:$SENTRY_AUTH_TOKEN -t $DOCKER_REPO:$CI_COMMIT_REF_NAME .
    - |
      if [[ $GITLAB_USER_ID != 1 ]]; then
        # Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
        docker scout cves "$DOCKER_REPO:$CI_COMMIT_REF_NAME" --only-severity critical,high --exit-code 
      fi
    - docker push $DOCKER_REPO:$CI_COMMIT_REF_NAME```
    
 Before this it just used to fail at ->
 ``    ...Storing image for indexing` with exit code 1

Docker Scout does not honor Chainguard's advisory data/secdb

As the owner of its own distro, Chainguard maintains advisory data that captures the results of investigations into potential vulnerabilities. This includes cases where Chainguard determines a vulnerability to be a false positive.

Chainguard publishes guidance for vulnerability scanner integration here. Scanners are expected to honor Chainguard's advisory data, including these "false positive" designations, so that the vulnerability report output from supported scanners is as accurate as possible.

Even though the Docker docs show that both the Wolfi (open source) and Chainguard (commercial) advisory feeds are used by Docker Scout, it appears that Docker Scout does not correctly implement support for our false positive data in all cases. According to this output, when Docker Scout finds matches to language ecosystem (e.g. NPM) packages, Docker Scout doesn't correctly suppress the result when these matches are noted in Chainguard's secdb as false positives.

This means Docker Scout fails to meet an expectation defined in Chainguard's Vulnerability Scanner Support docs, specifically on this page, item 4a.

Please let us know when integration with the Wolfi and Chainguard secdb data is planned.

Change release names so that they can be matched with uname

Trying to write a script to check and download scout, and to make it somewhat portable I would like to do this:

SCOUT_REPO_VERSION=$(curl -s https://api.github.com/repos/docker/scout-cli/releases/latest | grep 'tag_name' | cut -d '"' -f4)
curl -L "https://github.com/docker/scout-cli/releases/download/${SCOUT_REPO_VERSION}/docker-scout_${SCOUT_REPO_VERSION}_$(uname -s)_$(uname -m).tar.gz" --create-dirs -o "/tmp/docker-scout/docker-scout.tar.gz"

But the releases aren't named in a way where uname works, so instead I have to do the below, and hardcode the kernel name and the machine hardware name:

SCOUT_REPO_VERSION=$(curl -s https://api.github.com/repos/docker/scout-cli/releases/latest | grep 'tag_name' | cut -d '"' -f4)
curl -L "https://github.com/docker/scout-cli/releases/download/${SCOUT_REPO_VERSION}/docker-scout_${SCOUT_REPO_VERSION/v/}_linux_amd64.tar.gz" --create-dirs -o "/tmp/docker-scout/docker-scout.tar.gz"

As a reference, the way docker/compose publishes releases works pretty well with uname: https://github.com/docker/compose/releases

Tasks

Beta Give feedback

No tasks being tracked yet.

Options

Docker login no credential foun error only when run --it

sudo docker login docker.io
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
sudo docker run -it --rm --name docker-scout docker/scout-cli qv repo/image
ERROR   Status: please login using Docker Desktop or 'docker login' command: no credential found for "index.docker.io", Code: 1

No clue whats going on, any suggestions?

Wrong base image name / recommendation with provenance

With an image defined with: FROM ubuntu:jammy with associated provenance.

Using docker scout recommendations name of the base image is wrong, here jammy-20230804 instead of jammy
Recommended base image is lunar.

Using docker scout quickview, the recommended updated base image is 23.10.

Expected:

on recommendations: use the tag name from the provenance, here jammy
on quickview: use the same recommended base image as for recommendations

Seeing "panic: runtime error" when attempting to get policy results with the "wrong" org set

Repro

docker scout config organization [orgA]
docker scout policy [image] --platform linux/amd64 (where image is in orgB)

Ok scenario

docker scout config organization [orgB]
docker scout policy [image] --platform linux/amd64 (where image is in orgB)

SARIF output from CVE scan is broken when overwriting an existing file

Say I run the following command on an image with lots of vulnerable components:

docker scout cves --locations --format sarif --output report.json <image name>

A large report will be written to report.json. Then I tidy up some of the vulnerabilities and run the same command again, I'd expect a smaller report in report.json, but instead I get an invalid JSON document.

It seems like the smaller report is being written to the first n lines of report.json, but anything afterwards that already exists in report.json is also being kept, which leads to the JSON document being invalid and any tooling that parses the report.json file to break.

version: 0.24.1 (go1.21.0 - darwin/arm64)
git commit: 67cb4ef78bd69545af0e223ba5fb577b27094505

add Chainguard secdb to docker scout advisory feed

Description

scout already supports the open source Wolfi security feed. But Chainguard also has a second feed for commercial packages. Please consider adding this feed to the scout advisory feed

https://packages.cgr.dev/chainguard/security.json

Scanning archives with --type fail

Hello everyone,

I have pipelines, that put the build images into a *.tar archive, and these archive will be scanned on another step.

Seems that the --type archive is gone and all my pipelines fail with an error.

Ist this a wanted behaviour?

This has been running for weeks and failed today the first time.

New version prompt should have a link to this repository

The CLI prompt for when there's a new plugin version should link here so that users can upgrade.

$ docker scout quickview
INFO New version 0.20.0 available (installed version is 0.16.1)

Vulnerable artifact locations not included in CVE scan markdown report

When I run the following command to create a markdown vulnerability report:

docker scout cves --locations --format markdown --output report.md <image>

The vulnerable artifact locations are not included in the markdown report. Having them in the report makes it much easier to identify and remediate the vulnerable components, so it would be great if they were included!

version: 0.24.1 (go1.21.0 - darwin/arm64)
git commit: 67cb4ef78bd69545af0e223ba5fb577b27094505

docker / scout-cli Goto Github PK

scout-cli's Introduction

Docker Scout

Usage

Environment Variables

CLI Plugin Installation

Docker Desktop

Manual Installation

Script Installation

Run as container

CI Integration

GitHub Action

GitLab

CircleCI

Microsoft Azure DevOps Pipelines

Jenkins

Bitbucket

License

scout-cli's People

Contributors

Stargazers

Watchers

Forkers

scout-cli's Issues

Update: Steps to reproduce

Description

Reproduce

Expected behavior

docker version

docker info

Additional Info

Issue

Diagnostic

Possible fix

Tasks

Tasks

Description

Recommend Projects

Recommend Topics

Recommend Org