v1.9.1

Highlights

• Add support for the GitLab container scanning file format with --format gitlab on docker scout cves command
  Here is a pipeline example:

     docker-build:
    # Use the official docker image.
    image: docker:cli
    stage: build
    services:
      - docker:dind
    variables:
      DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    before_script:
      - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
         
      # Install curl and the Docker Scout CLI
      - |
        apk add --update curl
        curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- 
        apk del curl 
        rm -rf /var/cache/apk/* 
      # Login to Docker Hub required for Docker Scout CLI
      - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin
  
    # All branches are tagged with $DOCKER_IMAGE_NAME (defaults to commit ref slug)
    # Default branch is also tagged with `latest`
    script:
      - docker buildx b --pull -t "$DOCKER_IMAGE_NAME" .
      - docker scout cves "$DOCKER_IMAGE_NAME" --format gitlab --output gl-container-scanning-report.json
      - docker push "$DOCKER_IMAGE_NAME"
      - |
        if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
          docker tag "$DOCKER_IMAGE_NAME" "$CI_REGISTRY_IMAGE:latest"
          docker push "$CI_REGISTRY_IMAGE:latest"
        fi
    # Run this job in a branch where a Dockerfile exists
    rules:
      - if: $CI_COMMIT_BRANCH
        exists:
          - Dockerfile
    artifacts:
      reports:
        container_scanning: gl-container-scanning-report.json

Bug Fixes / Improvements

• Support single arch images for docker scout attest add command
• Indicate if an image provenance has not been created using max mode on docker scout quickview and docker scout recommendations commands.
  Without max mode, base image might be auto-detected and might result in less accurate results.

---

Contributors

v1.8.0

Bug Fixes / Improvements

• Improve format of EPSS score and percentile
  • Before:

    EPSS Score      : 0.000440
    EPSS Percentile : 0.092510
    

  • After:

    EPSS Score      : 0.04%
    EPSS Percentile : 9th percentile
    

• Fix cves command when used to analyse a local file system with a markdown output. See #113

---

Contributors

v1.7.0

Highlights

• docker scout push command: index an image then push the resulting SBOM to Docker Scout

Bug Fixes / Improvements

• Fix adding attestation (like vex statements) to a private image
• fix image processing for scratch "images"
• docker scout sbom:// can read Scout's SBOM

  $ docker scout sbom IMAGE | docker scout qv sbom://

• Add classifier for Joomla

---

Contributors

v1.6.4

Bug Fix

Fix epoch handling for rpm-based images

---

Contributor(s)

v1.6.3

Bug Fixes / Improvements

• improve package detection to ignore referenced but not installed packages

---

Contributors

v1.6.2

Highlights

• EPSS data are now fetch backend side so the CLI doesn't need anymore to fetch them locally.
  In comparison to v1.6.0 --epss-date parameter has been removed and docker scout cache prune --epss has been removed.

Bug Fixes / Improvements

• fix an issue when rendering markdown output using sbom:// prefix

---

Contributors

v1.6.0

Highlights

• Add support for passing in SBOM files in SDPX or in-toto SDPX format

  $ docker scout cves sbom://path/to/sbom.spdx.json

• Add support for SBOM files in syft-json format

  $ docker scout cves sbom://path/to/sbom.syft.json

• Reads sbom files from the standard input

  $ syft -o json alpine | docker scout cves sbom://

• Prioritise CVEs by EPSS score
  • --epss to display and prioritise the CVEs
  • --epss-score and --epss-percentile to filter by score and percentile
  • prune cached EPSS files with

    $ docker scout cache prune --epss

• Use Windows cache from WSL2
  When inside WSL2 with Docker Desktop running, the docker scout CLI will now use the cache from Windows side. That way if an image has been indexed for instance by Docker Desktop there's no need anymore to re-index it on WSL2 side.
• Indexing using the CLI is now blocked if it has been disabled using Settings Management feature

Bug Fixes / Improvements

• Fix panic when indexing single image oci-dir input
• Improve local attestation support with the containerd image store

---

Contributors

v1.5.2

General bug fixes and performance improvements

v1.5.1

What's Changed

• Fix panic on single image oci-dir input by @cdupuis

v1.5.0

Highlights

• Cache SBOM and attestations using the image index digest if exists
• Add file hashes/digest when generating SBOMs
• Upgrade syft to 0.105.0
• Process OpenVEX document before attaching to image to move subcomponents into product, product into subject
• Support local attestations from a containerd image store or OCI export

Bug fixes / Improvements

• fix reading SBOM for gcr.io/distroless images
• read distribution in SBOM from attestations
• fix docker scout push with an image reference containing a prefix like registry://