v1.16.0

What's Changed

• Add secret scanning to sbom command by @cdupuis
• Keep original pattern to find nested matches too by @cdupuis
• Make licenses unqiue by @cdupuis
• Print platform in markdown output by @cdupuis
• Normalize licenses using spdx license list by @cdupuis
• Updates to make spdx output spec compliant by @cdupuis
• Check dir exists before creating temp file by @chrispatrick
• Update Go, crypto module and alpine by @cdupuis
• Add support for attestations for images from Tanzu Application Catalog by @cdupuis
• Fix behaviour with multi images in attest cmd by @cdupuis

v1.15.1

What's Changed

• Bug fixes by @cdupuis

New Contributors

• @neilprosser made their first contribution

v1.15.0

Highlights

• Add CycloneDX as output format for the sbom cmd

  $ docker scout sbom --format cyclonedx REF
  

Bug Fixes / Improvements

• Support to enable/disable repositories that were enabled via docker scout push or docker scout watch.
• Use high-to-low sort order for cves summary
  • Before:
    
  • After:
    
• Improve messaging when analysing oci directories without attentions. Only single arch image and multi arch image with attestations are supported. Multi arch image without attestation is not supported.
• Improve classifiers and sbom scanner:
  • Add classifier for liquibase lpm
  • Add support for buildkit extra sbom scanner args.
  • Add Rakudo Star/MoarVM binary classifier
  • Add binary classifiers for silverpeas utilities
• Improve reading and caching of attestations with containerd image store.

---

Contributors

v1.14.0

Highlights

• Add suppression information at the CVE level in the cves command.
  Accepted risk
  
  False positive
  
  Read more on how to manage vulnerability exceptions

Bug Fixes / Improvements

• Fix listing CVEs for dangling images (i.e local://sha256:...)
• Fix panic when analysing a file system input, for instance with docker scout cves fs://.

---

Contributors

v1.13.0

Highlights

• Add --only-policy filter option to quickview, policy and compare commands.
• Add --ignore-suppressed filter option to cves and quickview commands to filter out CVEs affected by Scout suppressions.

Bug Fixes / Improvements

• Use conditional policy name in checks.
• Enable detection golang main module via ldflags.

---

Contributors

v1.12.0

Highlights

• Only display vulnerabilities from the base image:

  $ docker scout cves --only-base IMAGE

• Account for VEX in quickview command.

  $ docker scout quickview IMAGE --only-vex-affected --vex-location ./path/to/my.vex.json

  uses: docker/scout-action@v1
  with:
    command: quickview
    image: [IMAGE]
    only-vex-affected: true
    vex-location: ./path/to/my.vex.json

• Account for VEX in cves command (GitHub Actions).

  uses: docker/scout-action@v1
  with:
    command: cves
    image: [IMAGE]
    only-vex-affected: true
    vex-location: ./path/to/my.vex.json

Bug Fixes / Improvements

• Update github.com/docker/docker to v26.1.5+incompatible to fix CVE-2024-41110.
• Update syft to 1.10.0.

---

Contributors

v1.11.0

Highlights

• Filter CVEs listed in the CISA Known Exploited Vulnerabilities catalog.

  $ docker scout cves [IMAGE] --only-cisa-kev
  
  ... (cropped output) ...
  ## Packages and Vulnerabilities
  
  0C     1H     0M     0L  io.netty/netty-codec-http2 4.1.97.Final
  pkg:maven/io.netty/[email protected]
  
  ✗ HIGH CVE-2023-44487  CISA KEV  [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
    https://scout.docker.com/v/CVE-2023-44487
    Affected range  : <4.1.100
    Fixed version   : 4.1.100.Final
    CVSS Score      : 7.5
    CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  ... (cropped output) ...

• Add --dry-run flag for docker scout push command to not push the image but process it.

• Switch to Scout v2 manifest format (application/vnd.scout.manifest.v2+json) using base64-encoded objects.

• Add new binary classifiers for spiped, swift, eclipse-mosquitto and znc.

Bug Fixes / Improvements

• Allow VEX matching when no subcomponents.
• Fix panic when attaching an invalid VEX document.
• Fix SPDX document root.
• Fix base image detection when image uses SCRATCH as the base image.

---

Contributors

v1.10.0

Bug Fixes / Improvements

• Add new classifiers for irssi, Backdrop, CrateDB CLI (Crash), monica, Openliberty, dumb-init, friendica, redmine
• Fix whitespace only originator on package breaking buildkit exporters
• Fix parsing image references in SPDX statement for images with a digest
• Support sbom:// prefix for image comparison

  $ docker scout compare sbom://image1.json --to sbom://image2.json

---

Contributors

v1.9.3

Bug Fixes

• Fix a panic while retrieving cached SBOM

---

Contributor

v1.9.1

Highlights

• Add support for the GitLab container scanning file format with --format gitlab on docker scout cves command
  Here is a pipeline example:

     docker-build:
    # Use the official docker image.
    image: docker:cli
    stage: build
    services:
      - docker:dind
    variables:
      DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    before_script:
      - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
         
      # Install curl and the Docker Scout CLI
      - |
        apk add --update curl
        curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- 
        apk del curl 
        rm -rf /var/cache/apk/* 
      # Login to Docker Hub required for Docker Scout CLI
      - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin
  
    # All branches are tagged with $DOCKER_IMAGE_NAME (defaults to commit ref slug)
    # Default branch is also tagged with `latest`
    script:
      - docker buildx b --pull -t "$DOCKER_IMAGE_NAME" .
      - docker scout cves "$DOCKER_IMAGE_NAME" --format gitlab --output gl-container-scanning-report.json
      - docker push "$DOCKER_IMAGE_NAME"
      - |
        if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
          docker tag "$DOCKER_IMAGE_NAME" "$CI_REGISTRY_IMAGE:latest"
          docker push "$CI_REGISTRY_IMAGE:latest"
        fi
    # Run this job in a branch where a Dockerfile exists
    rules:
      - if: $CI_COMMIT_BRANCH
        exists:
          - Dockerfile
    artifacts:
      reports:
        container_scanning: gl-container-scanning-report.json

Bug Fixes / Improvements

• Support single arch images for docker scout attest add command
• Indicate if an image provenance has not been created using max mode on docker scout quickview and docker scout recommendations commands.
  Without max mode, base image might be auto-detected and might result in less accurate results.

---

Contributors