scout-cli/docs/docker_scout_compare.yaml at f4d7038cfa6777624aad5e2e22c5b308cfe9632e · docker/scout-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
command: docker scout compare
aliases: docker scout compare, docker scout diff
short: Compare two images and display differences (experimental)
long: |-
    The `docker scout compare` command analyzes two images and displays a comparison.

    > This command is **experimental** and its behaviour might change in the future

    The intended use of this command is to compare two versions of the same image.
    For instance, when a new image is built and compared to the version running in production.

    If no image is specified, the most recently built image is used
    as a comparison target.

    The following artifact types are supported:

    - Images
    - OCI layout directories
    - Tarball archives, as created by `docker save`
    - Local directory or file

    By default, the tool expects an image reference, such as:

    - `redis`
    - `curlimages/curl:7.87.0`
    - `mcr.microsoft.com/dotnet/runtime:7.0`

    If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory,
    or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:

    - `image://` (default) use a local image, or fall back to a registry lookup
    - `local://` use an image from the local image store (don't do a registry lookup)
    - `registry://` use an image from a registry (don't use a local image)
    - `oci-dir://` use an OCI layout directory
    - `archive://` use a tarball archive, as created by `docker save`
    - `fs://` use a local directory or file
    - `sbom://` SPDX file or in-toto attestation file with SPDX predicate or `syft` json SBOM file
usage: docker scout compare --to IMAGE|DIRECTORY|ARCHIVE [IMAGE|DIRECTORY|ARCHIVE]
pname: docker scout
plink: docker_scout.yaml
options:
    - option: exit-code
      shorthand: e
      value_type: bool
      default_value: "false"
      description: Return exit code '2' if vulnerability changes are detected
      deprecated: true
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: exit-on
      shorthand: x
      value_type: stringSlice
      default_value: '[]'
      description: |
        Comma separated list of conditions to fail the action step if worse or changed, options are: vulnerability, policy, package
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: format
      value_type: string
      default_value: text
      description: |-
        Output format of the generated vulnerability report:
        - text: default output, plain text with or without colors depending on the terminal
        - markdown: Markdown output
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: hide-policies
      value_type: bool
      default_value: "false"
      description: Hide policy status from the output
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: ignore-base
      value_type: bool
      default_value: "false"
      description: Filter out CVEs introduced from base image
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: ignore-suppressed
      value_type: bool
      default_value: "false"
      description: |
        Filter CVEs found in Scout exceptions based on the specified exception scope
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: ignore-unchanged
      value_type: bool
      default_value: "false"
      description: Filter out unchanged packages
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: multi-stage
      value_type: bool
      default_value: "false"
      description: Show packages from multi-stage Docker builds
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-fixed
      value_type: bool
      default_value: "false"
      description: Filter to fixable CVEs
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-package-type
      value_type: stringSlice
      default_value: '[]'
      description: |
        Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-policy
      value_type: stringSlice
      default_value: '[]'
      description: Comma separated list of policies to evaluate
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-severity
      value_type: stringSlice
      default_value: '[]'
      description: |
        Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-stage
      value_type: stringSlice
      default_value: '[]'
      description: Comma separated list of multi-stage Docker build stage names
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-unfixed
      value_type: bool
      default_value: "false"
      description: Filter to unfixed CVEs
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-vex-affected
      value_type: bool
      default_value: "false"
      description: Filter CVEs by VEX statements with status not affected
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: org
      value_type: string
      description: Namespace of the Docker organization
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: output
      shorthand: o
      value_type: string
      description: Write the report to a file
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: platform
      value_type: string
      description: Platform of image to analyze
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: ref
      value_type: string
      description: |-
        Reference to use if the provided tarball contains multiple references.
        Can only be used with archive
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: to
      value_type: string
      description: Image, directory, or archive to compare to
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: to-env
      value_type: string
      description: Name of environment to compare to
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: to-latest
      value_type: bool
      default_value: "false"
      description: Latest image processed to compare to
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: to-ref
      value_type: string
      description: |-
        Reference to use if the provided tarball contains multiple references.
        Can only be used with archive.
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: to-stream
      value_type: string
      description: Name of stream to compare to
      deprecated: true
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: vex
      value_type: bool
      default_value: "false"
      description: Apply VEX statements to filter CVEs
      deprecated: true
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: vex-author
      value_type: stringSlice
      default_value: '[<.*@docker.com>]'
      description: List of VEX statement authors to accept
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: vex-location
      value_type: stringSlice
      default_value: '[]'
      description: File location of directory or file containing VEX statements
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
inherited_options:
    - option: debug
      value_type: bool
      default_value: "false"
      description: Debug messages
      deprecated: false
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: verbose-debug
      value_type: bool
      default_value: "false"
      description: Verbose debug
      deprecated: false
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
examples: |-
    ### Compare the most recently built image to the latest tag

    ```console
    $ docker scout compare --to namespace/repo:latest
    ```

    ### Compare local build to the same tag from the registry

    ```console
    $ docker scout compare local://namespace/repo:latest --to registry://namespace/repo:latest
    ```

    ### Ignore base images

    ```console
    $ docker scout compare --ignore-base --to namespace/repo:latest namespace/repo:v1.2.3-pre
    ```

    ### Generate a markdown output

    ```console
    $ docker scout compare --format markdown --to namespace/repo:latest namespace/repo:v1.2.3-pre
    ```

    ### Only compare maven packages and only display critical vulnerabilities for maven packages

    ```console
    $ docker scout compare --only-package-type maven --only-severity critical --to namespace/repo:latest namespace/repo:v1.2.3-pre
    ```

    ### Show all policy results for both images

    ```console
    docker scout compare --to namespace/repo:latest namespace/repo:v1.2.3-pre
    ```
deprecated: false
experimental: false
experimentalcli: true
kubernetes: false
swarm: false